On Sept. 23, 2025, the California Privacy Protection Agency (CPPA) announced that the state’s Office of Administrative Law (OAL) had formally approved the CPPA’s wide-ranging package of revised and new California Consumer Privacy Act (CCPA) regulations, thereby confirming a Jan. 1, 2026, effective date.

Although the new rules do not contain a delayed enforcement grace period, as some earlier versions of the CCPA statute or amending rules had done, the new requirements pertaining to cybersecurity audits, risk assessments, and automated decision-making technology (ADMT) largely have compliance deadlines kicking in after the rules’ 2026 effective date. 

As highlighted below, many of the new provisions taking effect on New Year’s Day – such as those pertaining to privacy policy disclosures, a business displaying on its website that it has processed a Global Privacy Control opt-out request, unsymmetrical dark pattern practices, and consent in relation to website cookie banners ­­– are public-facing and may require near-term changes to companies’ websites, mobile applications, or policies made available to consumers. 

An overview of the main changes are addressed below but, given the nuance and detail contained within each, Greenberg Traurig’s Data Privacy & Cybersecurity team will be monitoring the new cybersecurity audit, risk assessment, ADMT rules, and more. What follows below is an overview of some of the key changes taking effect Jan. 1, followed by the major takeaways for the new audit, assessment, and ADMT rules with later compliance deadlines.

Read the full GT Alert.