While headlines in the UK have recently been dominated by the new Data (Use and Access) Act—and more recently, the buzz surrounding the Online Safety Act—we thought we’d offer a little change of scenery for this legal update.
So, as the weather turns crisp and those carefree summer holidays fade into memory, let’s take a virtual trip to the sun-drenched West Coast of the U.S., California, to be precise.
Why? Because the California Privacy Protection Agency (CPPA) has been busy—recently approving significant amendments to the CCPA Regulations that are going to matter for businesses operating (or offering services) in the Golden State.
What’s Changing?
Here’s your bite-sized summary of what to expect:
Privacy Risk Assessments
Businesses subject to the California Consumer Privacy Act (CCPA) will now be required to conduct risk assessments for certain “high-risk” processing activities. Having initially held off on including mandatory risk assessments in the CCPA and CPRA, California now appears to be taking an approach much more similar to what we’ve seen under the GDPR. Be aware that disclosure of assessment details to the CPPA can be required.
Cybersecurity Audits
Given the recent spate of high-profile data breaches, it’s no surprise that cybersecurity is getting more attention. Under the revised regulations, in-scope businesses must consider 18 specific security controls when conducting information security audits. Expect more documentation, and yes—there’s now an annual certification requirement as well.
Automated Decision-Making
Automation continues to raise eyebrows, and California’s not holding back. The updated rules bring in fresh transparency and opt-out requirements around automated decision-making. The framework may feel familiar if you’re used to the GDPR—but there are some uniquely Californian layers added on top.
What’s Next?
The amended regulations still need a final thumbs-up from the California Office of Administrative Law, but that approval is expected. If and when it’s granted, the new rules will start to take effect from 1st January 2026, with phased compliance milestones—giving businesses a little time to prepare.
Feeling a Little Overwhelmed?
You’re not alone. Navigating privacy regulations across jurisdictions can feel like chasing the sun—just when you think you’ve found it, something shifts.
But the good news? Our team is here to help. Whether you’re grappling with the UK’s latest data rules or wondering how the new CCPA changes apply to your business, we’ve got you covered.
Reach out to our privacy team today to chat about how we can support your compliance journey.