TL;DR: California’s updated CCPA regulations add new obligations for automated decision-making, cybersecurity audits, and risk assessments, with staged compliance dates beginning in 2027 and audit attestations from 2028, according to OneTrust. The practical shift is from policy awareness to evidence-backed governance across automated systems, vendor contracts, and recordkeeping.
NHIMG editorial — based on content published by OneTrust: CCPA Adopts New CCPA Regulations: What Businesses Need to Know
By the numbers:
- Businesses must undergo mandatory cybersecurity audits based on their annual gross revenue, with requirements starting at ≥ $100M effective April 1, 2028 and reaching <$50M by April 1, 2030.
Questions worth separating out
Q: How should teams govern automated decision-making systems under privacy regulations?
A: Teams should inventory every decision workflow, identify whether it affects eligibility, access, or regulated outcomes, and assign a human owner for review and escalation.
Q: Why do automated decisions create a governance problem for IAM and privacy teams?
A: Automated decisions can shape access, eligibility, and consumer rights without leaving the same accountability trail as a human reviewer.
Q: How do organisations know whether their privacy controls are audit ready?
A: Audit-ready controls are traceable, repeatable, and backed by evidence that matches the actual workflow.
Practitioner guidance
- Inventory every ADMT workflow Identify all automated decision-making systems, including spreadsheets, databases, and third-party tools that influence consumer outcomes.
- Add appeal and disclosure paths to workflow design Design opt-out, disclosure, and appeal mechanisms before deployment so they are linked to the systems actually making or supporting decisions.
- Build an audit-ready evidence set now Collect policies, procedures, audit criteria, test results, and reviewed evidence in a single control repository.
What's in the full article
OneTrust's full blog covers the operational detail this post intentionally leaves for the source:
- Exact compliance timing for ADMT, cybersecurity audits, and risk assessment attestations by revenue band.
- Vendor contract language and workflow changes needed to support disclosures, appeals, and recordkeeping.
- Examples of the specific audit artefacts and assessment records businesses will need to retain.
- The article’s practical checklist for organisations preparing in Q4 2025 and beyond.
👉 Read OneTrust’s analysis of the updated CCPA ADMT and audit requirements →
CCPA ADMT and audit rules: what privacy teams need to prepare for?
Explore further
CCPA’s ADMT regime turns privacy governance into control governance. The article shows that California is no longer asking organisations to simply disclose automated decision-making, but to explain, assess, and evidence it. That is a broader governance shift because the control surface now includes rule-based systems, vendor workflows, and review mechanisms. For privacy and identity programmes, the practical conclusion is that decision transparency must be engineered, not drafted after the fact.
A question worth separating out:
Q: Who is accountable when a vendor supports automated decision-making or privacy workflows?
A: The business remains accountable even when a vendor provides the tooling or processes. Contracts should require the vendor to support disclosures, assessments, consumer requests, and recordkeeping, but accountability cannot be transferred away. If the vendor cannot produce evidence, the buyer still carries the compliance burden.
👉 Read our full editorial: CCPA’s ADMT rules raise the bar for privacy governance