Table of Contents >> Show >> Hide
- What the CPPA actually finalized (and why it’s a big deal)
- ADMT rules: when your algorithm becomes the “decision-maker”
- Risk assessments: California’s “show your work” requirement
- Cybersecurity audits: independent, evidence-based, and not “trust us, bro”
- Advances DROP: making data broker deletion less painful
- Practical next steps for 2026 compliance
- Conclusion
- Field Notes: of Real-World “This Is What It Feels Like” Experience
California’s privacy regulators just did what California does best: make the rest of the country pay attention. The California Privacy Protection Agency (CPPA) has finalized a major package of regulations covering Automated Decisionmaking Technology (ADMT), privacy risk assessments, and cybersecurity auditsand it’s also pushing forward the Delete Request and Opt-Out Platform (DROP) for data brokers.
Translation: if your business uses algorithms to make meaningful calls about people (think hiring, lending, housing, education, or health care), sells or shares personal information, processes sensitive personal information, or runs large-scale data operations, your compliance program is about to get a lot more “hands-on” (and a lot less “we have a policy somewhere”).
What the CPPA actually finalized (and why it’s a big deal)
The final rules land in three high-impact buckets: (1) ADMT requirements for “significant decisions,” (2) mandatory risk assessments for certain processing activities, and (3) independent cybersecurity audits for businesses whose processing presents “significant risk” to consumer security. Layer on DROPa centralized mechanism meant to make data broker deletion requests less like whack-a-moleand you’ve got a full-on modernization of California privacy compliance.
What’s different this time is the vibe: these rules push companies toward demonstrable operational controls. Risk assessments need real analysis (not generic fluff), cybersecurity audits must rely on evidence (not management promises), and ADMT can trigger consumer rights like notice, opt-out, and accessdepending on how it’s used.
ADMT rules: when your algorithm becomes the “decision-maker”
Step one: know what counts as ADMT
ADMT isn’t “any automation ever.” The definition focuses on technology that processes personal information and uses computation to replace or substantially replace human decisionmaking. “Substantially replace” is the key phrase: if the business uses the tool’s output to make a decision without meaningful human involvement, you’re in ADMT territory.
That “human involvement” standard isn’t a rubber stamp. The human reviewer needs to understand how to interpret the output, actually review it (and other relevant information), and have the authority to change the decision. In other words: a human-shaped paperweight does not count.
What’s a “significant decision” (and what’s not)
The rules tie most ADMT obligations to “significant decisions.” These include decisions that result in the provision or denial of: financial or lending services, housing, education enrollment or opportunities, employment/independent contracting opportunities or compensation, or healthcare services.
Two practical notes matter a lot in day-to-day compliance:
- Advertising is explicitly carved out. A “significant decision” does not include advertising to a consumer. (So your ad-targeting model doesn’t automatically fall under the “significant decision” bucketthough other privacy rules may still apply.)
- Some decisions can look “big” but still be excluded in narrow cases. For example, ADMT that provides or denies housing based solely on vacancy/availability or successful payment isn’t treated as a significant decision.
Pre-use notice: tell people before the robot decides
If you use ADMT to make a significant decision about a consumer, you’ll generally need to provide a Pre-use Notice. The notice must be clear about the specific purpose (not “to make a significant decision,” and not “because reasons”). The regulations repeatedly discourage generic descriptionsCalifornia wants the consumer to understand what’s happening to them.
Businesses can sometimes provide consolidated notices (for multiple ADMT tools or systematic use), which is useful if your org runs a stack of models across the same relationship (like an employer using ADMT for hiring and then for performance-based work allocation).
Opt-out of ADMT: the right exists, with some tightly drawn exceptions
Consumers generally have the right to opt out of a business’s use of ADMT for significant decisionsunless an exception applies. The big practical exception is an appeal-to-a-human route: if you offer a method to appeal the decision to a qualified human reviewer with authority to overturn it, you may not have to offer opt-out for that ADMT use.
There are also narrower exceptions tied to employment and education contexts. For certain admission/acceptance/hiring decisions, and for allocation/assignment of work and compensation, the business may avoid offering opt-out if the ADMT is used solely for that assessment purpose and it works for the stated purpose without unlawful discrimination.
And California gets very specific about how opt-out has to work:
- Two or more methods to submit opt-out requests are required.
- At least one method must reflect how you primarily interact with the consumer (online, in person, etc.).
- A cookie banner alone is not an acceptable opt-out method for ADMT (because cookies are about collection, not necessarily use).
- Opt-out requests don’t require a “verifiable consumer request” process in the same way as some other rights (though you can ask for what’s necessary to identify the consumer).
- If a consumer opts out after processing started, you generally need to stop using that ADMT for them within 15 business days and notify downstream parties who process the consumer’s information using that ADMT.
Requests to access ADMT: “plain language” explanations, not a math PhD defense
Consumers can also request access to information about ADMT used for significant decisions. When responding, businesses must provide plain language explanations: the specific purpose, information about the logic (enough to understand how input became output), and the outcome of the decisionmaking process (including how the output was used).
The compliance challenge here is balancing transparency with security and intellectual property concerns. The practical goal is to explain “what inputs mattered and how the output was used” without handing over a blueprint for fraud or exposing protected trade secrets.
Risk assessments: California’s “show your work” requirement
The risk assessment rules are designed to force structured decision-making before certain high-impact processing begins. If your processing presents “significant risk” to consumers’ privacy, you must conduct a risk assessment before initiating that processing.
When risk assessments are required
Several activities are automatically treated as presenting significant risk, including:
- Selling or sharing personal information
- Processing sensitive personal information (with a limited carve-out for narrow employee/contractor administrative purposes)
- Using ADMT for a significant decision concerning a consumer
- Using automated processing to infer/extrapolate sensitive traits (like health, economic situation, behavior, location, movements) based on systematic observation in education/employment contexts
- Using automated processing to infer/extrapolate certain traits based on a consumer’s presence in a sensitive location (with a carve-out for using info solely to deliver goods or provide transportation at that location)
- Processing personal information intended to train ADMT for significant decisions, or to train facial recognition, emotion recognition, or other identity verification / physical or biological identification or profiling technologies
What a risk assessment needs to include
These assessments are not supposed to read like fortune cookies (“We value privacy. Risks exist. The end.”). They must identify the business’s specific purpose for processing (no generic “to improve our services”), describe categories of information, the scope and context of the processing, expected benefits, and potential negative impacts to privacy.
The goal is clear: if the risks to the consumer outweigh the benefits to the consumer, the business, or other stakeholders, the assessment is meant to drive restriction or prohibition of the processing. The rules also push stakeholder involvementmeaning the people who actually design or run the processing (not just counsel) should be part of the process.
Updates, timing, and submissions
Risk assessments must be reviewed and updated at least once every three years, and updated within a tight window after a material change that increases privacy risk. Businesses can reuse assessments prepared for other laws (for example, another state’s data protection assessment), but only if the California-required content is actually present (or paired with the missing pieces).
Importantly, the CPPA also requires submissions: for risk assessments conducted in 2026 and 2027, businesses must submit required information to the Agency by April 1, 2028then by April 1 following any year in which later assessments are conducted.
Cybersecurity audits: independent, evidence-based, and not “trust us, bro”
California’s cybersecurity audit rules are aimed at businesses whose processing creates significant risk to consumer security. If you’re in scope, you’ll need an annual audit by a qualified, objective, independent professionaland the findings must rely primarily on evidence (documents reviewed, testing performed, interviews), not management attestations.
Who is in scope
The rules define “significant risk” using thresholds tied to the CCPA’s business definitions. In broad terms, you may be in scope if:
- You meet the “50% of annual revenue from selling or sharing personal information” threshold; or
- You meet the “annual gross revenue” threshold and also processed personal information of 250,000+ consumers/households or processed sensitive personal information of 50,000+ consumers in the preceding year.
What auditors must look at
The audit must assess how your cybersecurity program protects personal information and availability, plus the establishment, implementation, and enforcement of the program appropriate to your size, complexity, and processing. The regulations list concrete components that may be assessed (as applicable), including multi-factor authentication, encryption at rest and in transit, account/access controls, and more.
The independence rules matter too: auditors can be internal or external, but internal auditors must be structured to avoid conflicts (including reporting lines and performance evaluation not controlled by the cybersecurity program leadership). Both the business and auditor must retain audit-relevant documents for at least five years.
Phased compliance timeline and certifications
Deadlines are phased by revenue:
- April 1, 2028 (if 2026 annual gross revenue was > $100M): audit covers Jan 1, 2027 to Jan 1, 2028
- April 1, 2029 (if 2027 annual gross revenue was $50M–$100M): audit covers Jan 1, 2028 to Jan 1, 2029
- April 1, 2030 (if 2028 annual gross revenue was < $50M): audit covers Jan 1, 2029 to Jan 1, 2030
After an audit, a senior executive (or appropriate leader) must certify completion to the CPPA with a signed attestation under penalty of perjury, including a statement that the business did not attempt to influence the auditor’s decisions. California is not subtle about wanting independence that’s real, not decorative.
Advances DROP: making data broker deletion less painful
DROP is California’s attempt to turn “delete my data from data brokers” into something closer to a single action instead of a part-time job. The platform enables consumers to submit a single deletion request that data brokers must honorwithout the consumer having to individually contact each broker.
What consumers can do (and what data brokers must do)
Consumers can verify California residency and submit a deletion request through the state’s platform. Data brokers will be required to access the platform regularly, retrieve relevant deletion requests, and delete the consumer’s personal information from their records within a specified period.
Timeline that matters
DROP is live for consumers beginning in 2026, and a key compliance milestone lands on August 1, 2026, when data brokers must begin deleting consumers’ data within the required timeframe after receiving the request through the platform.
For businesses that qualify as data brokers (or buy from them), DROP’s practical impact is bigger than the portal: it’s a forcing function for identity matching, suppression list management, vendor coordination, and reliable deletion workflows across systems. In other words, the “delete” button is just the beginning.
Practical next steps for 2026 compliance
- Inventory ADMT usage now: identify which models/tools “substantially replace” humans and where they touch significant decisions.
- Design consumer-facing ADMT flows: pre-use notices, opt-out mechanisms (two+), and an access response playbook in plain language.
- Stand up a risk assessment program: templates, stakeholder intake, a benefits/harms framework, and an update trigger process.
- Prepare for audit readiness: benchmark cybersecurity controls, confirm independence requirements, and align evidence collection.
- If you’re a data broker (or work with them): map how DROP deletion requests will be received, matched, executed, and tracked.
The through-line is simple: California is moving from “post a notice” to “prove the program works.” The sooner your organization builds repeatable workflows, the less painful the deadlines will feel.
Conclusion
The CPPA’s final ADMT, risk assessment, and cybersecurity audit rules are a clear signal that privacy compliance is becoming more operational, more measurable, and more tightly connected to security and AI governance. Meanwhile, DROP makes data broker deletion rights easier for consumers and harder for brokers to ignore. If your organization touches any of these areas, 2026 is the year to move from “policy” to “practice.”
Field Notes: of Real-World “This Is What It Feels Like” Experience
In practice, teams don’t struggle with the words “ADMT” or “risk assessment.” They struggle with the sentence “Tell me everywhere we use this.” The first week of preparation usually looks like an archaeological dig: privacy pulls a list of systems, security pulls a list of vendors, HR pulls a list of tools that “help with recruiting,” and product pulls a list of “personalization features.” Then everyone realizes the same tool shows up in three different lists under three different names. Congratulationsyou’ve discovered the universal law of enterprise technology: the same thing has at least four aliases and one of them is wrong.
ADMT mapping becomes much easier once you stop asking “Do we use AI?” and start asking: “Where do we use outputs without meaningful human involvement, and does that output influence a significant decision?” That shift changes the conversation from buzzwords to decision points. For example, an HR team might insist a hiring tool is “only advisory,” but the workflow reveals that recruiters automatically filter out candidates below a score threshold. If no one regularly challenges the output and has authority to override it, the rules may treat it as substantially replacing human decisionmaking. The fix isn’t always to kill the toolit’s often to redesign the process so human review is real, documented, and empowered.
Risk assessments feel intimidating until you treat them like product requirements with a conscience. The best programs create a repeatable intake: purpose (specific), data categories (including sensitive), scale (how many people), context (online/offline, consumers vs. employees), and downstream sharing. Then the hard part: negative impacts. Teams often start with the obvious (breach risk, discrimination risk), but the useful assessments go furthermisuse by insiders, chilling effects (people behave differently when tracked), error impacts (false positives), and the “surprise factor” (would a reasonable consumer expect this use?). The strongest assessments include mitigation that is concrete: changes to defaults, limited retention, access controls, logging, bias testing, and meaningful appeal paths.
Cybersecurity audits create a different kind of stress: evidence. If your security program is solid but lightly documented, the audit becomes a scavenger hunt. Teams that already run SOC 2 Type II or align to NIST/ISO often have a head start, but California’s independence and evidence expectations still require planning. One practical move is to establish an “audit packet” process: maintain standardized evidence for MFA, encryption, access reviews, vulnerability testing, incident response exercises, and vendor oversight. That reduces the annual scramble and keeps the audit from turning into a quarterly panic disguised as a spreadsheet.
And DROP? For data brokers, the operational challenge isn’t just receiving the requestit’s matching identities at scale without creating new privacy risks. Expect engineering discussions about hashed identifiers, suppression lists, false matches, and how to prevent “deletion abuse” without imposing unreasonable friction. The teams that succeed treat DROP as a workflow product: intake, match, delete, confirm, and logrepeat. The ones that struggle treat it like an email inbox. California is not building you an inbox.