On April 4, 2025, the California Privacy Protection Agency (CPPA) Board met to discuss the latest draft California Consumer Privacy Act (CCPA) regulations related to cybersecurity audits, risk assessments, automated decision-making technology (ADMT), and an assortment of other updates to existing regulations. These revisions come after the CPPA first released draft regulations on these topics in July 2024 and initiated the formal rulemaking in November 2024, as analyzed in a prior alert. The board meeting turned out to be quite contentious, with board member Alastair Mactaggart emphasizing some of the serious concerns raised in the unusually large volume of public comments—totaling 630 comments and 1,664 pages of feedback—expressing his own concerns that those comments lay out “the very explicit blueprints” for others to challenge the constitutionality of the draft regulations. Ultimately, the Board provided extensive feedback on the draft regulations to CPPA staff, going beyond the issues that staff had prepared for discussion.
CPPA Board Addresses Concerns Raised in Public Comments
In response to many of the comments raised and a perceived potential for legal challenges, board member Mactaggart proposed a motion for CPPA staff to prepare a report assessing the following six issues raised in the public comments that could form the basis for legal challenges: (1) exceeding statutory authority with respect to cybersecurity audits; (2) risk assessments imposing compelled speech; (3) exceeding statutory authority and raising potential First Amendment concerns with respect to “behavioral advertising,” which is not otherwise defined in the statute currently in effect; (4) contravening statutory intent in light of ADMT regulations risking the elimination of first-party advertising; (5) the ADMT pre-use notification requirement imposing compelled speech; and (6) an unconstitutional delegation of power over ADMT regulations in light of the lack of statutory definition. The CPPA Board ultimately did not vote on board member Mactaggart’s motion due to concerns of privilege. Instead, CPPA staff agreed to look into the First Amendment concerns raised by board member Mactaggart relating to compelled speech and behavioral advertising and provide advice.
CPPA Board Discussion of Substantive Alternatives in Draft Regulations
In addition to a number of smaller changes to the draft text of the regulations, CPPA staff proposed six more substantive issues for CPPA Board discussion. These issues pertained to the definitions of ADMT and “significant decision,” thresholds for “behavioral advertising,” “work or educational profiling,” “public profiling,” “training,” and risk assessment submissions to the CPPA.
In addition to the topics listed in the presentation of proposed discussion items from the CPPA staff, the Board briefly touched on the cybersecurity audit requirement and its associated cost. The Board noted that it intended to get to the bottom of what the true cost of the annual cybersecurity audit would be for an individual business. The Board’s preliminary conclusion was that it would be expensive for businesses because auditing would be an annual requirement. Board member Mactaggart proposed reducing that burden by exempting small businesses from the annual audit requirement. Board Chair Jennifer Urban noted it might be helpful to work with the legislature to explore a less burdensome requirement by increasing the time between required cybersecurity audits for all businesses. In the end, the Board requested more information from the staff regarding this issue before moving forward with a formal proposal. Specifically, the Board asked for public comments with more comprehensive economic research on the factors that contribute to the high cost for annual cybersecurity audits.
Other Proposed Changes to the Draft Regulations
CPPA staff also proposed several smaller changes to the draft regulations to lower the compliance burden on businesses. For example, the draft regulations for cybersecurity audits introduce three different compliance timelines for cybersecurity audits, with the earliest date delayed to January 1, 2028, instead of the original requirement of 24 months after the regulations are adopted. The updates to the current CCPA Regulations would also remove the requirement in the existing regulations that businesses, service providers, and contractors implement measures to ensure that personal information deleted pursuant to a consumer request remains deleted, deidentified, or aggregated. Lastly, despite the CPPA staff’s efforts to streamline compliance, the draft regulations continue to omit any explanation of how consumer rights requests are intended to interact with trade secret protections.
Next Steps
Given the extensive feedback on this round of draft regulations, the CPPA Board agreed to continue discussing the updated draft regulations in the next two meetings, one during the scheduled May meeting and another in July. Board member Mactaggart, reckoning with the anticipated substantial new changes in the draft, raised procedural questions regarding what would happen if the Board does not adopt the draft regulations by November 2025. Philip Laird, CPPA’s General Counsel, answered that significantly modified draft regulations would require a new public notice, a new initial statement of reasons, a new Standardized Regulatory Impact Assessment (SRIA), and a new 45-day comment period. Chair Urban strongly encouraged the Board to finish its rulemaking prior to November to avoid wasting any further public resources. Board member Mactaggart did not back down, pointing out the regulations’ potential significant negative impact on the California economy, including a mass loss of jobs. The Board now faces the difficult task of agreeing on significant revisions to the draft regulations in time to complete its work before November, or else risking legal challenges from businesses and trade groups for exceeding its statutory and constitutional authority with the draft regulations.
Wilson Sonsini routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning your CCPA compliance efforts, please contact Eddie Holman, Tracy Shapiro, Yeji Kim, Malcolm Yeary, or any member of the firm’s Data, Privacy, and Cybersecurity practice. For more information or advice concerning your compliance efforts related to ADMT or artificial intelligence, please contact Scott McKinney, Eddie Holman, Maneesha Mithal, or any member of the firm’s Artificial Intelligence and Machine Learning team.
Taylor Stenberg Erb contributed to the preparation of this alert.