Skip to main content
Home/Blog/California's 2026 CCPA Regulations: ADMT, Risk Assessments and What They Mean for Advertising
Back to Intelligence Hub
regulationUnited StatesRisk Level: medium

California's 2026 CCPA Regulations: ADMT, Risk Assessments and What They Mean for Advertising

California's finalized CCPA regulations add ADMT rights, risk assessments and cybersecurity audits — and they treat targeted advertising differently from what many advertisers expect.

Updated July 8, 2026· Originally published July 8, 202613 min readAuditSocials Research
TweetShare
Quick Answer

The California Privacy Protection Agency finalized new regulations under the California Consumer Privacy Act that took effect on January 1, 2026, adding three main components: rights to access and opt out of automated decision-making technology (ADMT) used for significant decisions, mandatory risk assessments for higher-risk processing, and annual cybersecurity audits for qualifying businesses. For advertisers, the most important clarification is that targeted advertising is treated as outside the ADMT 'significant decision' category — the regulations state that targeted advertising alone is not a significant decision — so the ADMT access and opt-out rights, which attach to decisions about finances or lending, housing, education, employment and healthcare, do not attach to targeted advertising itself. That is not the end of the story for adtech, however, because the regulations separately require a risk assessment where a business sells or shares personal information for cross-context behavioral advertising, so behavioral advertising is squarely within the risk-assessment regime even though it is excluded from the ADMT significant-decision definition. The compliance timeline is staggered: the regulations are in effect from January 1, 2026, businesses using ADMT for significant decisions must comply by April 1, 2027, initial risk assessments for ongoing processing are due by December 31, 2027 with reporting to the Agency due by April 1, 2028, and cybersecurity audits phase in by revenue — larger businesses first, from April 1, 2028, then April 1, 2029 and April 1, 2030 for smaller ones. Because dates and definitions govern, confirm the current text against the CPPA. Audit how audience and data practices map to these rules with the AI Compliance Audit, map the multi-state picture with the Legal Compliance Scan, and track effective dates on the Policy Change Tracker.

California's 2026 CCPA Regulations: ADMT, Risk Assessments and What They Mean for Advertising

What the 2026 CCPA Regulations Add

The California Privacy Protection Agency finalized a set of regulations under the California Consumer Privacy Act that took effect on January 1, 2026, and they add three substantial components to the existing CCPA framework: consumer rights relating to automated decision-making technology, a requirement to conduct risk assessments for higher-risk processing, and a requirement for qualifying businesses to complete annual cybersecurity audits. Together they extend the CCPA from a set of access, deletion and opt-out rights into a regime that also governs automated decisioning, risk documentation and security assurance.

For advertisers and adtech, the regulations are significant less because they ban anything and more because they define where specific obligations attach. The headline for marketing teams is a precise one: targeted advertising sits in a particular place in the framework — outside the automated-decision-making category that carries access and opt-out rights, but inside the risk-assessment regime where personal information is sold or shared for cross-context behavioral advertising. Getting that distinction right is what prevents both over-compliance and gaps.

"Targeted advertising alone is not a 'significant decision.'
— California Consumer Privacy Act regulations (2026)"

This guide explains the ADMT rules and why advertising is treated separately, how risk assessments apply to behavioral advertising, the cybersecurity-audit deadlines, and what advertisers should be doing now. For the broader California context see the California audience-targeting audit guide, and define terms in the compliance glossary.

ADMT and Why Advertising Is Excluded

Automated decision-making technology, or ADMT, is the part of the regulations most likely to be misread by marketing teams, because the rights it creates sound as though they might reach behavioral advertising — but the regulations define the trigger narrowly, and targeted advertising is placed outside it.

The ADMT Framework

  • What ADMT is: technology that processes personal information and uses computation to replace or substantially replace human decision-making.
  • The trigger is "significant decisions": the access and opt-out rights attach where ADMT is used to make a significant decision about a consumer.
  • What counts as significant: decisions resulting in the provision or denial of financial or lending services, housing, education enrollment or opportunities, employment or independent-contracting opportunities or compensation, or healthcare services.
  • Advertising is excluded: the regulations state that targeted advertising alone is not a significant decision, and advertising — which appeared in earlier drafts — was excluded from the final significant-decision definition.

The practical consequence is that the ADMT-specific rights — a consumer's right to access information about the logic and use of ADMT and to opt out of its use for a significant decision — do not attach to targeted advertising. Businesses that use ADMT for the enumerated significant decisions, such as lending or employment, must comply with those requirements by April 1, 2027, but a business using automated systems solely for targeted advertising does not fall within the ADMT significant-decision obligations on that basis. This is a case where reading the definition precisely prevents unnecessary work. For adtech built around financial products, note that lending decisions are a significant-decision category; see the financial services ad-compliance guide, and audit automated decisioning with the AI Compliance Audit.

Risk Assessments and Behavioral Advertising

While targeted advertising is excluded from the ADMT significant-decision category, it is not outside the regulations altogether, because the separate risk-assessment requirement reaches behavioral advertising directly. This is the part of the framework most relevant to adtech and audience teams.

Where Risk Assessments Apply

The regulations require a business to conduct a risk assessment before engaging in processing that presents a significant risk to consumers' privacy, and the enumerated triggers include selling or sharing personal information — and, specifically, selling or sharing personal information for cross-context behavioral advertising purposes. That places behavioral advertising squarely within the risk-assessment regime even though it is not an ADMT significant decision.

ObligationKey deadline
Regulations in effectJanuary 1, 2026
ADMT compliance (significant decisions)April 1, 2027
Initial risk assessments (ongoing processing)December 31, 2027
Risk-assessment reporting to the AgencyApril 1, 2028

A risk assessment is a documented analysis that weighs the benefits of the processing against the risks to consumers and identifies safeguards, and for adtech the practical implication is that programmes involving the sale or sharing of personal information for behavioral advertising need that documented assessment on the regulation's timeline. Because the assessment must exist before the processing continues under the new rules, and because initial assessments for ongoing processing are due by December 31, 2027 with reporting due by April 1, 2028, the work of inventorying which data flows involve selling or sharing for behavioral advertising should begin well ahead of those dates. Map which audience and data flows are in scope with the Legal Compliance Scan, and for the interaction with state privacy signals see the Meta limited data use guide.

Cybersecurity Audits and the Deadlines

The third component of the 2026 regulations is a requirement for qualifying businesses to complete annual cybersecurity audits, and the obligation phases in by business size, with larger businesses required to comply first.

The Phased Audit Timeline

Business sizeFirst audit deadline
More than $100 million in 2026 revenueApril 1, 2028
$50 million to $100 million in 2027 revenueApril 1, 2029
Less than $50 million in 2028 revenueApril 1, 2030

The cybersecurity-audit requirement applies to businesses whose processing presents significant risk to consumers' security, and the staggered schedule gives smaller businesses additional time. For advertising and data-driven organisations, the audit connects to the same underlying data practices that the risk assessments cover, so the two obligations are best approached together: an accurate inventory of personal-data processing supports both the risk-assessment analysis and the scope of the cybersecurity audit. Because the qualifying thresholds and deadlines are defined by the regulations and can be refined, confirm the applicable dates and revenue tests against the CPPA rather than a summary. Track the phased deadlines on the Policy Change Tracker, and align security and data-governance work using the SaaS and tech compliance guide.

What Advertisers Should Do Now

Because the regulations phase in over several years, advertisers have a genuine runway, but the foundational work — knowing which data flows and decisions fall into which category — takes time and should start well before the deadlines. The priorities follow the structure of the rules.

The Advertiser Priority List

  • Classify decisions: identify whether any automated systems make significant decisions (lending, housing, education, employment, healthcare); if so, plan for the ADMT obligations by April 1, 2027. Pure targeted advertising does not fall here.
  • Inventory behavioral-advertising data flows: map where personal information is sold or shared for cross-context behavioral advertising, since those flows require a documented risk assessment.
  • Plan risk assessments: prepare to complete initial assessments for ongoing processing by December 31, 2027, with reporting to the Agency by April 1, 2028.
  • Scope cybersecurity audits: determine which revenue tier applies and the corresponding first-audit deadline between 2028 and 2030.

The strategic point is that the 2026 regulations reward precise classification. Targeted advertising is not swept into the ADMT access-and-opt-out rights, which avoids a common misconception, but the sale or sharing of personal information for behavioral advertising is firmly within the risk-assessment regime, so adtech programmes need documented assessments on the regulation's timeline. Approaching the risk assessments and cybersecurity audits together, on the foundation of an accurate data inventory, is the efficient path. Because the details govern and can change, confirm current requirements against official CPPA sources. Audit audience and data practices with the AI Compliance Audit, and map cross-jurisdiction exposure with the Legal Compliance Scan.

CCPA 2026 Compliance Checklist

  • [ ] Identified any automated systems making significant decisions (lending, housing, education, employment, healthcare)
  • [ ] Confirmed that pure targeted advertising is not treated as an ADMT significant decision
  • [ ] Planned ADMT access and opt-out compliance by April 1, 2027 where significant decisions are made
  • [ ] Inventoried data flows that sell or share personal information for cross-context behavioral advertising
  • [ ] Scheduled initial risk assessments for ongoing processing by December 31, 2027
  • [ ] Prepared for risk-assessment reporting to the Agency by April 1, 2028
  • [ ] Determined the cybersecurity-audit revenue tier and first-audit deadline (2028–2030)
  • [ ] Built a single personal-data inventory supporting both risk assessments and audits
  • [ ] Aligned consent and opt-out signal handling with the behavioral-advertising flows in scope
  • [ ] Confirmed current definitions and deadlines against official CPPA sources

Don't miss the next policy change.

Create a free account — track every policy change across 8 platforms, get instant alerts, and access every free compliance tool. Or try our Meta Rejection Predictor first.

Create Free Account

Report Keywords — Run AI Compliance Audit

#CCPA#California Privacy#ADMT#Risk Assessment#Cybersecurity Audit#Behavioral Advertising#CPPA#State Privacy#Ad Compliance#2026 Policy#Advertisers#Compliance Guide 2026

Share This Report

TweetShare

Related Posts

Related Resources