On Sept. 23, 2025, the California Privacy Protection Agency (CPPA) announced that the state’s Office of Administrative Law (OAL) had formally approved the CPPA’s wide-ranging package of revised and new California Consumer Privacy Act (CCPA) regulations, thereby confirming a Jan. 1, 2026, effective date.
Although the new rules do not contain a delayed enforcement grace period, as some earlier versions of the CCPA statute or amending rules had done, the new requirements pertaining to cybersecurity audits, risk assessments, and automated decision-making technology (ADMT) largely have compliance deadlines kicking in after the rules’ 2026 effective date.