Is CalPrivacy Gearing Up to Change CCPA Regulations Again? What the 2026 Rulemaking Push Means for Employees and Employers
- On April 20, 2026, California's privacy watchdog launched new preliminary rulemaking targeting employee and job applicant data privacy under the CCPA.
- Public comments are due May 20, 2026—but enforceable rules are unlikely to arrive before 2027 at the earliest.
- A sweeping prior round of CCPA rules covering AI decision-making and cybersecurity audits already took effect January 1, 2026.
- A $1.35 million enforcement penalty in late 2025 signals the CPPA is done warming up—it is actively using its authority.
What Happened
If you thought California's privacy regulators had taken a breath, think again. On April 20, 2026, the California Privacy Protection Agency (CPPA)—the state's dedicated privacy watchdog—launched a fresh round of preliminary rulemaking, asking the public to weigh in on potential new rules under the California Consumer Privacy Act (CCPA). This new effort zeroes in on two areas that have created real friction for employers: how privacy notices should be written specifically for workers and job applicants, and what practical obstacles prevent employees from actually exercising their CCPA privacy rights.
The CPPA is exploring seven specific questions on each of these two tracks. Think of this like the agency holding an open town hall before drafting any actual rules—it is collecting feedback before pen meets paper. If you want to influence the outcome, the deadline for submitting preliminary comments is May 20, 2026. Even so, legal experts caution that formal rulemaking, if pursued, is unlikely to produce enforceable regulations before 2027.
This new push does not happen in isolation. The CPPA closed a separate preliminary comment period on April 6, 2026, covering Opt-Out Preference Signals (OOPS)—automated tools that allow consumers to signal their privacy preferences directly to websites. Meanwhile, a massive prior round of CCPA regulations covering risk assessments, cybersecurity audits, and automated decision-making technology was finalized by California's Office of Administrative Law on September 23, 2025, and took effect January 1, 2026. California's privacy machine is running on multiple tracks simultaneously, and the legal technology industry is working overtime to help businesses keep up.
Why It Matters for You
Here is the simplest way to understand what is happening: California built a privacy rulebook in 2018. Voters upgraded it in 2020. Now regulators are writing new chapters faster than most companies can finish reading the last one. That pace carries real consequences whether you are a job seeker, an employee, or a business owner—and the stakes just got higher.
Start with what is already law. Legal analysts at Greenberg Traurig called the January 2026 CCPA regulations "one of the most significant expansions of consumer privacy obligations in California since the CCPA's original enactment," requiring businesses to overhaul their risk assessment and audit programs entirely. That is not fine print—it is a full system reset for how companies document, protect, and account for the personal data they collect.
One of the most consequential new obligations involves cybersecurity audits. Think of these like mandatory financial audits—except instead of verifying your balance sheet, auditors verify your data security practices. The deadlines are staggered by company size: businesses with annual revenues over $100 million must submit cybersecurity audit certifications by April 1, 2028; companies earning between $50 million and $100 million have until April 1, 2029; and smaller businesses under $50 million get until April 1, 2030. Do not mistake those distant deadlines for breathing room—building audit-ready documentation infrastructure takes years, not weeks.
If your business uses algorithms or AI systems to make significant decisions about people—think loan approvals, housing applications, job screenings, or healthcare recommendations—the Automated Decision-Making Technology (ADMT) compliance obligations become enforceable on January 1, 2027. Privacy counsel at Wiley Law observed that these finalized rules signal California is "moving closer to a GDPR-style accountability framework." GDPR (the EU's General Data Protection Regulation, widely considered the world's strictest consumer privacy law) requires documented risk assessments, algorithmic transparency, and individual rights over automated decisions. California is now demanding similar rigor from businesses operating within its borders. Legal technology solutions that automate risk assessment documentation are becoming critical infrastructure for compliance teams navigating this shift.
For employers specifically, attorneys at Paul Hastings cautioned that the new round of preliminary rulemaking on employee data "could significantly reshape employer privacy compliance in California," particularly for companies that assumed employment records were largely off-limits under CCPA's core consumer rights framework. If new rules take hold, workers could gain expanded rights to access, correct, or delete their employment data.
Enforcement is no longer a distant threat. The CPPA approved a $1.35 million CCPA enforcement penalty in late 2025—a clear signal the agency is not just writing rules, it is wielding them. And starting August 1, 2026, data brokers (companies that buy, aggregate, and sell personal information) must access the CPPA's new DELETE Request and Opt-Out Platform, known as DROP, at least once every 45 days. The DROP platform launched in January 2026 as part of the same regulatory wave. Together, these moves paint a picture of a regulator moving from setup to enforcement mode—fast.
The AI Angle
The new ADMT rules put artificial intelligence squarely in California's regulatory crosshairs—and that is where AI legal tools are becoming indispensable. Any business using AI-driven systems to screen job applicants, approve loans, or triage healthcare decisions must now document how those systems work and give affected individuals the right to opt out or appeal. This is a compliance challenge at a scale that manual processes simply cannot handle.
Contract review platforms are already being used to scan vendor and employment agreements for data-sharing clauses that trigger ADMT obligations. Legal software suites built for privacy compliance are automating audit trail generation, risk flagging, and notice drafting. Law firm automation tools are helping privacy teams monitor regulatory updates in real time, so businesses learn about new CPPA guidance before it becomes a violation notice. The OOPS rulemaking track—whose preliminary comment period closed April 6, 2026—is especially relevant for tech companies, and legal software vendors are already building automated signal-detection features into their compliance dashboards. For businesses without dedicated privacy counsel, these tools provide a critical early-warning system that manual tracking simply cannot match.
What Should You Do? 3 Action Steps
The CPPA's preliminary comment window on employee and applicant data privacy closes May 20, 2026. If your business employs people in California—or hires California residents remotely—this rulemaking directly affects your HR operations. You do not need to be a lawyer to participate; the CPPA accepts input from anyone. Consider working with employment counsel or using AI legal tools to draft a concise, factual comment that reflects your operational realities. Businesses that engage early often see their concerns reflected in final rules.
Do not wait until your deadline is six months away. Identify which revenue tier your business falls into and work backward from your certification date. Companies earning over $100 million face an April 1, 2028 deadline—which sounds far away until you account for vendor security assessments, legal reviews, board approvals, and remediation time. Legal software with built-in compliance calendar features can automate milestone tracking and flag gaps in your documentation before auditors do. Law firm automation resources can also help you build the policy library an audit requires.
If your company uses automated tools to screen employees, approve applications, or make recommendations in financial services, housing, or healthcare, catalog those systems now. The ADMT rules become enforceable January 1, 2027, and the $1.35 million penalty issued in late 2025 shows the CPPA will act when businesses fall short. Use contract review software to identify where AI vendor agreements lack transparency provisions, and deploy legal technology platforms to document your AI workflows, map affected individuals' rights, and build opt-out mechanisms into your products well before the deadline arrives.
Frequently Asked Questions
What does the new 2026 CPPA rulemaking mean for California employees and job applicants who want to protect their privacy?
The CPPA's April 20, 2026 preliminary rulemaking explores whether employees and job applicants should have stronger, more clearly written CCPA rights in the workplace context. The agency is asking seven specific questions about whether current privacy notice language works for employment settings and what barriers prevent workers from exercising rights like data access and deletion. If formal rules follow—likely no earlier than 2027—employers may need to overhaul their HR privacy notices, add new worker rights disclosures, and create internal workflows for responding to staff data requests. AI legal tools that automate rights-request tracking and notice generation are already being used by larger employers to prepare for this possibility.
How do the January 2026 CCPA cybersecurity audit requirements affect small and mid-size businesses in California?
The new cybersecurity audit rules apply to businesses at every revenue level, with staggered deadlines: over $100 million by April 1, 2028; $50 million to $100 million by April 1, 2029; and under $50 million by April 1, 2030. Smaller businesses have more time, but they still need to build audit-ready documentation infrastructure well before their deadline. Think of a cybersecurity audit like a tax audit—the records need to exist before the auditor arrives, not be assembled afterward. Legal software with documentation templates and compliance tracking features is a practical starting point for businesses without large privacy teams.
Is California's CCPA now basically the same as Europe's GDPR after the 2026 regulatory updates?
It is closer than ever, though not identical. Privacy counsel at Wiley Law observed that the finalized ADMT and cybersecurity audit rules signal California is "moving closer to a GDPR-style accountability framework." Both regimes now require documented risk assessments, some form of algorithmic transparency, and individual rights over automated decisions. However, GDPR (the EU's General Data Protection Regulation) differs from CCPA in scope, how it handles cross-border data transfers, and the size of penalties it can impose (GDPR fines can reach 4% of global annual revenue). Companies operating in both markets should work with counsel experienced in both frameworks rather than assuming the rules are interchangeable.
What is the CPPA's DROP platform and does it create obligations for my business if we are not a registered data broker?
DROP stands for DELETE Request and Opt-Out Platform—a system launched by the CPPA in January 2026 that allows consumers to submit deletion and opt-out requests to data brokers in a single place. Starting August 1, 2026, registered data brokers must access the platform at least once every 45 days and process any requests received through it. If your business is not a registered data broker, DROP's direct obligations do not apply to you. However, if you share customer data with third-party data brokers as part of your advertising or analytics stack, you may face indirect exposure. AI legal tools that map your data-sharing relationships can quickly identify whether any of your partners fall under DROP's requirements—and whether those relationships need to be disclosed or restructured.
Can AI tools and legal software actually help my company prepare for the CCPA ADMT deadline before January 2027?
Yes—and many businesses are already deploying them for exactly this purpose. Contract review platforms can scan vendor agreements for data-processing clauses that trigger ADMT obligations, flagging gaps before regulators do. Legal software suites built for privacy compliance can auto-generate risk assessment templates, identify high-risk AI use cases within your product stack, and produce audit-ready documentation on demand. Law firm automation tools are being used to monitor CPPA regulatory updates in real time, so your compliance team is notified when new guidance drops rather than discovering it after a violation notice arrives. The core principle: start the documentation work now. Waiting until late 2026, when the January 2027 deadline is imminent, leaves no margin for the remediation that almost always follows a serious audit.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Please consult a qualified attorney for guidance specific to your situation.