Prepare for Impact: CCPA Risk Assessment Regulations Now in Effect

February 23, 2026

By Josh Arkulary

New California privacy regulations governing privacy risk assessments took effect on January 1, 2026, and the clock is ticking toward critical enforcement deadlines on December 31, 2027, and April 1, 2028. Ever since the California Privacy Protection Agency’s (CPPA) regulations took effect, California has been aggressively enforcing its comprehensive privacy law as discussed in our prior analysis of California’s evolving privacy enforcement landscape. We expect enforcement of the new regulations to accelerate in 2026 and beyond.

The Mandate: Critical Deadlines, Criteria, and Preparedness

These regulations were promulgated under the California Privacy Rights Act and California Consumer Privacy Act (collectively, “CCPA”). The CCPA’s finalized rules build upon previous regulations, requiring impacted companies to take a more proactive approach to risk management. This evolution of the CCPA shares DNA with global standards like the European Union’s General Data Protection Regulation (GDPR) and other laws, including GDPR’s data protection impact assessments (DPIAs), but with a California-specific approach.

January 1, 2026, also marked the effective date of new CCPA requirements addressing cybersecurity audits and automated decision-making technology (ADMT), further reinforcing California’s move toward proactive privacy and security oversight.

What To Do

As of January 1, 2026, the CCPA requires businesses to complete a risk assessment before initiating any personal information processing activity involving “significant risk.” See 11 CCR § 7150(a). Businesses must be prepared to demonstrate compliance, as either the CPPA or the California Attorney General, each of which is tasked with CCPA enforcement, may request a copy of a risk assessment at any time. Upon request, the business must provide the assessment within 30 days.

Conducting a prior evaluation of significant risk processing and completing risk assessments are critical not only for timely compliance, but also for ensuring readiness for future reporting obligations. To prepare for enforcement and to complete risk assessments, businesses should proactively review all data processing activities to identify, inventory, and “map” any processing that meets the significant risk threshold. These may include activities involving the sale or sharing of personal information, ADMT activities, or the processing of sensitive personal information.

Key Dates

  • January 1, 2026: All in-scope businesses must complete risk assessments for any new significant risk processing activities initiated on or after this date.
  • December 31, 2027: Risk assessments must be completed for significant risk processing activities initiated prior to January 1, 2026, that have continued thereafter.
  • April 1, 2028: All in-scope businesses must submit their first annual certification and required risk assessment documentation to the CPPA.

When Is a Risk Assessment Required?

Not all data processing requires a formal assessment. The CCPA’s “significant risk” threshold may be met if a business engages in certain processing activities, such as:

  • Selling or sharing personal information, including the use of third-party ad-tech and pixels for targeted advertising.
  • Processing sensitive personal information, such as precise geolocation, biometric data, or health information.
  • Automated decision-making technology (ADMT) that uses personal information to make a “significant decision” concerning a consumer’s employment, finances, or health in a manner that replaces human decision-making.
  • Systematic monitoring, including profiling employees or consumers in public, work, or educational settings.

What Is a Risk Assessment Under the New Regulations?

A CCPA risk assessment is designed to answer an overarching question: Do the risks to consumers’ privacy from the processing outweigh the benefits of the proposed processing activity for the consumer, the business, other stakeholders, and the public? To answer that question, businesses must evaluate the nature and impact of the processing and expressly document whether they will proceed with, modify, or decline the activity based on the assessment. At a high level, the risk assessment analysis focuses on considerations such as:

  • The purpose and necessity of the processing, including whether it is reasonably necessary and proportionate to the stated business objective.
  • The categories of personal information processed, including whether sensitive personal information is involved.
  • The scope and context of the processing, such as the affected populations and the use of novel or emerging technologies.
  • Reasonably foreseeable privacy risks and related harms to consumers.
  • The benefits of the processing and how those benefits compare to the identified privacy risks.
  • Safeguards and mitigation measures implemented to reduce risks and protect personal information.
  • Any residual risk after mitigation and whether remaining risks are acceptable in light of the benefits.
  • The final outcome and documented decision to proceed with, modify, or decline the processing.

Taken together, the extent and depth of these considerations reinforce that a risk assessment is meant to function as a substantive decision-making tool to support the CCPA’s risk/benefit balancing determination.

“These assessments are not only required under the new CCPA regulations but are valuable because they force organizations to take a hard look at how their data practices align with their business goals and risk tolerance. Under the CCPA, privacy risk assessments help companies identify gaps and demonstrate responsible data stewardship now, while also laying groundwork that can support compliance efforts down the road and in other jurisdictions.”
- Josh Arkulary, Associate Attorney

How Gardner Law Can Help

If you have questions about the CCPA’s new risk assessment requirements or other privacy matters, or if you need experienced counsel to help design, enhance, or implement privacy or AI governance programs, contact Gardner Law. Our attorneys have deep experience advising drug and device manufacturers of all sizes on both commercial and pre-commercial privacy, AI, and cybersecurity matters.