Modernizing Privacy, California-Style: CPPA Unveils New Proposed Rules

California is once again leading the charge in shaping the future of privacy regulation.

On May 1, 2025, the California Privacy Protection Agency (CPPA) rolled out new proposed rules under the California Consumer Privacy Act (CCPA). The goal: to make privacy compliance smarter, clearer, and actually doable in a world full of AI, algorithms, and virtual everything.

These updates reflect what many businesses have been asking for: rules that keep up with emerging tech without requiring a legal team the size of a Fortune 500 company.

Key Changes at a Glance

  • Updated & Simplified Definitions

Out with the jargon, in with the useful stuff. The CPPA ditched terms like “artificial intelligence” and “behavioral advertising” and added more practical ones like “cybersecurity audit report” and “risk assessment report.” Definitions are now more aligned with how data and tech are actually used.

  • Automated Decisions & Risk Assessments

If your systems are making automated decisions that impact people (think job offers, pricing, or perks), you’ll need to explain what’s going on. The rules now make it clear what must be included in a risk assessment, such as the purpose of data use, potential harms, and the safeguards in place. And yes, you can use your existing ones if they meet the new standards.

  • Cybersecurity Audit Requirements

Audits are being phased in based on company size and revenue. Reports now go to a responsible executive (and not just the board) and must cover specific core areas. Some of the more burdensome requirements have been cut, which means less red tape and more actual risk management.

  • Streamlined Consumer Notices

Using virtual reality or other augmented reality environments? You’ll need to let people know how their data is being collected before they dive in. Meanwhile, some older requirements (like “you have the right to file a complaint”) have been dropped to keep things focused.

What Happens Next?

The proposed revised rules triggered a 15-day public comment period, so if you’ve got thoughts, now is the time to speak up. After that, the CPPA may tweak the rules again or finalize them.

If adopted later this year, enforcement could begin as soon as late 2025 or early 2026. Some of the more complex requirements (like cybersecurity audits) will be phased in over a three-year period, giving businesses time to ramp up.
