CCPA Finalizes Rules on Implicit Bias Risks & Cyber Security Audits in Financial Services Automation
On July 24, 2025, California regulators approved a number of regulations under the California Consumer Privacy Act (CCPA) governing the use of automated decision-making technology (ADMT). The rules impose new obligations around pre-use notices, opt-out rights, risk assessments, and cybersecurity audits. These regulations carry particular significance for financial services companies, where automated lending and credit decision tools raise serious concerns about implicit bias. On September 23, 2025, the California Office of Administrative Law (OAL) announced that it had approved the regulations proposed by the California Privacy Protection Agency (CPPA). With the implementation of these new regulations, it is crucial for financial institutions to evaluate their use of ADMT and ensure compliance.
What is Automated Decision-Making Technology?
ADMT is defined as any technology that “processes personal information and uses computation to replace or substantially replace human decision-making.” (California Privacy Protection Agency, California Consumer Privacy Act (CCPA) Statute (eff. Jan. 1, 2026), at p.4 (Sept. 22, 2025), https://cppa.ca.gov/regulations/pdf/ccpa_updates_cyber_risk_admt_appr_text.pdf?utm_source=chatgpt.com) In financial services, this is inclusive of credit scoring systems, fraud detection algorithms, loan underwriting platforms, and automated consumer onboarding tools. Because the definition hinges on “substantially replace,” businesses cannot avoid compliance by including nominal human review. If algorithms are driving the decision, the rules apply.
Implicit Bias Risks
Lending and the extension of credit must be fair in nature. Financial institutions have long faced scrutiny under fair lending laws, and the use of ADMT amplifies that risk. Some contemplated risks include the following:
- Incorporate historical data that reflects past discriminatory practices.
- Rely on proxy variables such as ZIP code or employment history, which correlate with protected traits like race or gender.
- Produce opaque outcomes that mask how creditworthiness is determined, making it difficult to identify whether bias has driven the lending and credit decisions.
These risks can lead to disparate impacts on protected groups and expose lenders to both regulatory enforcement, civil actions, and reputational harm. California’s regulations require institutions to confront these issues head-on by documenting their processes and justifying their reliance on ADMT.
Pre-Notice Requirements for Businesses that Utilize ADMT
When ADMT is used to make significant decisions, such as whether to extend credit, businesses must provide clear pre-use notices. For lenders, the challenge will be drafting disclosures that are both legally compliant and accessible to ordinary consumers. Under the new regulations, before using ADMT to collect personal information, businesses will be required to send Pre-Notices to consumers that explain the purpose of the ADMT, how consumers can opt out or appeal to a human reviewer, what rights they have to access their ADMT-related data, and how the system operates in plain terms. These requirements will be enforced beginning January 1, 2027.
The Pre-Use Notice must state, in specific terms, the following:
- A description of how ADMT works.
- The purpose for which ADMT will be used.
- The consumer’s right to opt out of ADMT and how to do so.
- The consumer’s right to access information about the ADMT use.
- A description of the alternate decision-making process if the consumer opts out.
- The business cannot retaliate against them for exercising those rights.
Opt-Out Requirements
If a consumer opted out, the business would have to cease collection, use, disclosure, and retention of the consumer’s personal information using the ADMT. However, there are several separate instances where a business would not have to provide an opt-out of its use of ADMT:
- Business provides an opportunity to appeal the ADMT decision to a human reviewer who can reverse the decision.
- Use solely in assessment of prospective employees’ ability to perform at work and what.
- For work assignment/allocation.
Responses to Consumer’s Request to Access Information
Should a consumer request access, the response would have to include: (1) why the business used ADMT; (2) how the ADMT worked with respect to that consumer (such as key factors that affected the ADMT output and how the business used the output to make a decision); and (3) how the consumer can correct the inaccurate information and that no retaliation may be taken against them.
Risk Assessments: Addressing Bias Directly
Impacted businesses must conduct risk assessments before using ADMT in contexts that present significant privacy risks. For finance companies, this includes any use of ADMT to make lending or credit decisions.
Scope of Risk Assessment Reports
Risk assessments require weighing risks to consumer privacy against business and societal benefits. In practice, this means explicitly evaluating whether data inputs, model design, or deployment practices create a risk of bias, not just basis itself. A well-documented risk assessment not only supports CCPA compliance but can also demonstrate proactive efforts to mitigate bias under federal and state fair lending laws. Businesses who sell or share personal information or use ADMT to process personal information must conduct these assessments and provide a risk assessment report to the CPPA. A risk assessment report must include the following:
- The specific purpose of the processing of personal information in precise terms;
- The categories of personal and sensitive information processed, limited to what is necessary to achieve the stated purpose;
- The operational elements of the processing of personal information (e.g., methods of collecting personal information, retention periods, and disclosures provided to consumers);
- The benefits arising from the processing of personal information;
- The risks with consumers’ privacy associated with the processing of the personal information;
- The safeguards the business will implement to protect the personal information obtained;
- Whether the business intends to proceed with the processing of personal information; and
- The individuals who contributed information to the assessment (excluding legal counsel) and the date it was approved.
Timeline to Submit
Starting April 1, 2028, and every year thereafter, businesses must submit the following to the CPPA:
- Business and Contact Information;
- Reporting Period for the risk assessment;
- Categories of personal and sensitive personal information included in assessment; and
- Identification for individual submitting the risk assessment.
Cybersecurity Audits
In addition to fairness concerns, financial institutions must prepare for cybersecurity audits, conducted by a qualified independent professional, if their data practices pose significant risks to consumer security. Given the volume and sensitivity of consumer financial data, many lenders will likely fall within the scope of this requirement. A business’s obligation to undergo a cybersecurity audit is determined by several metrics. Specifically, a business is subject to a cybersecurity audit if:
- Its annual gross revenue meets the CCPA threshold of $26,625,000.00 and it has processed the personal information of at least 250,000 consumers or the sensitive personal information of at least 50,000 consumers; or
- It derives 50% or more of its annual gross revenue from selling or sharing personal information
Scope of Cybersecurity Audit Reports
The regulations require that each covered business conduct an independent cybersecurity audit that results in a report. The scope of the audit should generally cover the business’ cybersecurity program, and how the program protects personal information and implements and enforces its cybersecurity controls. This would include authentication, encryption of data, access controls, account management, incident response, training, and data disposal. More importantly, cybersecurity audit reports must include the following information:
- Description of systems, policies, and procedures evaluated.
- Criteria and evidence used to reach conclusions
- Gaps/weaknesses, remediation plan, and timelines
- Prior corrections and responsible personnel titles
- Auditor’s credentials and certification statement of independence
- Copies and descriptions of breach notifications, if applicable.
- Personal Attestation –
- Must attest that certification is true and correct
- That business has not made any attempt to influence auditor’s assessments
Auditor Requirements
- The auditor must possess specialized knowledge of cybersecurity and cybersecurity auditing and must exercise independent judgment throughout the audit.
- The auditor may be internal or external; however, internal auditors must not report to the executive management team member responsible for overseeing the business’ cybersecurity program.
- All audit work must comply with the standards established by the American Institute of Certified Public Accountants (AICPA) or the Public Company Accounting Oversight Board (PCAOB).
- The business must provide the auditor with all requested, relevant information and make a good-faith effort to fully and truthfully disclose all pertinent facts.
Timeline to Submit
Businesses with less than $50 million in revenue will be required to submit their first report by April 1, 2030; those with $50-$100 million in revenue will be required to submit their first report by April 1, 2029; and those with revenue in excess of $100 million will have to submit their reports by April 1, 2028.
Key Action Items for Finance Companies
To prepare for compliance and reduce both legal and reputational risks, financial institutions should:
- Map all uses of ADMT in lending, credit, and fraud prevention.
- Design consumer-friendly pre-use notices tailored to each ADMT tool.
- Build processes for opt-outs and genuine human review of automated decisions.
- Conduct and document bias testing as part of risk assessments.
- Prepare governance structures for mandatory cybersecurity audits beginning in 2028
Conclusions:
California’s new regulations underscore the dual challenge for finance companies deploying automated systems: protecting consumer privacy and addressing implicit bias. By treating fairness and transparency as core compliance priorities, institutions can not only meet regulatory obligations but also build greater trust with consumers in an era where algorithmic accountability is increasingly under the spotlight. It is imperative that businesses subject to the CCPA, evaluate their use of ADMT and establish a process to determine, on an ongoing basis, the applicability of the cybersecurity audit, and privacy risk assessment requirements for their business.
