California Finalises Sweeping Privacy Rules

How ADMT, Audits, and Risk Assessments Will Reshape Email Marketing

On July 24, 2025, the California Privacy Protection Agency (CPPA) unanimously approved a landmark package of regulations under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). The rules, a culmination of years of drafting and public comment, are set to significantly impact how businesses—including those in the email marketing and MarTech space—handle consumer data.

The finalized package introduces three major pillars of compliance: new obligations for Automated Decision-Making Technology (ADMT), a requirement for annual cybersecurity audits for certain businesses, and mandatory privacy risk assessments for “high-risk processing.”

Here’s a breakdown of what email professionals and senders need to know and how to prepare.

Automated Decision-Making Technology (ADMT): A New Frontier for Profiling

The new regulations define ADMT as any technology that processes personal information to “replace or substantially replace human decision-making.” While earlier drafts had broader language, the final rule clarifies its focus on technologies that make “significant decisions” about consumers, such as eligibility for a loan or a job, as well as extensive profiling activities.

For email marketers, this is a game-changer. Technologies that rely on data to automate and optimize campaigns—such as audience segmentation, predictive send-time optimization, and deliverability scoring—fall squarely under these new rules.

Effective Date: January 1, 2027

Starting in 2027, California residents will have new rights regarding ADMT:

  • The Right to Notice: Businesses must provide clear, pre-use notices explaining how their ADMT works, the types of data it uses, and its potential impact on the consumer.
  • The Right to Opt-Out: Consumers must be given a frictionless way to opt out of the use of ADMT, particularly when it’s used for profiling or targeted advertising. The regulations emphasize that the opt-out process must be as easy as opting in—a direct challenge to “dark patterns” and complex unsubscribe flows.
  • The Right to Access & Appeal: Consumers can request information about how a significant decision was made and, in some cases, appeal the outcome with a human review.

Mandatory Cybersecurity Audits

The new rules require certain businesses to conduct annual, independent cybersecurity audits. This applies to companies that meet specific revenue and data processing thresholds, namely those processing the personal information of 250,000 or more California residents, or the sensitive personal information of at least 50,000.

Phased Compliance Deadlines:

  • April 1, 2028: For businesses with over $100 million in annual gross revenue in 2026.
  • April 1, 2029: For businesses with $50-$100 million in annual gross revenue in 2027.
  • April 1, 2030: For businesses with less than $50 million in annual gross revenue that meet the data processing thresholds.

This obligation will place significant new compliance burdens on email service providers (ESPs) and large senders. The audits must align with recognized frameworks like NIST and ISO, raising the bar for “reasonable security” and making vendor due diligence more critical than ever.

High-Risk Processing and Risk Assessments

The regulations also introduce a requirement for businesses to conduct detailed risk assessments for any “high-risk processing” activities. This includes targeted advertising, extensive profiling, and processing sensitive personal information.

Deadline: December 31, 2027

For many email marketers, this will be the most immediate compliance challenge. Any sender using behavioral tracking, open-rate analytics, or cross-campaign profiling will need to perform a documented risk assessment. These assessments must weigh the privacy risks against the business benefits and detail the safeguards in place to mitigate potential harm to consumers. A summary of these assessments must be submitted to the CPPA annually, starting April 1, 2028.

Next Steps for Email Marketers

The message from the CPPA is clear: proactive compliance is no longer optional. Here are the key action points for the email industry:

  1. Inventory Your Tech Stack: Map out every instance where your email platform or marketing tools use ADMT for segmentation, lead scoring, or personalization. Identify which of these uses impact California residents.
  2. Rethink Your Opt-Out Flows: Prepare to build and deploy new, simplified opt-out mechanisms for any ADMT-driven profiling. The process must be as easy as clicking a single link, or an equally frictionless method.
  3. Initiate a Risk Assessment Framework: Begin a formal process for conducting and documenting risk assessments for all high-risk email marketing activities. This documentation will be essential for demonstrating lawful basis and proportionality to the CPPA.
  4. Strengthen Your Cybersecurity: If you’re an ESP or a large sender, start preparing for the annual audit requirements. This may involve aligning your internal security programs with NIST or ISO frameworks.
  5. Update Privacy Policies: Ensure your privacy policies are updated well before the 2027 deadlines to include the new disclosures on ADMT, consumer opt-out rights, and the nature of your risk assessment practices.

The new regulations are a significant step towards a more transparent and accountable data ecosystem. For the email industry, it’s a wake-up call to move beyond basic list hygiene and embrace a proactive, privacy-first approach to technology and consumer data.

Emailexpert Editorial Team
Articles published under this byline are produced by the Emailexpert editorial staff and contributors. Content reflects collective reporting and review rather than the work of a single author.