Key point: Businesses subject to the CCPA must comply with extensive new regulations.

On September 22, 2025, the California Office of Administrative Law (OAL) approved the California Privacy Protection Agency’s latest California Consumer Privacy Act (CCPA) rulemaking package. The rulemaking package covers updates to the existing regulations, automated decision-making technology (ADMT), risk assessments, cybersecurity audits, and insurance requirements.

The new regulations are voluminous, and businesses subject to the CCPA must undertake significant efforts now and over the next few years, to ensure compliance. A summary of the new regulations is available here.

Based on the submission form accompanying the approval, the regulations are effective January 1, 2026, although the ADMT, risk assessment, and cybersecurity audit provisions contain staggered implementation dates. We identified those staggered dates in our prior summary article. Among other changes that will go into effect in January, businesses will need to notify consumers when their websites recognize a GPC signal.

On September 25, we will host a webinar discussing the regulations surrounding cybersecurity audits, treatment of insurance companies, and other significant changes to existing CCPA regulations. Register for the webinar here.

We previously hosted a webinar analyzing the ADMT and risk assessment regulations. The webinar recording and slide deck are available here and here, respectively.