Export Compliance Daily is a service of Warren Communications News.
CPPA Previews Enforcement Update

California ADMT Rules Get Final Approval, Take Effect Jan. 1

The California Privacy Protection Agency received final approval on automated decision-making technology (ADMT) and other rules from the Office of Administrative Law (OAL), the CPPA said Tuesday. Meanwhile, in materials released ahead of a Friday board meeting, the CPPA disclosed that it has seen a steady increase in consumer privacy complaints over the last two years.

“These rules ensure that Californians continue to have the strongest privacy protections in the country while being responsive to the realities of business implementation,” said CPPA Board Chair Jennifer Urban. Phil Laird, the agency’s general counsel, said the rules “provide clarity for businesses, while ensuring strong protections for Californians.” The CPPA’s “goal has always been to give consumers meaningful rights and also provide practical compliance pathways for businesses,” he added. OAL approval was expected (see 2508120025).

The CPPA's rules on ADMT, cyber audits, risk assessments, insurance and other California Consumer Privacy Act matters go into effect Jan. 1, though some of the new requirements provide extra time for companies to comply, the agency said.

For instance, businesses that use ADMT to make significant decisions must comply with the automated decision-making requirements starting on Jan. 1, 2027. Businesses required to complete cybersecurity audits must submit certifications to the CPPA by April 1, 2028, if their annual gross revenue exceeds $100 million; April 1, 2029, if the business' annual gross revenue is between $50 million and $100 million; or April 1, 2030, if it's less than $50 million. Meanwhile, risk assessment requirements apply on Jan. 1, 2026, but attestations that required risk assessments were completed and summaries of risk assessment information aren’t due until April 1, 2028.

OAL's approval of the regulations means the agency won't have to consider modifications to the text of the rules at Friday's meeting, a CPPA spokesperson said. A meeting agenda released last week included a possible modification of the text as agenda item No. 8 (see 2509170023).

Since the CPPA board adopted 119 pages of rules on July 24 (see 2507240070), many privacy lawyers have been suggesting first steps companies can take to comply (see 2507250027). These include mapping the organization's automated decision-making technology (ADMT), reviewing and revising privacy policies, planning for cybersecurity audits and reviewing vendor contracts (see 2508050031).

Also, some lawyers flagged for immediate attention rules requiring websites to display that they are honoring universal opt-out signals (see 2508210026) and that opt-out processes have the same or fewer steps than the process to opt in (see 2508260044).

The board is scheduled Friday to consider another rulemaking related to implementing an accessible data-deletion mechanism known as the Delete Request and Opt-Out Platform (DROP). After reviewing comments due Aug. 18 on revised draft rules (see 2508220022), the agency “determined that no further substantive changes would be made to the proposed regulations,” according to a draft final statement of reasons released Monday. The CPPA also posted the draft text and summaries and responses to the first and second rounds of comments.

Also, the CPPA board is scheduled Friday to receive an update from Enforcement Deputy Director Michael Macko. The agency received 8,265 consumer privacy complaints between July 6, 2023, and Sept. 8, 2025, said a slide deck released Monday. An accompanying chart shows that the number of complaints steadily increased over time, with a spike from January to February 2025.

The most common complaints concerned the right to delete (51%); collection, use, storing or sharing of personal information (44%); and the right to limit (39%), according to the presentation. Less commonly, complaints related to the right to correct (13%), children’s privacy (6%) or financial incentive programs (5%).

Additionally, at Friday’s meeting, the board will consider a staff recommendation to reduce the data broker registration fee to $6,000 from $6,600, according to a meeting memo. The agency said that about 530 data brokers registered in 2025. The CPPA estimated that implementing and maintaining requirements under the California Delete Act, including setting up an accessible deletion mechanism, will cost $6.8 million over fiscal years 2025-26 and 2026-27. “These costs are highly volatile given the uncertainty around the utilization of the system by Californians,” it said.