Navigating CX in the Age of ADMT: How CPPA’s Finalized CCPA Rules Reshape Customer Experience
In July 2025, the California Privacy Protection Agency (CPPA) took a landmark step by finalizing a sweeping package of amendments to the CCPA regulations. These new rules introduce stringent requirements around automated decision-making technology (ADMT), cybersecurity audits, and privacy risk assessments. As the new regulatory landscape unfolds, it’s time for CX leaders to rethink how they collect, process, and interact with customer data. Here’s what’s changing, and how to adapt.
What Did the CPPA Decide?
On July 24, 2025, the CPPA Board unanimously approved a comprehensive update to the CCPA regulations, now moving through procedural review by the Office of Administrative Law. The key pillars include:
Automated Decision-Making Technology (ADMT):
Now broadly defined as any system that substantially replaces human decision-making (e.g., using algorithms for hiring, pricing, or service eligibility). Companies must:
- Provide clear notices before or at data collection.
- Explain how the system works, its consequences, and consumer rights, including an opt-out if the system makes “significant decisions.”
ADMT rules take effect by January 1, 2027. (Sources: Foley Hoag; Nelson Mullins Riley & Scarborough LLP)
Privacy Risk Assessments:
Required for activities posing significant privacy or security risk, such as using ADMT or sharing sensitive personal information. These must be documented, regularly updated, and produced to regulators upon request. (Sources: Foley Hoag; Nelson Mullins Riley & Scarborough LLP)
Cybersecurity Audits:
Annual, independent audits are now a must for covered businesses (e.g., those with >$25M revenue or large-scale processing of consumer information). Audits must assess security posture, breach readiness, and remediation gaps, and report directly to executive leadership. Deadlines begin in 2027, with earlier requirements for larger firms. (Sources: Foley Hoag; Nelson Mullins Riley & Scarborough LLP)
Additionally, prior draft versions had attempted broader AI regulation but were revised in response to industry concerns, narrowing the focus to ADMT, tightening definitions, and reducing compliance burdens. (Source: blog.freshfields.us)
Why It Matters to the CX Industry
1. Transparency Is Now Mandatory—Beyond Privacy Policies
AI-driven personalization, chatbots, or decision engines must come with explicit notice and opt-out options if they make significant decisions (e.g., eligibility checks, offers, promotions). CX teams need to rethink script language, design disclosures, and consent workflows. Opt-in/opt-out pathways must be seamless.
2. Risk Awareness Becomes Core to CX Design
Customer-facing tools must now undergo formal risk assessments to weigh business benefit against potential privacy harm. CX functions handling personal or sensitive data must be more deliberate—especially in onboarding flows or data-sharing activities.
3. Security Isn’t Optional; It’s Audited
Annual cybersecurity audits must be baked into CX operations. If you run loyalty programs, mobile apps, or data-driven customer match platforms, expect regulatory interest. CX must build defensible security controls—think encryption, access management, and incident detection.
4. Cross-functional Collaboration Is Essential
Compliance now bridges privacy, security, legal, and customer-facing teams. CX leaders should proactively coordinate with privacy officers and security teams to embed privacy-by-design into journeys.
5. California Often Sets National Trends
Given California’s economic heft, these new rules are likely to influence other states or federal standards. Investing in compliance now may pay off by enabling broader CX readiness for future mandates. (Source: Goodwin Law Firm)
Action Steps for CX Leaders
| Task | What to Do |
|---|---|
| Audit ADMT in CX | Identify which customer-facing systems use ADMT. Ensure transparency, opt-out, and user-friendly notice flows by Jan 2027. |
| Document Risk | Conduct privacy risk assessments for new or existing CX tools. Refresh them regularly and archive documentation. |
| Plan Audits | Establish regular cybersecurity audits for systems processing personal data. Prioritize systems with high consumer impact. |
| Update Governance | Build cross-functional teams (Legal, CX, Security, Privacy). Define communication protocols and escalation paths. |
| Monitor & Scale | Watch for similar regulations elsewhere. Use your compliance foundation as a competitive advantage by marketing trust and transparency. |