By Sagar Shankaran, Founder of CallSphere
January 1, 2026 turned on California's risk assessments, cybersecurity audits, and ADMT regulations. Voice biometrics and health information are sensitive personal information under CPRA — here is what AI voice must do.
Key takeaways
California treats voice biometrics and health data as sensitive personal information. From January 1, 2026 the CCPA also turns on risk assessments, cybersecurity audits, and ADMT obligations — an AI voice agent in healthcare touches all three.
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), defines sensitive personal information (SPI) at Cal. Civ. Code § 1798.140(ae). The category includes biometric information processed for the purpose of uniquely identifying a consumer (voiceprint included), health information not otherwise covered by HIPAA, and account-access credentials. CPRA gives consumers the right to limit use and disclosure of SPI under § 1798.121.
The California Privacy Protection Agency (CPPA) finalized regulations effective January 1, 2026 covering risk assessments, cybersecurity audits, and automated decision-making technology (ADMT). Risk assessments are required for processing presenting significant risk to consumer privacy, cybersecurity audits must follow defined methodology and be conducted by a qualified auditor, and ADMT regulations bring transparency, opt-out, and access rights to algorithmic decisions including AI-assisted clinical and administrative decisions where HIPAA does not preempt.
Hear it before you finish reading
Talk to a live CallSphere AI voice agent in your browser — 60 seconds, no signup.
HIPAA preempts where it applies to "protected health information" held by a covered entity or business associate. SPI handled outside HIPAA scope — for example, voice marketing leads, intake before a treatment relationship, payment information — falls under CCPA/CPRA.
Treat voiceprints, voice-derived health signals, and recorded audio as SPI when they identify a consumer. Provide a "Limit the Use of My Sensitive Personal Information" link wherever required. Honor Global Privacy Control signals as opt-outs of sale and sharing. For ADMT — a triage classifier, lead scorer, sentiment-based routing — provide pre-use notice, an opt-out where required, and an access right to meaningful information about the logic. Run risk assessments on processing that combines voiceprints with profiling. Run cybersecurity audits if revenue thresholds and processing volume trigger them.
CallSphere is HIPAA and SOC 2 aligned. The Healthcare Voice Agent's 14 tools and post-call analytics live on the encrypted PostgreSQL healthcare_voice database — column-level encryption for direct identifiers, AES-256 at rest, TLS 1.3 in transit, KMS rotation every 90 days. Voiceprint generation is off by default; tenants opt in with consent capture. The audit trail captures every ADMT decision, model version, and feature contribution so a CCPA access request can be answered without engineering work. The platform powers 37 agents, 90+ tools, 115+ DB tables, 6 verticals, 50+ businesses at 4.8/5. Pricing $149 / $499 / $1,499; 14-day trial; 22% affiliate. California healthcare deployments anchor at /industries/healthcare; behavioral-health groups deploy through /lp/behavioral-health.
flowchart LR
A[CA Caller] --> B[Consent Capture]
B --> C{HIPAA\nPHI?}
C -- Yes --> D[HIPAA path]
C -- No --> E[CPRA SPI path]
E --> F[ADMT Notice]
F --> G[Opt-Out + GPC]
G --> H[Risk Assessment]
H --> I[Cyber Audit]
If we are a HIPAA covered entity, is CCPA out of scope? Only for PHI. Marketing, sales, and pre-treatment intake are typically outside HIPAA and inside CCPA.
Still reading? Stop comparing — try CallSphere live.
CallSphere ships complete AI voice agents per industry — 14 tools for healthcare, 10 agents for real estate, 4 specialists for salons. See how it actually handles a call before you book a demo.
Are voiceprints always biometric SPI? Yes when used to uniquely identify a consumer. Disable voiceprinting if you do not need it.
Does ADMT cover lead scoring? Yes if the score materially affects an opportunity, service, or experience.
What about employee voice data? California's employee CCPA carve-out expired in 2023; employee SPI is in scope.
Written by
Sagar Shankaran· Founder, CallSphere
Sagar Shankaran is the founder of CallSphere, where he builds production AI voice and chat agents deployed across healthcare, hospitality, real estate, and home services. He writes about agentic AI, LLM engineering, and shipping voice agents that handle real calls in production.
See how AI voice agents work for your industry. Live demo available -- no signup required.
AWS HealthScribe became the open scribe layer EHR vendors built on top of in 2026. Here's the API surface, the per-encounter pricing, the BAA terms.
The April 5 to May 5 2026 vertical voice AI cycle reset the buyer playbook for SMB and mid-market. Pricing patterns, integration depth, vendor selection, and the build-vs-buy line.
Apollo, Manipal, and Narayana scaled AI agents across Bangalore in 2026. Here's the deployments across radiology, intake, and follow-up, the costs.
Notable's AI agents now handle scheduling, intake, and revenue cycle for 6,000+ clinics in 2026. Here's the multi-agent architecture, the per-clinic pricing.
Abridge raised $250M in April 2026 at a $2.7B valuation. We break down the deployment numbers, the EHR integrations across Epic and Cerner. The Q2 2026 buyer briefing.
Enterprise CIO Guide perspective on Hippocratic AI's deployment numbers show healthcare voice agents are moving from pilot to production across major US health systems.
© 2026 CallSphere LLC. All rights reserved.