Overview

• The California Office of Administrative Law approved the California Privacy Protection Agency’s regulatory package, which takes effect on January 1, 2026.
• Automated decision-making requirements begin on January 1, 2027, granting consumers rights when automated systems make or meaningfully influence significant decisions.
• Businesses subject to annual cybersecurity audits must file certifications by April 1 of 2028, 2029, or 2030, depending on revenue thresholds.
• Privacy risk assessments are required starting in 2026, with an attestation and summary due to the CPPA by April 1, 2028.
• The rules expand coverage to insurance companies and update duties on consumer requests, service providers, and recordkeeping, as the CPPA reports roughly 150 complaints per week and hundreds of open investigations.