California has finalized sweeping amendments to its privacy regulations under the California Consumer Privacy Act (CCPA), introducing new compliance obligations for businesses. These changes, approved by the California Privacy Protection Agency (CPPA) and effective January 1, 2026, significantly expand requirements around risk assessments, automated decision-making technology (ADMT), and cybersecurity audits.

This article provides a comprehensive overview of what’s changing, why it matters, and how businesses, especially executives responsible for privacy and cybersecurity, should prepare.

Key Compliance Deadlines

• January 1, 2026: Risk Assessment requirements take effect for high-risk processing activities.
• January 1, 2027: ADMT compliance obligations begin, including transparency and opt-out rights.
• April 1, 2028 onward: Cybersecurity audit certifications due, phased by revenue thresholds.

Risk Assessments: Starting January 1, 2026

Businesses subject to California’s privacy law must conduct Risk Assessments for high-risk processing activities. These assessments are not generic—they must include:

• Purpose and necessity of processing.
• Categories of personal data involved.
• Potential negative impacts on consumers.
• Benefits and safeguards implemented.

Executives must attest under penalty of perjury that the assessment is accurate and complete. Updates are required every three years or within 45 days of material changes. Risk Assessments must be retained for the later of:

• The duration of processing, or
• Five years after completion.

By April 1, 2028, businesses must submit to the CPPA:

• An attestation confirming completion of required assessments for 2026 and 2027.
• A summary report including prescribed details.

What Counts as High-Risk Processing?

Under the amended regulations, high-risk activities include:

• Selling or sharing personal information (including for targeted advertising).
• Processing sensitive personal information (e.g., financial account details, health data, racial/ethnic origin, religious beliefs, precise geolocation, government IDs, genetic data).
• Using Automated Decision-Making Technology (ADMT) for significant decisions (credit, housing, employment, healthcare).
• Extensive profiling or surveillance in workplaces, schools, or public spaces.
• Training AI or ADMT using personal data for identification, profiling, or generative models.

Automated Decision-Making Technology (ADMT): Compliance from January 1, 2027

Businesses using ADMT for significant decisions must:

• Provide Pre-Use Notices explaining how ADMT works and consumer rights.
• Offer opt-out mechanisms (with exceptions if human review and appeal rights exist).
• Implement governance for fairness and bias mitigation.
• Obtain opt-in consent when ADMT processes sensitive personal information.

Cybersecurity Audits: Annual Requirements Starting 2028

Businesses meeting certain thresholds must conduct annual independent cybersecurity audits:

• Revenue over \$100M: First audit report due April 1, 2028.
• Revenue \$50M–\$100M: Due April 1, 2029.
• Revenue under \$50M: Due April 1, 2030.

Audits must be evidence-based and cover:

• Authentication and encryption.
• Access controls.
• Incident response.
• Vendor oversight.

Executives responsible for cybersecurity must certify audit completion and remediation of gaps.

Why This Matters for Executives

Attestations for both Risk Assessments and Cybersecurity Audits are made under penalty of perjury. False or incomplete certifications can lead to:

• Personal liability.
• Civil penalties of up to $7,500 per violation.
• Enforcement actions targeting both the company and the signing executive.

Action Plan for Businesses

1. Identify high-risk processing activities now.
2. Build governance frameworks for future compliance.
3. Conduct and document Risk Assessments before processing.
4. Prepare for CPPA reporting deadlines (April 2028 onward).
5. Update:
   • Privacy Policies for transparency and ADMT disclosures.
   • Data Processing Agreements (DPAs) to require vendor cooperation with risk assessments and audits.

Other States with Similar Requirements

The following US states also impose a requirement to undertake Data Protection Assessments, generally for processing sensitive personal information or selling personal information:

Texas	Virginia	Colorado
Connecticut	Delaware	Florida
Montana	Iowa	Tennessee
Indiana (Starting Jan 01/26)	Oregon	New Jersey
Kentucky (Starting Jan 01/26)	Maryland	Minnesota
Nebraska	New Hampshire	Rhode Island (Starting Jan 01/26)

Need help navigating CCPA compliance obligations?

Reach out to our team for practical, up-to-date guidance tailored to your business.