UPDATE – May 2025: Since this article was published, the California Privacy Protection Agency (CPPA) has advanced its draft rules on cybersecurity audits, risk assessments, and the use of automated decision-making technologies (ADMTs). Though final regulations are still pending, businesses in California should prepare for mandatory audits and documented risk assessments. BABL AI continues to monitor these developments and offers audit and compliance services aligned with emerging privacy and AI frameworks.
ORIGINAL NEWS STORY:
California Privacy Agency Discusses Draft Rules on AI, Cybersecurity, and Risk
While lawmakers continue to go back and forth in Washington D.C., California continues to move forward. On September 8th, the California Privacy Protection Agency (CPPA) convened to review a sweeping set of draft regulations focused on cybersecurity audits, risk assessments, and automated decision-making technologies.
The CPPA was established after the passage of Proposition 24 in 2020 and is governed by a five-member board tasked with enforcing California’s privacy laws.
The draft regulations discussed at the latest meeting were formed this past summer, following a public hearing earlier in the year. At the 6+ hour meeting, the CPPA Board went back and forth on the audit regulations.
Cybersecurity Audits for Large Data Processors
The draft regulations propose mandatory annual cybersecurity audits for businesses processing significant amounts of personal data. One threshold under discussion includes businesses with annual gross revenue above $25 million and those that process personal information of 100,000 or more. Additional employee and customer count thresholds are still under review.
Audits must be conducted by independent professionals, whether internal or external. The auditor must maintain objective judgment and document the organization’s cybersecurity program—including practices related to authentication, encryption, access controls, training, vendor oversight, and incident response. The auditor must also evaluate risks related to data breaches or unauthorized data use.
Risk Assessments for Data Use and ADMTs
The second half of the meeting focused on risk assessments tied to both cybersecurity audits and the use of automated decision-making technologies (ADMTs).
Under draft rules, businesses must document how they process personal information—including how it is collected, used, shared, and retained. The data must be categorized, and any sensitive personal information should be identified, although a precise definition for “sensitive” data is still pending.
Risk assessments must include:
- The context of data processing
- The relationship between the business and the data subjects
- The purpose and benefits of data processing
- A clear description of potential risks or harms to consumers or stakeholders
What Comes Next?
The CPPA emphasized that these proposals are still in draft form, and public comment remains open. No final regulations were adopted during the meeting, and no date has yet been set for the agency’s next session.
Nonetheless, the proposals signal California’s continued push for stronger privacy regulation and AI oversight.
Prepare for California’s Next Privacy Shift
As rulemaking progresses, companies operating in California should prepare now. BABL AI offers independent audit services, risk assessments, and compliance guidance aligned with evolving rules and regulatory frameworks. Contact BABL AI; they can answer all your questions and more.