States across the country are enacting privacy laws that regulate how businesses handle consumers’ personal data and digital information, in hopes of giving consumers greater control over their data.
In 2025, privacy laws in Delaware, Iowa, Minnesota, Nebraska, New Hampshire, New Jersey, and Tennessee took effect. Maryland, Indiana, Kentucky, and Rhode Island will follow in 2026. These laws require companies to be more transparent about how they collect, use, and share personal data. In some cases, consumers now have the right to delete their data, opt into sharing data, or prevent companies from selling consumer personal data.
Here in California, new rules have also been approved under the California Consumer Privacy Act (CCPA). The California Privacy Protection Agency (CPPA) recently finalized regulations that strengthen consumer rights and set higher standards for businesses. These regulations fall into three main categories:
Automated Decision-Making Technology (ADMT)
ADMT is defined as technology that processes personal information to replace, or substantially replace, human decision-making. Businesses using ADMT to make business decisions about hiring, housing, financial services, educational opportunities, or healthcare must:
- Provide clear notice to consumers, explaining how the ADMT works (logic, purpose, consequences).
- Offer an opt-out option, with at least two methods to submit a request.
- Allow consumers to appeal ADMT-based decisions.
Deadlines: Compliance must be met before January 1, 2027.
Risk Assessments
A risk assessment is the process of identifying potential threats, evaluating how likely they are to occur, and analyzing their potential impact.
Businesses must perform regular risk assessments when data processing activities pose significant privacy or security risks. This includes the selling or processing of personal information, the use of ADMT, and using automated processing to infer a consumer’s decision making and behaviors. Businesses must update these assessments at least every three years and submit a summary report to the CPPA.
Deadlines: Businesses will have until December 31, 2027 to complete their risk assessments, with the first summary reports due to the CPPA by April 1, 2028.
Cybersecurity Audits
When handling large amounts of consumer data, businesses must also conduct independent cybersecurity audits to ensure their systems meet security standards. The cybersecurity audits must be done by a qualified and objective auditor, who can be internal or external to the organization. The audit must include:
- An overview of audited systems and data environments
- An evaluation of cybersecurity programs aligned with industry standards for “reasonable security”
- A gap analysis and remediation actions
- A breach and incident review for the audit period
Deadlines:
- Businesses with annual revenue over $100 million: first audit due by April 1, 2028 (for 2027 activities).
- All other covered businesses must complete audits on a staggered schedule, with full compliance by April 1, 2030.
While these laws primarily regulate businesses, they’re designed to protect consumers like you. The ability to control how your data is handled and sold gives individuals a greater say in how their digital footprint is managed. As faculty, researchers, and members of the UCSB community, understanding these rights can help you make informed choices when interacting with companies, apps, and online services.
Don’t forget to check out UCSB’s lineup of UCCAM events this month! Students, staff, faculty, family, and friends are all encouraged to join and learn. The UC Cyber Champions group also has a full list of systemwide events occurring throughout October. We appreciate your engagement and hope you stay cyber safe!
Additional Resources:
- California Finalizes New CPPA Regulations
- CPPA Board Finalizes New Rules on ADMT, Cybersecurity Audits, and Risk Assessments
- California Finalizes CCPA Regulation Amendments: New Compliance Obligations for Cybersecurity, Risk Assessments, and Automated Decision-Making
- CPPA Approves New CCPA Regulations on AI, Cybersecurity, and Risk Governance, and Advances Updated Data Broker Regulations