Guide to CCPA Regulations Modifications

08.20.2025

Quick Reference Guide to Certain Modifications of CCPA Regulations

On July 24, 2025, the California Privacy Protection Agency (Agency) finalized amendments to regulations under the California Consumer Privacy Act (CCPA). These modifications impose new requirements on covered businesses and modify existing obligations and concepts. 

Below is a list detailing certain key updates with section references to help you digest the modified text (available online here: Modified Text of Proposed Regulations).

Please note that the following is intended only as a summary and a general description of certain modifications and does not constitute legal advice. Businesses should conduct their own review of the CCPA and the Regulations and should seek legal counsel as appropriate.

______________________________________________________________________________

ARTICLE 1. GENERAL PROVISIONS

§ 7001. Definitions

  • New and updated definitions are included throughout the entire definitions section, including, for example, new definitions of:
    • “Automated decision-making technology” or “ADMT”
    • “Cybersecurity audit” and “cybersecurity program”
    • “Performance at work”
    • “Performance in an educational program”
    • “Physical or biological identification or profiling”
    • “Request to access ADMT”
    • “Risk assessment report”
    • “Sensitive personal information”
    • “Significant Decision”
    • “Systematic observation” 
    • “Train”

§ 7002. Restrictions on the Collection and Use of Personal Information.

  • Right to withdraw consent at any time for secondary uses of data based on consent. § 7002(e).

§ 7003. Requirements for Disclosures and Communications to Consumers.

  • Update to appropriate font size and color for website links. § 7003(c).

§ 7004. Requirements for Methods for Submitting CCPA Requests and Obtaining Consumer Consent.

  • Update on methods for submitting CCPA requests and obtaining consumer consent, including testing requirements. § 7004(a)(2) - (c).

 

ARTICLE 2. REQUIRED DISCLOSURES TO CONSUMERS

§ 7010. Overview of Required Disclosures.

  • Businesses must provide a “Pre-use Notice” regarding ADMT, including an appropriate opt-out link. § 7010(c) - (d).

§ 7011. Privacy Policy

  • Updates to information required in privacy policies, including opt-out and access rights regarding ADMT. § 7010(e)(1)(B) – (3)(e).

§ 7013. Notice of Right to Opt-out of Sale/Sharing and the “Do Not Sell or Share My Personal Information” Link.

  • Requirements for deployment of sale/sharing opt-out notices in the context of connected devices and augmented or virtual reality. § 7013(e)(3)(C) – (D).

§ 7014. Notice of Right to Limit and the “Limit the Use of My Sensitive Personal Information” Link.

  • Requirement to provide, where relevant, the “Notice of Right to Limit” regarding sensitive personal information processing in the same manner in which the information was collected, and new examples of acceptable notice, such as within augmented or virtual reality environments. § 7014(e)(3).

§ 7015. Alternative Opt-out Link.

  • Clarifying that when providing an alternative opt-out link via the prescribed “opt-out icon,” the color of the icon may be adjusted to be conspicuous. § 7015(b)(3).

 

ARTICLE 3. BUSINESS PRACTICES FOR HANDLING CONSUMER REQUESTS

§ 7020. Methods for Submitting Requests to Delete, Requests to Correct, and Requests to Know. 

  • A new requirement for businesses maintaining data from the past 12 months: the method for submitting a request to know must include a means for consumers to request access to data collected prior to the 12-month period preceding the request. § 7020(e).

§ 7021. Timelines for Responding to Requests to Delete, Requests to Correct, and Requests to Know, Requests to Access ADMT, and Requests to Appeal ADMT.

  • Businesses must confirm receipt of access and appeal requests regarding ADMT no later than 10 business days after receipt and must respond to the same no later than 45 calendar days after receipt. § 7021(a) – (b).

§ 7023. Requests to Correct.

  • New requirement that when a relevant business, service provider, or contractor honors a request to correct, these entities must also ensure that the information remains corrected. New examples are included. § 7023(c)(1) – (2).
  • Upon denying a request to correct health data and receiving a written statement from a consumer to be included in the record, the business must make the statement available to any person with whom it makes the relevant data available, upon request of the consumer. § 7023(f)(3).
  • Where the business is not the source of the information that the consumer contends is inaccurate, the business must either provide the consumer with the contact information of the source, or inform the relevant source that the information provided is incorrect and must be corrected. § 7023(i).
  • Businesses must provide a way to confirm certain sensitive data in the context of a correction request. § 7023(j).

§ 7024. Requests to Know.

  • Businesses must provide a way for verified consumers to confirm that the relevant information is what the consumer provided. § 7024(d)(2).
  • When denying a request to know, the business must provide a detailed explanation of the basis of denial (including any exception to the CCPA) and must disclose the personal information not subject to the exception. § 7024(e).
  • Modifications to the information businesses are required to provide in response to a verified request to know, including information “shared.” § 7024(k)(3) – (l).

§ 7025. Opt-out Preference Signals.

  • Requirement for businesses to display the status of a consumer’s choice when a consumer consents to the sale or sharing of personal data despite a conflict between an opt-out preference signal and 1) the consumer’s business-specific privacy setting, or 2) participation in an incentive program. § 7025(c)(3)-(4).
  • Updates to wording for display to a consumer regarding the processing of an opt-out preference signal. § 7025(c)(6).

§ 7026. Requests to Opt-out of Sale/Sharing.

  • Examples to illustrate how a business may comply with a request to opt-out of sale/sharing, including immediate cessation of use of certain online advertising technology. § 7026(f)(3)-(4).
  • The business must provide a means by which consumers can confirm that their opt-out requests have been processed, including example language. § 7026(g).

§ 7027. Requests to Limit Use and Disclosure of Sensitive Personal Information.

  • Businesses must provide a means by which a consumer can confirm that their request to limit has been processed. § 7027(h).
  • Examples of when a business may use or disclose sensitive personal information without being required to offer consumers a right to limit. § 7027(m)(2) – (3).

§ 7028. Requests to Opt-in After Opting-out of the Sale or Sharing of Personal Information or Limiting the Use and Disclosure of Sensitive Personal Information.

  • Consumer opt-ins must now be a two-step process for opt-ins of sale and sharing and for the use and disclosure of sensitive personal information. § 7028(a).
  • Instructions on communications with consumers who engage in transactions requiring the use or disclosure of sensitive data whose use or disclosure they have previously opted out of. § 7028(c).

 

ARTICLE 4. SERVICE PROVIDERS, CONTRACTORS, AND THIRD PARTIES

§ 7050. Service Providers and Contractors.

  • Further limits service provider and contractor data processing in relation to previously enumerated purposes, to also require that such processing is reasonably necessary and proportionate for those purposes. § 7050(a).
  • Service providers and contractors must cooperate with businesses in relation to the business’s cybersecurity audits and risk assessments. § 7050(h)(1) – (2).

§ 7051. Contract Requirements for Service Providers and Contractors.

  • The previous service provider and contractor contract requirement explicitly prohibiting the processing of data collected under the contract for any commercial purpose other than the business purposes specified in the contract has been removed. Formerly § 7051(a)(4).
  • Service providers and contractor contracts must include requirements to assist with cybersecurity audits, business risk assessments, and the business’s ADMT requirements. § 7071(a)(5).

 

ARTICLE 5. VERIFICATION OF REQUESTS

§ 7060. General Rules Regarding Verification.

  • Requests to access ADMT must be verified; requests to opt-out of ADMT may not be subject to identity verification. § 7060(a), (b).
  • Businesses must match consumer-provided information with data already maintained before requesting additional information, and must provide reimbursement instructions when a business compensates consumers for the cost of notarization. § 7060(c)(1), (e).

§ 7062. Verification for Non-Accountholders.

  • Requires businesses to verify the identity of consumers making a request to access ADMT to a reasonably high degree of certainty and to deny such a request if the business cannot verify the request. § 7062(c), (f).

§ 7063. Authorized Agents.

  • Prohibits a business from requiring a consumer to resubmit a rights request in their individual capacity when such request was made by an authorized agent. § 7063(a)(2).

 

ARTICLE 7. NON-DISCRIMINATION

§ 7080. Discriminatory Practices.

  • States that a denial of a consumer rights request related to ADMT for reasons allowed by the Regulations shall not be considered discriminatory. § 7080(c).

 

ARTICLE 8. TRAINING AND RECORD-KEEPING

§ 7102. Requirements for Businesses Collecting Large Amounts of Personal Information.

  • Requires certain businesses that receive or make available the personal information of 10 million or more consumers in a calendar year to compile certain new information, including the number of ADMT access and opt-out requests, and responses to the same. § 7102(a)(1)(D), (G).

 

ARTICLE 9. CYBERSECURITY AUDITS

§ 7121. Timing Requirements for Cybersecurity Audits and Audit Reports.

  • Required timing of first cybersecurity audit reports, with various tiers based on annual revenue. § 7021(a)-(b).

§ 7122. Thoroughness and Independence of Cybersecurity Audits.

  • Further information about acceptable cybersecurity audit procedures, qualified auditors, required independence, report delivery, and information to be contained in the report. § 7122(a)-(g).

§ 7123. Scope of Cybersecurity Audit and Audit Report.

  • Further requirements for what the audit must assess, including “how the business implements and enforces compliance with its cybersecurity program” under the Regulation. § 7023(b), (c).
  • Audit report requirements. § 7023(e), (f).

§ 7124. Certification of Completion.

  • Requirement to submit written certification to the Agency of completion of a cybersecurity audit, including April 1 submission deadline and an attestation by executive management under penalty of perjury. § 7124(a)-(d).

 

ARTICLE 10. RISK ASSESSMENTS

§ 7150. When a Business Must Conduct a Risk Assessment.

  • Risk assessments required for the use of ADMT and other automated processing; examples provided. § 7150(b)(3)-(c).

§ 7151. Stakeholder Involvement for Risk Assessments.

  • Requires employees to be involved in a risk assessment when their duties pertain to the relevant processing, and allows external parties to be involved in the risk assessment. § 7151(a)-(b).

§ 7152. Risk Assessment Requirements.

  • Requires documenting the required assessment topics and outlines report content. § 7152(a).

§ 7153. Additional Requirements for Businesses that Process Personal Information to Train Automated Decisionmaking Technology.

  • Requires businesses that make ADMT available to other businesses to provide those businesses with “all facts available” to support their own risk assessments. § 7153(a)-(b).

§ 7154. Goal of a Risk Assessment.

  • States the goal of risk assessments generally, which is to balance the risks and benefits of personal data processing, and prevent processing where risks outweigh benefits. § 7154.

§ 7155. Timing and Retention Requirements for Risk Assessments.

  • Specifies a timing requirement of “as soon as feasibly possible,” but within 45 days, for risk assessment updates after material changes in processing, and specifies risk assessment retention requirements. § 7155(a)-(c).

§ 7156. Conducting Risk Assessments for a Comparable Set of Processing Activities or in Compliance with Other Laws or Regulations.

  • Allows the use of other risk assessments when required information is included or when the other assessment is supplemented appropriately; examples provided. § 7156(b).

§ 7157. Submission of Risk Assessments to the Agency.

  • Specifies information a business must submit to the Agency after a risk assessment and timing of reporting; requires attestation under penalty of perjury by a business executive. § 7157(a)-(c).

 

ARTICLE 11. AUTOMATED DECISION-MAKING TECHNOLOGY

The sections of this article set forth:

  • The scope of applicability of the Article. § 7200.
  • The requirement to provide pre-use notice to consumers regarding ADMT and the content of such notice. § 7220.
  • The requirement to offer consumers the ability to opt-out of ADMT and exceptions to that requirement. § 7221.
  • The requirement to offer access rights regarding ADMT and required content in response to such a request. § 7222.

 

ARTICLE 12. INSURANCE COMPANIES

§ 7271. General Application of the CCPA to Insurance Companies.

  • New example of when CCPA does not apply to insurance companies. § 7271(b)(3).

 

ARTICLE 13. INVESTIGATIONS AND ENFORCEMENT

§ 7302. Probable Cause Proceedings.

  • Requires the Agency to provide notice of a probable cause hearing. § 7302(b).
  • Requirement to conduct probable cause proceedings via telephone or video conference unless appropriately requested otherwise. § 7302(c)(1).
  • Removal of former § 7302(e) regarding notices of probable cause and probable cause determinations.