California’s Privacy Landscape Evolves: Key Amendments and What Businesses Must Do | By: Jeffrey R. Glassman
Posted in IP Insights

California remains at the forefront of U.S. consumer privacy regulation. Recent developments in the California Consumer Privacy Act (“CCPA”), amended by the California Privacy Rights Act (“CPRA”), and ongoing rule-making by the California Privacy Protection Agency (“CPPA”) reflect a shift toward stronger enforcement and broader data-security obligations. Businesses operating in or with exposure to California must act now to align with the evolving standards.

The CPPA announced new monetary thresholds and increased civil penalties for violations of the CCPA. On July 24, 2025, the CPPA Board adopted final regulations that update the CCPA to require, effective January 1, 2026, (i) mandatory cybersecurity audits for certain business categories; (ii) risk assessments for automated decision-making technology (“ADMT”); and (iii) expanded rights for consumers related to algorithmic processes. In addition, the California Legislature amended the CCPA via SB 1223 and AB 1008 to include neural data (i.e., data generated by measuring the activity of a consumer’s central or peripheral nervous system) within the “sensitive personal information” category.

Companies subject to the CCPA and CPRA must reassess whether they meet the updated revenue thresholds and data-collection volumes, and determine whether the new regulations apply to them. At a minimum, covered businesses should inventory personal and sensitive data types (including newly covered neural data) and update privacy policies and notice-at-point-of-collection statements to reflect the expanded definitions and the more robust consumer rights now in play. In addition, it would be prudent for such businesses to map data flows (particularly where ADMT is used or consumer neural data is processed) and to establish programmatic cybersecurity audit schedules and risk-assessment protocols for ADMT systems. The new rules require transparency regarding ADMT. To that end, companies must disclose their use of ADMT to consumers, provide those consumers with opt-out paths where required, and document algorithmic risk assessments. The regulatory trend is now to treat many corporate responsibilities associated with privacy and cybersecurity as fully integrated (not separate and distinct) obligations.
Given the increased civil penalty regime and the CPPA’s active enforcement agenda, businesses must maintain documentation of privacy program operations and regularly audit results and consumer-rights responses. Records of risk assessments, audit outcomes and incident handling will be crucial for companies to demonstrate compliance to the CPPA. If a company processes personal information of California residents or uses ADMT that affects California-based consumers, it should assume that the new rules apply to it. Moreover, for businesses using emerging data such as neural metrics captured by wearables or health and fitness devices, it is imperative to assess whether such data falls under the new definition of “sensitive personal information”. In addition to the foregoing, contractual agreements, vendor management and data-processing addenda should be reviewed to ensure obligations align with the latest regulatory requirements.

Ultimately, boards and senior management must develop integrated privacy and cybersecurity policies related to oversight, reporting, auditing and accountability. Proactive compliance will inevitably become a competitive advantage for companies that can demonstrate robust governance frameworks, will help such companies mitigate risk, and eventually assist them in building and maintaining consumer trust.

The California privacy regime continues to evolve, driven by advances in technology, regulatory ambition and consumer expectations. The amendments to the CCPA and CPRA, in conjunction with the CPPA’s rule-making, mark a strategic shift in which privacy is no longer only about disclosure and consent. Rather, privacy (and privacy law compliance) is increasingly about data security, algorithmic transparency and enhanced consumer rights. Companies that act now to build resilient internal frameworks geared toward compliance will be well positioned to avoid heightened regulatory scrutiny and investigations, and to reduce litigation risk in the future.

This publication is published by the law firm of Ervin Cohen & Jessup LLP. The publication is intended to present an overview of current legal trends; no article should be construed as representing advice on specific, individual legal matters. Articles may be reprinted with permission and acknowledgment. ECJ is a registered service mark of Ervin Cohen & Jessup LLP. All rights reserved.