Written by: Haim Ravia, Dotan Hammer
California is rolling out two significant regulatory packages that will reshape business obligations under California privacy law beginning January 1, 2026. Together, these regulations introduce comprehensive automated decision-making requirements, mandatory cybersecurity audits, risk assessments, and a centralized consumer deletion mechanism for data brokers.
Automated decision-making technology
The updated CCPA regulations establish extensive requirements for businesses using “automated decision-making technology” (ADMT), defined as technology that processes personal information and uses computation to replace or substantially replace human decision-making. Human involvement requires a reviewer who understands the technology’s output, analyzes it alongside other relevant information, and possesses the authority to make or change the resulting decision.
Businesses deploying ADMT must provide consumers with a “Pre-use Notice” before using such technology. Consumers gain new rights to access information about how ADMT is used with respect to them and, except in limited circumstances, to opt out of ADMT entirely. Privacy policies must be updated to explain these rights. For “significant decisions” – those affecting financial services, housing, education enrollment, employment, or healthcare – consumers may appeal ADMT-based outcomes. The regulations define “profiling” broadly to encompass automated processing evaluating personal aspects, including intelligence, aptitude, health, preferences, behavior, location, and movements.
Cybersecurity audits and risk assessments
Businesses whose processing presents a significant risk to consumer security must conduct annual cybersecurity audits and produce documented audit reports. The regulations define “cybersecurity program” as policies protecting personal information from unauthorized access, destruction, use, modification, or disclosure. New requirements address privileged accounts, multi-factor authentication, and penetration testing.
Separately, qualifying businesses must conduct risk assessments that analyze their processing activities and must produce documented risk assessment reports. The regulations define “sensitive locations” (including healthcare facilities, domestic violence shelters, educational institutions, and places of worship) and “systematic observation,” which covers methodical monitoring through technologies like Wi-Fi tracking, drones, video recording, geofencing, or license-plate recognition.
Centralized deletion mechanism for data brokers
Newly established Delete Request and Opt-out Platform (DROP) regulations create a centralized system through which California consumers can submit deletion requests that reach all registered data brokers simultaneously. Data brokers must create DROP accounts, select consumer deletion lists matching the identifier categories they maintain, and access the platform at least every 45 calendar days to retrieve deletion requests.
Upon accessing DROP, data brokers must compare consumer identifier information against their records using specified standardization and hashing procedures, delete all personal information associated with matched identifiers, and report deletion status back through the platform. For unmatched requests, data brokers must retain the deletion list and compare it against any newly collected records before selling or sharing that information.
New data brokers must create a DROP account before commencing operations and begin accessing the platform within 45 days, paying prorated access fees ranging from $6,000 in January to $500 in December. The regulations clarify that “direct relationship” requires intentional consumer interaction for purposes of obtaining products or services—not merely exercising privacy rights—and that businesses remain data brokers as to any personal information collected outside first-party interactions.