
December 11, 2025

California's Updated Privacy Regulations: Automated Decisionmaking Technology, Cybersecurity Audits, and Risk Assessments, Part 1

On January 1, 2026, a robust set of privacy regulations[1] will go into effect in California (2026 Regulations) to further implement the California Consumer Privacy Act[2] (CCPA). The 2026 Regulations address, among other topics, requirements relating to automated decisionmaking technology (ADMT), cybersecurity audits, and risk assessments as well as a variety of modifications to the existing CCPA regulations. As explained below, the 2026 Regulations will increase consumer protection and organizational accountability in the realms of sensitive personal information, artificial intelligence (AI), and automated systems. This alert summarizes key takeaways of the 2026 Regulations for businesses within the scope of the CCPA.

ADMT

General. The 2026 Regulations generally define ADMT as “any technology that processes personal information and uses computation to replace human decisionmaking or substantially replace human decisionmaking,” excluding a list of commonly used information-technology utilities. The ADMT obligations apply to businesses that use ADMT to make a significant decision, which is “a decision that results in the provision or denial of financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or health care services,” concerning a consumer. 

Pre-Use Notice. Under the 2026 Regulations, a business that uses ADMT to make a significant decision is required to provide a pre-use notice that describes its use of ADMT in plain language. The pre-use notice should also disclose information about the consumer’s right to opt out of, and access, ADMT. It should include at least two easy methods to opt out of the use of ADMT to make a significant decision concerning the consumer. 

Human Involvement Exception. If a business uses ADMT to make significant decisions about consumers, the business may avoid the scope of the ADMT obligations by involving a human who:

  • knows how to interpret and use the ADMT’s output as a resource to make a decision, 
  • reviews and analyzes the output and any other relevant information to make or change the decision, and 
  • has the authority to make or change the decision based upon the human’s analysis.

Notably, in granting this authority to personnel, businesses should invest in training to help ensure the human-review process is meaningful and not merely a rubber-stamp procedure.

Opt-Out Rights. Businesses must provide consumers with opt-out methods when using ADMT to make a significant decision. The business must provide at least two methods for opting out, including a clear link with the text “Opt-out of Automated Decisionmaking Technology” and an interactive form with an opt-out link in the Pre-Use Notice.

Exceptions to Consumer Opt-Out Rights. There are certain exceptions under the 2026 Regulations, where a business is not required to enable consumers to opt out of the business’s use of ADMT for significant decisions. While each exception is subject to certain requirements for the business to satisfy, these exceptions generally apply if: 

  • the business provides a method for the consumer to appeal the decision to a human reviewer who has the authority to overturn the decision, 
  • the decision is for admission, acceptance, or hiring, or 
  • the decision is for an allocation or assignment of work and compensation. 

Timing. Businesses using ADMT for a significant decision prior to January 1, 2027, must be in compliance by that date. Any use of ADMT for a significant decision initiated after January 1, 2027, requires compliance by the date of the decision.  

Cybersecurity Audits

General. The 2026 Regulations require businesses to complete an annual cybersecurity audit if their processing of personal information presents a “significant risk” to consumers’ security. The following activities constitute a “significant risk” that requires a cybersecurity audit:

  • the business derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information, or
  • as of January 1 of the calendar year, the business had annual gross revenues in excess of $25 million in the preceding calendar year, and the business conducted one of the following:
    • processed the personal information of 250,000 or more consumers or households in the preceding calendar year, or
    • processed the sensitive personal information of 50,000 or more consumers in the preceding calendar year. 

Auditing Procedure. If a business satisfies the above criteria (Audit-Required Business), the Audit-Required Business must have audits conducted by a qualified, objective auditor using a generally accepted auditing procedure. This auditor must have a thorough understanding of cybersecurity and how to audit the Audit-Required Business’s cybersecurity program. The audit must assess and document how the Audit-Required Business’s cybersecurity program protects personal information from unauthorized access, use, modification, or disclosure and protects against the loss of availability of personal information. For Audit-Required Businesses using an internal auditor, the highest-ranking auditor must be used and report directly to the executive management team. 

Timing. For Audit-Required Businesses, compliance deadlines vary. An Audit-Required Business with an annual gross revenue above $100 million in 2026 must complete its first audit by April 1, 2028, covering the 2027 calendar year. An Audit-Required Business with an annual gross revenue between $50 million and $100 million in 2027 must complete its first audit by April 1, 2029, covering the 2028 calendar year. An Audit-Required Business with an annual gross revenue less than $50 million in 2028 must complete its first audit by April 1, 2030, covering the 2029 calendar year. After April 1, 2030, all Audit-Required Businesses must complete audits and submit certifications on an annual basis. 

Annual Submissions to Agency. By April 1 of each year following the audit-required year, each Audit-Required Business must submit a written certification to the California Privacy Protection Agency (Agency) that it has completed the cybersecurity audit.

Risk Assessments

General. The 2026 Regulations require businesses to conduct a formal risk assessment before initiating any processing activity that presents a “significant risk” to consumer privacy. Any of the following activities constitute a “significant risk” that requires a risk assessment:

  • selling personal information, 
  • sharing (as defined by the CCPA) personal information, which is triggered by the use of cross-context behavioral advertising,
  • processing sensitive personal information with certain exceptions involving employees and independent contractors,
  • using ADMT for a significant decision, or
  • using automated processing to:
    • infer or extrapolate a consumer’s intelligence, ability, aptitude, performance at work, economic situation, health (including mental health), personal preferences, interests, reliability, predispositions, behavior, location, or movements based upon “systematic observation” (explained below) of that consumer when they are acting in their capacity as an educational program applicant, job applicant, student, employee, or independent contractor for the business, 
    • infer or extrapolate a consumer’s intelligence, ability, aptitude, performance at work, economic situation, health (including mental health), personal preferences, interests, reliability, predispositions, behavior, or movements based upon that consumer’s presence in a “sensitive location” (explained below), or 
    • process the personal information of consumers, which the business intends to use to “train” (explained below) an ADMT for a significant decision concerning a consumer; or train a facial-recognition, emotion-recognition, or other technology that verifies a consumer’s identity, or conducts physical or biological identification or profiling of a consumer. 

A business that satisfies the criteria listed above (Assessment-Required Business) must conduct a risk assessment to evaluate the potential impact of data processing on consumers, including whether the likelihood and severity of a harm outweighs the benefit that the Assessment-Required Business will receive from the data processing. 

Reports on Risks. Assessment-Required Businesses must create risk assessment reports that cover, among other topics, the following:

  • the purpose for processing consumer personal information,
  • any negative impacts of the processing,
  • safeguards, and 
  • the logic of any ADMT used to make a significant decision, and how the business will use the output to make a significant decision. 

Timing. These assessment obligations are ongoing for Assessment-Required Businesses. In general, risk assessments must be updated every three years but also whenever material changes are made to a sensitive processing activity. 

Annual Submissions to Agency. The 2026 Regulations require Assessment-Required Businesses to submit certain assessment information to the Agency that provides, among other information, the time period covered by the submission, the number of risk assessments conducted, and whether the risk assessments involve the processing of certain types of personal information. With respect to risk assessments conducted in calendar years 2026 and 2027, the business must send the submission to the Agency by April 1, 2028. With respect to risk assessments conducted after the 2027 calendar year, the business must send the submissions to the Agency on an annual basis, no later than April 1 of each year. Also, at any time, the Agency or California’s Attorney General may require an Assessment-Required Business to submit a copy of its unabridged risk assessment reports to the Agency or Attorney General.

The 2026 Regulations represent a comprehensive overhaul of California’s regulatory framework for the CCPA. As businesses expand their use of AI and automated processes for decisionmaking and other workflows, businesses subject to the CCPA should review their current data practices, evaluate their obligations under these new rules, and implement appropriate measures for compliance. Stand by for Part 2 of this series, which will dive deeper into the details of these regulations.

For more information about the CPPA, its regulations, and compliance guidance, please contact Renato Smith-Bornfreedom, Data Security & Technology Practice Area co-chair, at rsmithbornfreedom@barclaydamon.com; Kat Delos Reyes, associate, at kdelos@barclaydamon.com; or another member of the firm’s Data Security & Technology Practice Area.

[1] California Consumer Privacy Act, 11 Cal. Code Regs. §§ 7000–7302 (effective Jan. 1, 2026).
[2] California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq.