Regulation Change (Live Regulation)
CPPA/OAL approve finalized CCPA regulations package covering cybersecurity audits, risk assessments, and ADMT (plus updates to existing CCPA regs)
California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) regulations (CPPA)
California Privacy Protection Agency (CPPA) / California Office of Administrative Law (OAL)
US
Announced
Sep 23, 2025
Implementation
Jan 1, 2026
Description
The CPPA announced approval of a major CCPA/CPRA regulations package (approved by OAL) that includes requirements and frameworks for cybersecurity audits, risk assessments, and rules governing automated decisionmaking technology (ADMT), along with updates to existing CCPA regulations. This is directly relevant to Vendor Cybersecurity & Data Privacy because these obligations commonly flow down into vendor/service-provider governance: businesses will need stronger documentation of cybersecurity programs, assessment processes, audit readiness, and risk management for processing activities often performed by vendors (e.g., cloud/SaaS processors). The CPPA announcement states an effective date of Jan 1, 2026, with staged compliance timelines referenced for audit certifications, risk assessment submissions/attestations, and ADMT significant-decision obligations.
Sources
- Official: California Finalizes Regulations to Strengthen Consumers' Privacy
- Official: CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Regulations - CPPA
- Official: Text of Approved Regulations (PDF)
- Official: Final Statement of Reasons (PDF)
- Official: CPPA Board Meeting Audio Transcript (PDF)