---
title: "CCPA / CPRA and Voice Biometrics for Healthcare AI in California, 2026"
description: "January 1, 2026 turned on California's risk assessments, cybersecurity audits, and ADMT regulations. Voice biometrics and health information are sensitive personal information under CPRA — here is what AI voice must do."
canonical: https://callsphere.ai/blog/vw5f-ccpa-cpra-voice-biometric-healthcare-california-2026
category: "AI Strategy"
tags: ["CCPA", "CPRA", "Voice Biometric", "California", "Healthcare AI"]
author: "CallSphere Team"
published: 2026-03-23T00:00:00.000Z
updated: 2026-05-07T16:29:56.191Z
---

# CCPA / CPRA and Voice Biometrics for Healthcare AI in California, 2026

> January 1, 2026 turned on California's risk assessments, cybersecurity audits, and ADMT regulations. Voice biometrics and health information are sensitive personal information under CPRA — here is what AI voice must do.

> California treats voice biometrics and health data as sensitive personal information. From January 1, 2026 the CCPA also turns on risk assessments, cybersecurity audits, and ADMT obligations — an AI voice agent in healthcare touches all three.

## What the rule says

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), defines sensitive personal information (SPI) at Cal. Civ. Code § 1798.140(ae). The category includes biometric information processed for the purpose of uniquely identifying a consumer (voiceprint included), health information not otherwise covered by HIPAA, and account-access credentials. CPRA gives consumers the right to limit use and disclosure of SPI under § 1798.121.

The California Privacy Protection Agency (CPPA) finalized regulations effective January 1, 2026 covering risk assessments, cybersecurity audits, and automated decision-making technology (ADMT). Risk assessments are required for processing presenting significant risk to consumer privacy, cybersecurity audits must follow defined methodology and be conducted by a qualified auditor, and ADMT regulations bring transparency, opt-out, and access rights to algorithmic decisions including AI-assisted clinical and administrative decisions where HIPAA does not preempt.

HIPAA preempts where it applies to "protected health information" held by a covered entity or business associate. SPI handled outside HIPAA scope — for example, voice marketing leads, intake before a treatment relationship, payment information — falls under CCPA/CPRA.

## What AI voice/chat must do

Treat voiceprints, voice-derived health signals, and recorded audio as SPI when they identify a consumer. Provide a "Limit the Use of My Sensitive Personal Information" link wherever required. Honor Global Privacy Control signals as opt-outs of sale and sharing. For ADMT — a triage classifier, lead scorer, sentiment-based routing — provide pre-use notice, an opt-out where required, and an access right to meaningful information about the logic. Run risk assessments on processing that combines voiceprints with profiling. Run cybersecurity audits if revenue thresholds and processing volume trigger them.

## CallSphere compliance posture

CallSphere is HIPAA and SOC 2 aligned. The Healthcare Voice Agent's 14 tools and post-call analytics live on the encrypted PostgreSQL `healthcare_voice` database — column-level encryption for direct identifiers, AES-256 at rest, TLS 1.3 in transit, KMS rotation every 90 days. Voiceprint generation is off by default; tenants opt in with consent capture. The audit trail captures every ADMT decision, model version, and feature contribution so a CCPA access request can be answered without engineering work. The platform powers 37 agents, 90+ tools, 115+ DB tables, 6 verticals, 50+ businesses at 4.8/5. Pricing $149 / $499 / $1,499; [14-day trial](/trial); 22% affiliate. California healthcare deployments anchor at [/industries/healthcare](/industries/healthcare); behavioral-health groups deploy through [/lp/behavioral-health](/lp/behavioral-health).

```mermaid
flowchart LR
A[CA Caller] --> B[Consent Capture]
B --> C{HIPAA\nPHI?}
C -- Yes --> D[HIPAA path]
C -- No --> E[CPRA SPI path]
E --> F[ADMT Notice]
F --> G[Opt-Out + GPC]
G --> H[Risk Assessment]
H --> I[Cyber Audit]
```

## Compliance checklist

1. Inventory voiceprints, voice-derived signals, and audio with identifiers; tag each as SPI where applicable.
2. Disable voiceprint generation by default and require explicit consent to enable.
3. Publish a Limit-the-Use-of-My-SPI link and honor it within timelines.
4. Detect and honor GPC signals on web and chat surfaces.
5. Stand up an ADMT inventory with logic-level descriptions per CPPA guidance.
6. Provide pre-use ADMT notice and opt-out where required.
7. Run risk assessments on each combination of SPI + profiling + ADMT.
8. Engage a qualified auditor for the annual cybersecurity audit if thresholds are met.
9. Sign SPAs/DPAs with every voice or AI sub-processor.
10. Train support staff to recognize and route SPI access requests within 45 days.
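
As an added illustration of checklist items 2 through 4 (not CallSphere's code), the sketch below derives per-request processing flags on a web or chat backend. `Sec-GPC: 1` is the request header defined by the Global Privacy Control specification; the `prefs` record, its field names, and the choice to block voiceprinting whenever the SPI limit is set are assumptions made for this example.

```javascript
'use strict';

// Sec-GPC is the request header defined by the Global Privacy Control
// specification; only the literal value "1" expresses the opt-out.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== 'sec-gpc') continue; // header names are case-insensitive
    const first = Array.isArray(value) ? value[0] : value;
    return String(first).trim() === '1';
  }
  return false;
}

// prefs is a hypothetical stored consumer record (field names are assumptions):
//   optedOutOfSale    - earlier opt-out of sale/sharing
//   limitSpi          - consumer used the "Limit the Use of My SPI" link
//   voiceprintConsent - explicit opt-in captured for voiceprint generation
function processingDecision(headers, prefs = {}) {
  const gpc = hasGpcSignal(headers);
  const limitSpi = prefs.limitSpi === true;
  return {
    gpcDetected: gpc,
    // GPC is honored as an opt-out of sale and sharing, as is a stored opt-out.
    allowSaleOrShare: !gpc && prefs.optedOutOfSale !== true,
    // Off by default: anything other than an explicit true keeps it disabled.
    // Blocking it when limitSpi is set is this example's conservative choice.
    allowVoiceprint: prefs.voiceprintConsent === true && !limitSpi,
  };
}

// Constructed sample requests (not real traffic).
const samples = [
  [{ 'Sec-GPC': '1' }, { voiceprintConsent: true }],
  [{ 'sec-gpc': '0' }, {}],
  [{}, { voiceprintConsent: 'yes' }],
  [{ 'sec-gpc': ['1'] }, { voiceprintConsent: true, limitSpi: true }],
];
for (const [headers, prefs] of samples) {
  console.log(JSON.stringify(processingDecision(headers, prefs)));
}
```

Values such as `0` or `true` in the header are not treated as a signal, and a non-boolean consent value leaves voiceprinting disabled.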

## FAQ

**If we are a HIPAA covered entity, is CCPA out of scope?**
Only for PHI. Marketing, sales, and pre-treatment intake are typically outside HIPAA and inside CCPA.

**Are voiceprints always biometric SPI?**
Yes, when used to uniquely identify a consumer. Disable voiceprinting if you do not need it.

**Does ADMT cover lead scoring?**
Yes, if the score materially affects an opportunity, service, or experience.

**What about employee voice data?**
California's employee CCPA carve-out expired in 2023; employee SPI is in scope.

## Sources

- CCPA — California Attorney General: [https://oag.ca.gov/privacy/ccpa](https://oag.ca.gov/privacy/ccpa)
- California Civil Code § 1798.140 — definitions: [https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.140](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.140)
- CPPA — Risk Assessments, Cybersecurity, ADMT regulations: [https://cppa.ca.gov/regulations/](https://cppa.ca.gov/regulations/)
- California Civil Code § 1798.121 — limit use of SPI: [https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.121](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.121)
- California AG advisory on consumer privacy: [https://oag.ca.gov/privacy](https://oag.ca.gov/privacy)

