California’s Latest AI & Privacy Rule Updates: What Organizations Need to Know
by Candace E. Moore
On July 24, 2025, the California Privacy Protection Agency (CPPA) Board approved major updates to the California Consumer Privacy Act (CCPA). These changes mainly focus on Automated Decision-Making Technology (ADMT), Cybersecurity Audits, and Privacy Risk Assessments. They aim to strengthen transparency, safeguard personal data, and expand protections for minors and location data.
These updates apply to both nonprofit and for-profit organizations and will be rolled out over the next several years, with deadlines based on the organization’s size and revenue.
Key Updates that Could Affect Your Organization
Automated Decision-Making Technology (ADMT)
ADMT refers to automated systems that make decisions based on personal data. Under the new rules, systems that replace human judgment face stricter limits. Systems that simply assist human decision-making are less restricted, but some uses — particularly in housing, credit, and employment — require “transparency disclosures.”
If you believe your activities are covered by these updates, you should…
· Review all AI and algorithmic tools to ensure they do not engage in prohibited decision-making.
· Add human oversight for decisions with a legal or significant impact on any person.
Cybersecurity Audits
Organizations will be required to complete formal cybersecurity audits that assess threats, outline mitigation measures, and document active data protection practices.
These audits must be completed according to the deadlines below:
· If your business earns over $100M in revenue, by April 1, 2028
· If your business earns between $50M and $100M in revenue, by April 1, 2029
· If your business earns less than $50M in revenue, by April 1, 2030
If you believe your activities are covered by these updates, you should…
· Start drafting the audit frameworks to avoid any future compliance issues.
Privacy Risk Assessments
Beginning on April 21, 2028, certain “high-risk” activities (e.g., processing the data of minors, profiling, or processing sensitive health or location data) will require formal risk assessments and attestation filings.
If you believe your activities are covered by these updates, you should…
· Identify which of your activities might meet the applicability threshold.
· Create an internal process for regular data privacy and security reviews.
Expanded Protections for Minors & Location Data
The CPPA Board reinforced restrictions on targeted advertising, profiling, and the sale of data involving minors. Location data is now subject to increased restrictions, including stricter collection limits, disclosure requirements, and prohibitions on certain types of sharing.
If you believe your activities are covered by these updates, you should…
· Audit your data collection practices to ensure they remain compliant.
· Update your privacy policies to explain how minors’ data and location data are being used and/or shared.
Tips & Tricks
· Map your data to understand what personal, sensitive, and location data you collect.
· Audit your organization’s use of automated decision-making tools.
· Ensure that your policies accurately reflect your data practices.
· Keep an eye out for future deadlines.
· Engage in continued education on privacy, security and compliance best practices.
California’s updated rules are part of a broader shift toward stricter oversight. Organizations that build transparency, security, and fairness into their operations will be better positioned to meet legal requirements and maintain public trust in the years ahead.