California Announces New Regulations Amending the CCPA: Effective January 1, 2026

The California Privacy Protection Agency (CPPA) has adopted a new set of regulations to further implement the California Consumer Privacy Act (CCPA). These rules were approved by the Office of Administrative Law on September 22, 2025, and take effect beginning January 1, 2026, with several rolling deadlines through 2030.  

These regulations significantly expand obligations around cybersecurity audits, privacy risk assessment, automated decision-making technology (ADMT), notice requirements, and consumer rights. They also clarify expectations for insurance companies, mobile applications, connected devices, and the processing of minors’ data.  

Why This Matters 

Compliance professionals will need time and resources to implement new procedures to align with the new rules which improve the strength of protection for consumers while also considering the realities of business implementation and providing clarity on compliance requirements. These new requirements bring in increases in consumer rights and new complex compliance activities with rolling timelines based upon entity revenue and consumer reach.  

Rules Going into Effect January 1, 2026, and Beyond: 

The new CPPA regulations taking effect on January 1, 2026, require businesses to begin compliance with risk assessment requirements, honor opt-out requests (especially those using Global Privacy Control (GPC) signals), and update their privacy policies. Additional updates apply to privacy policy disclosures, mobile application settings, and cookie consent banners. Rolling implementation dates will apply to requirements related to automated decision-making technology (ADMT), privacy risk assessments, and cybersecurity audits.  

Below is a quick snapshot of what is coming and how it may impact your organization: 

What is your strategy to meet these new CPPA requirements? 

As privacy regulations expand and AI-driven use cases increase, organizations are prioritizing integrated, risk-aligned privacy programs. Consolidated governance, automated tooling, and a formalized data management framework will help reduce duplicated effort across CCPA, GDPR, state privacy laws, and emerging AI regulations. 

How Tevora Can Help 

The Tevora differentiator between Privacy Attorneys and Internal Compliance teams is making compliance operational, scalable, and technically executable.  

We partner with organizations to close the gap between legal requirements and practical implementation, helping organizations:  

• Translate regulatory requirements into actionable controls, workflows, and system changes 
• Build and operationalize privacy processes that internal teams cannot live alone due to bandwidth or technical complexity  
• Integrate privacy into technology ecosystems (cloud, apps, data platforms, product security, AI tools, and vendor systems)  
• Perform independent risk and ADMT assessments  
• Design evidence ready programs that stand up to audits and regulatory scrutiny  

We would also welcome the opportunity to help your organization plan for and implement the changes needed to comply with this comprehensive data security law through our data compliance services. Give us a call at (833) 292-1609 or email us at [email protected].