CCPA rulemaking: cybersecurity & automated decision-making

The California Privacy Protection Agency's revised cybersecurity rulemaking introduces phased compliance timelines tied to company revenue, replacing the original single-date approach. Rather than a flat zero trust architecture mandate, the updated proposal applies requirements on a sliding scale based on organizational maturity — a direct response to business feedback. Smaller companies without existing SOC 2 certifications now have a more realistic runway, with implementation dates likely starting no earlier than 2027 and extending to 2030 depending on revenue tier. On automated decision-making technology, the CPPA narrowed its definitional scope from "solely based on ADMT" to the middle-ground standard of "substantially replaced" — a compromise that tracks Colorado law and addresses concerns about capturing ordinary software use. Three key compliance obligations remain: pre-use notice (which can now be bundled with the privacy policy), opt-out rights (with exceptions for employment decisions where a human reviewer has authority to overturn), and consumer requests to access ADMT logic. The access request obligation is particularly demanding, requiring plain-language explanations of purpose, logic, and outcome, though trade secret protections apply with documented analysis. Businesses will need to conduct a formal scoping analysis rather than rely on intuition. The Honda consent decree — the only public CCPA enforcement action to date — signals that even technical compliance is insufficient if consumer access is overly burdensome. Regulators are consistent in their message: businesses should document their decision-making process and show their work, even if conclusions are later challenged. A July board meeting is expected to bring further updates.

**Jenny:** Love to turn to the next topic, which is cybersecurity. This one I think is so interesting as these areas of privacy and security continue to merge. So this one, a lot of the changes are so detailed. They are reflecting what business comments were about making this more frictionless and easier to implement. But I'll start with the timing because, you know, that was really interesting what the staff came up with. So they decided to propose to the board that instead of there being one date, there'd be different dates based on your revenue. And that makes, I think, perfect sense. My clients that are smaller, that are gonna take time, they don't already have the SOC two. This is great. So I think that's where we're gonna see a little bit of switching to between what we get final because so I'd rather just say at this point, there's going to be phase in dates, whether they start probably not before twenty twenty seven and going till twenty thirty. But there might be three levels or there might be four levels of revenue. And then the other comment I'll just make about this is the zero trust architecture that is is out. Sounds a lot more reasonable to make it a sliding scale depending on maturity of the business. **Jenny:** And lastly, let's talk about ADMT, which is, of course, automated decision making technology. So I think it's important just to realize that we have narrowed the scope. So the definition of automated decision making, they did talk about that at the April fourth meeting, and they had three options. So one option was, like, the business is making a decision solely based on the ADMT. And Alastair, who, again, was part of the whole process of proposition twenty four, didn't wanna go that far because they thought that would be too big of a loophole. But where the staff was at was on the other end was substantially facilitate. So the middle ground is substantially replaced. So I think the concern about where is that line gonna be of how you're using ADMT and from the business comments with things that are what he called just normal software use now and just too much could be in. So the substantially replaced was a compromise, and that follows Colorado. That's another theme that came up a lot in the April fourth meeting is how can we make it easier by business to be consistent with other similar laws and implementation of it. I'd say that the key really here is having a human in the loop. I think we've all kind of heard that, is to make decisions. You better make sure you have a human reviewer who, first of all, is authorized to overturn the decision. They gave this example in the medical field of a doctor, I don't know, a thousand or some things that he was approving. There was no way that was really reviewing it. Right? This is what I'm gonna have to advise my clients. We can't just give a gut reaction. Oh, I don't think it applies. We're gonna have to go through the data and decide, okay. Now we're taking the position. This is like what I do with my clients with GDPR with, like, the legitimate interest analysis or controller versus processor. We gotta go through an analysis, and then we can take a position that we have a good faith belief that this is where we stand and then unless that gets challenged at some point down the road. **Jenny:** What I wanted to really talk about three things that are so key to think about with ADMT, preuse notice, opt out, and request to access ADMT. We still have those requirements. Some of the changes that happened with a preuse notice was it can be bundled with the notice at collection. That's the privacy policy. That should be easier for businesses. It's gotta be plain language. They say not generic. Like, you can't say you're using it to make a significant decision from the consumer point of view. What is the effect this could have on their life? And then you need to describe to the consumer that they haven't opt out right unless they don't because there's exceptions, especially in the employment area, And then how to submit request for access to the AVMT. You have to tell the consumer that there's no retaliation for exercising your rights. And then here's the big one for some of my smaller clients that are using AI. How does it work? If you're a smaller company, you need to have something there. And then what are the categories of personal information used? What are the outputs generated? There is a statement that says they don't have to disclose trade secrets. But, again, that means an analysis. We can't just say everything's a trade secret. So that's the pre then you gotta think about the opt out. So you there's an exception. If the human reviewer, again, has the authority to overturn the decision and they go into more detail in admission, acceptance, or hiring decisions, allocation or assignment of work and compensation. Those are, again, areas that we had a lot of feedback from business and their concerns. And then the final one, the request to access ADMT, that's gonna be a lot of work. You've gotta give a plain language explanation of purpose, logic, outcome, and then also your statements about no retaliation, and you can protect trade secrets. But so the big move was to limit to the scope. You're gonna have to do an analysis to see whether or not you're in the scope. **Colleen:** Well and as you walk through that, what occurs to me most, I think, is how clear it is that they're really trying to put themselves in the shoes of the consumer and make sure this is easy, right, for the consumer to understand. **Jenny:** Yeah. Absolutely. And I think if we saw anything from the Honda decision, that's been the only CCPA enforcement action where we have a public consent decree from the agency for CCPA. Honda, they're a bigger company. They had done a lot of things to technically comply, but they were considered by the agency to overly burden the consumer to access their information, all of the verification steps and things like that. That's definitely gonna be an enforcement priority for the agency is I think they're trying to balance it. And as the board members have all said, this isn't one and done. We can come back and we can review and see how it's working. And, hopefully, they'll continue to have kind of these forums and opportunities for both sides for business and consumers and labor to talk about how it's working. The other thing I've heard from regulars too at some of these conferences over the spring season is just they're looking for businesses to show their work. Right? It's like on a math test if you give the wrong answer. If you give the wrong answer with no showing of how you did it, you're not gonna get any credit. But if you show how you got there, at least you're showing you're trying. Right? Regulators wanna see that businesses are making a best attempt. **Colleen:** Totally. You hear that over and over. Show your work. So I think you stay tuned for the July meeting. It hasn't been announced, but it sounds clear they're gonna have a July meeting, and we'll see what happens there. **Jenny:** Well, Jenny, thank you so much for being our eyes and ears at these meetings. It's great to have the detailed takeaways. I appreciate you sharing them with us. **Jenny:** Yeah. My pleasure. It was a lot of fun. Thank you, Colleen. I can't wait to talk to you next time.