California Adopts Hotly Debated Privacy Act Rulemaking Package

Charlyn Ho
CEO Rikka Law Group | Co-Founder Enzio.ai
September 22, 2025·Insights

What’s the current status of these monumental regulations and why are they relevant to businesses nationwide?

After nearly a full year of controversial deliberation and a window for public comments, the California Privacy Protection Agency (CPPA) unanimously adopted sweeping new rules pertaining to cybersecurity audits, risk assessments, and automated decisionmaking technology (ADMT).

The rules now sit before the California Office of Administrative Law (OAL) for review under the Administrative Procedure Act’s six standards for enforceable law. In its review, the OAL is likely to scrutinize the necessity, clarity, and authority of the new rules closely.

If ratified, this significant rulemaking package, which falls under the California Consumer Privacy Act (CCPA), will be implemented in phases. Effective dates and deadlines are:

  • ADMT regulations become effective January 1, 2027.
  • Deadlines for cybersecurity audits are based on company revenue tiers. For companies grossing more than $100 million in revenue, the deadline is April 1, 2028. The deadline extends to April 1, 2030, for companies generating less.
  • Compliant risk assessment reports must be submitted by April 21, 2028, although the deadline for companies engaged in high-risk activities may be sooner.

The phased implementation timeline reflects the CPPA's recognition of the substantial operational changes required for compliance. The staggered deadlines for cybersecurity audits based on revenue tiers acknowledge that larger organizations typically have greater resources to implement these requirements while smaller businesses need additional time to develop the necessary infrastructure and expertise.

The rules will have significant and swift implications for businesses that operate in California and could ultimately emerge as the new standard for the nation’s data privacy and security landscape. Most notably, California’s progressive regulations will require changes to cyber, risk, auditing, and ADMT protocols that were previously deemed acceptable.

The rules seem close to passing their final hurdle with OAL, so businesses nationwide would be wise to review and understand the implications and takeaways for their respective industries.

Legal Framework

For ADMT requirements, businesses must comply if they use automated decisionmaking technology, defined as “any technology that processes personal information and uses computation to replace human decisionmaking or substantially replace human decisionmaking.” Further, “substantially replace human decisionmaking” means that a business uses the technology’s output to make a decision without human involvement.

According to the rules, “human involvement” requires the human reviewer to:

  • Know how to interpret and use the technology’s output to make the decision;
  • Review and analyze the output of the technology, and any other information that is relevant to make or change the decision; and
  • Have the authority to make or change the decision based on their analysis in subsection (B).

Critically, the regulations specify that if a human reviews the technology's output and retains authority to make or alter the decision, the technology does not qualify as ADMT. Where a company does rely on ADMT, that is, without such human involvement, it must give consumers certain protections: clear notice that ADMT is being used, the option to opt out, and the opportunity to challenge or appeal ADMT decisions.

The ADMT provisions mandate human oversight when significant decisions are involved. A “significant decision” is one connected to financial or lending services, housing, education, employment, or healthcare.

The CPPA also updated some of the existing rules under the CCPA, such as:

  • Requiring that the number of steps to exercise rights through the “Do Not Sell or Share My Personal Information” link be the same as or fewer than the number of steps for submitting a request to opt in to the sale of personal information, where the business offers a link for consumers to learn more about opting in to the business’s sale or sharing of their personal information. While only minors under 16 are required to provide opt-in consent before sales can occur, this principle ensures that for all consumers, opting out remains at least as simple and accessible as opting in.
  • Toggles or buttons must clearly indicate the consumer’s choice. A consumer’s silence or failure to act affirmatively does not constitute consent.
  • The conspicuous link required under the CCPA must appear on any webpage that collects personal information, not only the homepage(s).

Here is a high-level breakdown of the most noteworthy waves of potential impact.

  • Proactive governance:
    The rules drive mandates forward for privacy-by-design and risk-by-design. Companies must think ahead about potential risks and plan accordingly.
  • Escalated risk definition:
    The rules dictate procedures for “significant risk.” Activities previously considered common may now fall into the “significant” category of risk under these new standards.
  • Transparency for increased consumer protections:
    The rules will enact new obligations for businesses to inform and educate consumers more overtly while providing provisions for them to opt out of or appeal automated systems.
  • Burdens of innovation:
    While the rules create new cost and operational burdens for companies, they also aim to create greater cushions and conveniences for businesses as they work to adopt new and emerging technologies.

In the absence of an overarching federal consumer privacy law, these developments from California and other states signal an increasing focus on data protection and consumer privacy rights at the state level. For businesses, this patchwork of data privacy regulations requires nuanced compliance strategies and operational adjustments tailored to the legal frameworks of each state. At the same time, the interaction between federal and state privacy laws remains somewhat uncertain, especially given the Administration’s recent effort to impose a moratorium on new state AI laws. While that initiative failed, similar proposals may resurface, adding further complexity to the regulatory landscape.

At Rikka, we are at the forefront of these regulatory changes, guiding companies to adapt and succeed in this evolving and challenging legal framework. Our team is always working quickly to decode legal developments so we can offer sophisticated, tailored solutions to our clients. Contact us today to ensure your company is prepared for these changes.