Following California’s Lead: How the CCPA’s New Rule Guides Compliance Efforts Nationwide
August 22, 2025
When it comes to data privacy and cybersecurity regulation in the United States, California continues to lead the way. The state’s latest updates to the California Consumer Privacy Act (CCPA) show that its rules do more than guide compliance locally; they set the tone for regulators nationwide and are a reminder that businesses across the country need to pay close attention.
The California Privacy Protection Agency, which has enforcement and rulemaking authority under the law, initiated a new rulemaking process in November 2024. The regulations are designed to provide numerous benefits to consumers and businesses. For consumers, the regulations decrease the risk of unfair outcomes and unauthorized use of their personal information. For businesses, they improve efficiency and operations while promoting innovation. The new regulations impose specific requirements for how businesses protect consumer data, with an emphasis on risk assessments, opt-out rights, and proactive security measures. And their impact is not limited to California’s borders. The state’s regulatory approach continues to serve as a model for other jurisdictions crafting or enforcing their own data privacy laws.
Cybersecurity regulations
Like other state privacy laws, the CCPA requires businesses to implement and maintain “reasonable” security procedures. The Federal Trade Commission has also penalized companies that failed to maintain reasonable security measures when retaining or processing personal information. Until now, the meaning of “reasonable” security was unclear, with minimal guidance from enforcement agencies.
The new CCPA regulations provide greater clarity. Under Section 7123(c), businesses must conduct a cybersecurity audit if their handling of personal information presents significant risks to consumer privacy or security. Triggers may include processing of sensitive personal information, conducting large-scale data operations, using data in automated decision-making, sharing data with third parties, or a history of security incidents.
The regulations also identify specific technical safeguards, such as multi-factor authentication and encryption, that may be evaluated during enforcement. Not every safeguard is mandatory for every business, but the list provides concrete guidance on what “reasonable” security looks like in practice.
Automated decision-making
The new rules expand requirements around automated decision-making. Other privacy laws already require companies to let consumers opt out when these systems are used for legally or similarly significant decisions, such as housing, insurance, or employment.
The CCPA now goes further. Consumers have the right to opt out of being subject to automated decisions and to access information about how such systems are used. Businesses must also provide clear notice when deploying these technologies, ensure that any human oversight is meaningful, and make sure the use of Automated Decision-Making Technology (ADMT) is appropriate for the consumer’s expectations. They must also provide a conspicuous opportunity to opt out.
Risk assessments
Alongside cybersecurity audits, the updated CCPA regulations provide clearer guidance on risk assessments. A business must conduct regular risk assessments if it engages in “high-risk” processing of personal data, a trigger similar to those in other state laws, such as those of Maryland and Virginia. The new rules clarify what to include in these assessments, how often they should be conducted, and which processing activities require them.
California goes further than other states by specifying that compliant assessments should include documentation of safeguards, the business purpose for processing, and consideration of alternative, less risky methods.
Even if your business is not directly subject to the CCPA, these regulations offer valuable insight into how regulators are likely to define “reasonable” cybersecurity, responsible use of automated decision-making, and the scope of risk assessments. Businesses that align with California’s model now will be better positioned to adapt quickly to future regulations and strengthen compliance under current laws.
Key effective dates
- General rules: January 1, 2026
- Automated decision-making requirements: January 1, 2027
- Risk assessment requirements: December 31, 2027
- Cybersecurity audit requirements: April 1, 2028, to April 1, 2030, depending on business size
Looking ahead
California’s updated CCPA regulations illustrate the direction privacy enforcement is likely to take in the United States. Even for businesses outside California, understanding these rules can provide a roadmap for meeting evolving expectations around cybersecurity, risk assessments, and automated decision-making. Organizations that align their policies with California’s model can reduce compliance risk, improve efficiency, and adapt quickly as new privacy laws emerge nationwide. If your organization is navigating these complex requirements or needs guidance on policy development, risk assessments, audits, or compliance strategies, I can help. Together, we can align your business with evolving privacy regulations and reduce compliance risk.