California’s privacy regulator has adopted new CCPA rules aimed at automated decision-making and “high-risk” processing, adding mandatory cybersecurity audits and risk assessments. The compliance deadline is distant, but the operational work (governance, logging, and evidence collection) starts now.
California Privacy Protection Agency adopts CCPA rules targeting ADMT and high-risk processing
On July 24, 2025, the California Privacy Protection Agency (CPPA) unanimously voted to adopt updates to the California Consumer Privacy Act (CCPA) focused on automated decision-making technology (ADMT) and related high-risk data processing. The rules introduce mandatory cybersecurity audits and risk assessments as a compliance requirement for organizations operating in scope.
Under the adopted timeline, cybersecurity audits begin April 1, 2027. The update also notes implications for regulated industries, including insurance, where the rules include specific carve-outs clarifying the compliance obligations of companies operating in that sector and of the vendors serving them.
- Audit readiness becomes a product requirement, not a policy document. Data and ML teams will need durable ADMT governance: clear system inventories, documentation of each decision use, and controls whose operation can be evidenced under audit, not merely asserted.
- Logging and traceability will drive engineering work in 2025–2026. Even with audits starting in 2027, teams should build (or retrofit) event logging, model and version lineage, access controls, and risk-assessment workflows early to avoid last-minute operational disruption.
- Synthetic data is a practical lever for reducing exposure while still generating evidence. Privacy engineers can use synthetic data to validate models and test decisioning pipelines with less sensitive data, which may reduce audit friction while still producing repeatable compliance artifacts.
- Insurance carve-outs still require careful vendor alignment. Startups and data service providers selling into insurance should map the carve-outs to their own processing and reporting obligations, because “industry exception” language rarely eliminates downstream audit and documentation needs.
