AI Strategy

CCPA / CPRA and Voice Biometrics for Healthcare AI in California, 2026

On January 1, 2026 California's regulations on risk assessments, cybersecurity audits, and automated decision-making technology (ADMT) took effect. Voice biometrics and health information are sensitive personal information under CPRA; here is what an AI voice agent must do.

California treats voice biometrics and health data as sensitive personal information. The CPPA regulations on risk assessments, cybersecurity audits, and ADMT took effect January 1, 2026, and an AI voice agent in healthcare touches all three.

What the rule says

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), defines sensitive personal information (SPI) at Cal. Civ. Code § 1798.140(ae). The category includes biometric information processed for the purpose of uniquely identifying a consumer (voiceprint included), health information not otherwise covered by HIPAA, and account-access credentials. CPRA gives consumers the right to limit use and disclosure of SPI under § 1798.121.

The California Privacy Protection Agency (CPPA) finalized regulations, effective January 1, 2026, covering risk assessments, cybersecurity audits, and automated decision-making technology (ADMT). Risk assessments are required before processing that presents significant risk to consumer privacy; cybersecurity audits must follow the defined methodology and be performed by a qualified, independent auditor; and the ADMT rules bring pre-use notice, opt-out, and access rights to significant decisions made with ADMT, which include decisions about healthcare services, where the processing falls outside the HIPAA exemption. The obligations phase in: ADMT compliance is required from January 1, 2027, the first risk-assessment attestations are due to the CPPA in April 2028, and the first cybersecurity audit reports are due from April 2028 onward, staggered by annual revenue.


HIPAA does not preempt the CCPA; rather, the CCPA exempts protected health information (PHI) held by a HIPAA covered entity or business associate (Cal. Civ. Code § 1798.145(c)). SPI handled outside that scope, for example voice marketing leads, intake before a treatment relationship exists, or payment information, falls under CCPA/CPRA.

What AI voice/chat must do

Treat voiceprints, voice-derived health signals, and recorded audio as SPI whenever they identify a consumer. Provide a "Limit the Use of My Sensitive Personal Information" link wherever required and act on limit requests within 15 business days. Honor Global Privacy Control (GPC) signals as opt-outs of sale and sharing on web and chat surfaces. For ADMT (a triage classifier, a lead scorer, sentiment-based routing) provide pre-use notice, an opt-out where required, and an access right to meaningful information about the logic, including the model version and the key factors behind the decision. Run a risk assessment before processing that combines voiceprints with profiling. Run cybersecurity audits if revenue and processing-volume thresholds trigger them.
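How a web or chat surface detects a GPC signal and applies it as an opt-out, as an added example that is not CallSphere code and not part of the original page. The GPC specification itself defines the HTTP request header `Sec-GPC: 1` and the browser property `navigator.globalPrivacyControl`; the consumer preference record, its field names, and the conflict flag are assumptions made for illustration.

```javascript
// Added example (not CallSphere code): detect a Global Privacy Control signal
// and apply it as a CCPA opt-out of sale/sharing.
// The GPC spec sends the HTTP request header "Sec-GPC: 1"; in the browser the
// same preference is exposed as navigator.globalPrivacyControl === true.
// The record shape and field names below are assumptions for illustration.

// Case-insensitive header lookup; "1" is the only value the spec defines as opt-out.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      const v = Array.isArray(value) ? value[0] : value;
      return String(v).trim() === '1';
    }
  }
  return false;
}

// Browser-side check for chat widgets; safe when no navigator exists (plain Node).
function gpcFromNavigator(nav = typeof navigator !== 'undefined' ? navigator : undefined) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Apply the signal to a consumer preference record. The signal is processed as a
// valid opt-out even when the consumer previously opted in; the conflict is flagged
// so the business can notify the consumer, and the source and time are kept for audit.
function applyOptOutSignal(record, signalPresent, now = new Date()) {
  if (!signalPresent) return record;           // no signal: preferences unchanged
  const previouslyOptedIn = record.optOutSaleShare === false && record.optInSource === 'explicit';
  return {
    ...record,
    optOutSaleShare: true,
    optOutSource: 'gpc',
    optOutAt: now.toISOString(),
    conflictWithPriorOptIn: previouslyOptedIn,
  };
}

// Constructed sample request headers and consumer record (hypothetical data).
const sampleHeaders = { Host: 'chat.example.test', 'Sec-GPC': '1', 'User-Agent': 'demo' };
const sampleRecord = { consumerId: 'c-123', optOutSaleShare: false, optInSource: 'explicit' };

// Server-side header check first, browser property as a fallback on the client.
function demo() {
  const signal = gpcFromHeaders(sampleHeaders) || gpcFromNavigator();
  return applyOptOutSignal(sampleRecord, signal, new Date('2026-01-15T00:00:00Z'));
}

console.log(JSON.stringify(demo(), null, 2));
```

The header check belongs on every request that could sell or share data, not only on the page that renders the privacy link, because GPC is sent with every request from an enabled browser.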

CallSphere compliance posture

CallSphere is HIPAA and SOC 2 aligned. The Healthcare Voice Agent's 14 tools and post-call analytics live in the encrypted PostgreSQL healthcare_voice database: column-level encryption for direct identifiers, AES-256 at rest, TLS 1.3 in transit, and KMS key rotation every 90 days. Voiceprint generation is off by default; tenants opt in with consent capture. The audit trail records every ADMT decision with its model version and feature contributions, so a CCPA access request can be answered without engineering work. The platform powers 37 agents, 90+ tools, 115+ DB tables, 6 verticals, and 50+ businesses at 4.8/5. Pricing $149 / $499 / $1,499; 14-day trial; 22% affiliate. California healthcare deployments anchor at /industries/healthcare; behavioral-health groups deploy through /lp/behavioral-health.

flowchart LR
A[CA Caller] --> B[Consent Capture]
B --> C{HIPAA\nPHI?}
C -- Yes --> D[HIPAA path]
C -- No --> E[CPRA SPI path]
E --> F[ADMT Notice]
F --> G[Opt-Out + GPC]
G --> H[Risk Assessment]
H --> I[Cyber Audit]

Compliance checklist

  1. Inventory voiceprints, voice-derived signals, and audio with identifiers; tag each as SPI where applicable.
  2. Disable voiceprint generation by default and require explicit consent to enable.
  3. Publish a Limit-the-Use-of-My-SPI link and act on limit requests within 15 business days.
  4. Detect and honor GPC signals on web and chat surfaces.
  5. Stand up an ADMT inventory with logic-level descriptions per CPPA guidance.
  6. Provide pre-use ADMT notice and opt-out where required.
  7. Run risk assessments on each combination of SPI + profiling + ADMT.
  8. Engage a qualified auditor for the annual cybersecurity audit if thresholds are met.
  9. Sign service provider agreements (SPAs) or data processing agreements (DPAs) with every voice or AI sub-processor.
  10. Train support staff to recognize SPI access requests and route them so they are answered within the 45-day CCPA deadline.

FAQ

If we are a HIPAA covered entity, is CCPA out of scope? Only for PHI. Marketing, sales, and pre-treatment intake are typically outside HIPAA and inside CCPA.


Are voiceprints always biometric SPI? Yes when used to uniquely identify a consumer. Disable voiceprinting if you do not need it.

Does ADMT cover lead scoring? It can. The ADMT rules apply when the technology replaces or substantially replaces human decision-making for a significant decision about the consumer, and decisions about healthcare services are significant decisions. A score that determines whether a caller is offered an appointment or a service is in scope; scoring used only to prioritize marketing outreach generally is not.

What about employee voice data? California's employee CCPA carve-out expired in 2023; employee SPI is in scope.
