Long-Delayed Wave of CCPA Regulations Starts Crashing to Corporate Shores

Vedder

As of January 1, 2026, a revised and expanded set of regulations under the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (CCPA) is officially in effect. Promulgated by the California Privacy Protection Agency (CPPA) and approved by the Office of Administrative Law, these regulations represent the most detailed articulation to date of how California expects businesses to operationalize privacy compliance.[1] While the regulations are now effective, not every obligation requires immediate implementation. Several of the most complex requirements, most notably those governing automated decision-making technology (ADMT), risk assessments, and cybersecurity audits, are subject to future compliance deadlines extending into 2027 and beyond. Nevertheless, understanding which requirements apply today, versus those that require near-term preparation, is critical for businesses and their counsel as enforcement expectations continue to evolve.

Enforcement Focus on Accountability and Operational Practices

Importantly, the 2026 regulations don’t alter the CCPA’s core statutory rights. Instead, they clarify expectations regarding accountability, documentation, and technical execution. The CPPA has made clear that privacy compliance is no longer viewed as a policy exercise alone, but as an ongoing governance function that must be demonstrable, auditable, and operationally embedded.[2] This maturation of the regulatory framework is significant because enforcement is expected to focus less on formalistic compliance and more on whether a business’s actual data practices align with its public representations, internal controls, and risk management processes. In essence, what a business does with personal information matters more than what its policies say it does.

Immediate Consumer Transparency and Notice Obligations

Several obligations became operative January 1, with a particular emphasis on consumer-facing transparency and choice. Businesses must now provide clear confirmation when a consumer’s request to opt out of the sale or sharing of personal information has been honored, including requests submitted through the Global Privacy Control signal.[3] Opt-out mechanisms may not require more steps than opting in, and passive actions, such as closing a cookie banner without making an affirmative selection, cannot be treated as consent.[4]

In addition, privacy policies must more specifically describe the categories of personal information disclosed to service providers and contractors for business purposes during the preceding 12 months, increasing enforcement risk for generic or boilerplate disclosures.[5] Mobile applications must include a direct link to the applicable privacy policy within the app’s settings, and connected devices, including IoT, AR, and VR environments, must provide required notices before or at the point of collection.[6] These requirements are enforceable now and focus squarely on how consumers experience and exercise their rights in practice.

Sensitive Personal Information and Protections for Minors

The regulations also clarify and expand the treatment of sensitive personal information. Notably, personal information relating to consumers under the age of 16 is expressly treated as sensitive personal information, even when it would not otherwise fall within an enumerated sensitive category.[7] This clarification heightens compliance expectations for businesses that interact with minors, including through online services, educational platforms, and advertising technologies, and underscores California’s continued emphasis on heightened protections for younger consumers.

Automated Decision-Making, Risk Assessments, and Future Compliance Obligations

One of the most consequential additions to the regulatory framework concerns ADMT. The regulations define ADMT broadly to include systems that use computation to replace or substantially replace human decision-making.[8] Where ADMT is used to make decisions that produce legal or similarly significant effects, such as decisions relating to employment, credit, housing, education, or access to essential services, businesses will be required to provide enhanced disclosures, meaningful opt-out rights, and access to information about how those decisions are made.[9] Although these rules were effective as of January 1, 2026, the compliance deadline for existing uses of ADMT is January 1, 2027. Businesses deploying new ADMT systems on or after that date must comply at the time of deployment, reflecting California’s expectation that 2026 serve as a preparation period rather than a grace period.[10]

The regulations also formalize risk assessments as a central compliance obligation for higher-risk processing activities. Covered activities include selling or sharing personal information, processing sensitive personal information, using ADMT for significant decisions, and engaging in extensive profiling.[11] Businesses must conduct risk assessments before initiating such processing. While the obligation to perform assessments is effective now, businesses are not required to submit annual summaries of risk assessments to the CPPA until 2027.[12] Significantly, the regulations require submission of summary attestations rather than full assessments, while preserving the Agency’s authority to request complete documentation on short notice. California’s approach underscores the expectation that risk assessments be substantive, contemporaneous, and defensible.

Cybersecurity, Vendor Governance, and Organizational Readiness

Another notable development is the introduction of mandatory cybersecurity audits for businesses whose processing of personal information presents significant security risk.[13] Although the audit requirement is effective in 2026, certification deadlines are phased based on revenue thresholds. Businesses with annual gross revenues exceeding one hundred million dollars must submit audit certifications beginning April 1, 2028, with later deadlines applicable to smaller businesses.[14] These audits must be independent, evidence-based, and tailored to the business’s size and complexity, requiring cybersecurity measures that are commensurate with the risk of unauthorized access or disclosure of personal information and the operational and legal consequences that follow.

Finally, the regulations reinforce strict distinctions between businesses, service providers, and contractors. Contractual language alone is no longer sufficient. Businesses must ensure that downstream entities process personal information only within the permitted scope and that appropriate oversight mechanisms are in place.[15] In practice, this places renewed emphasis on vendor management, data mapping, and internal governance structures that reflect operational reality rather than theoretical compliance.

Takeaways

Ultimately, the 2026 CCPA regulations function as a roadmap for how enforcement is expected to unfold now and over the next several years. Businesses should prioritize immediate compliance with consumer-facing requirements while using 2026 to inventory higher-risk processing activities, assess ADMT usage, and prepare for forthcoming risk assessment and cybersecurity audit obligations. Organizations that treat this period as an opportunity to build durable compliance infrastructure will be better positioned as regulatory scrutiny continues to increase. 


[1] Cal. Civ. Code § 1798.185 – CCPA Regulations.

[2] Cal. Civ. Code § 1798.100(a); 11 Cal. Code Regs. § 7001.

[3] Cal. Civ. Code § 1798.135(b); 11 Cal. Code Regs. § 7026.

[4] 11 Cal. Code Regs. §§ 7004 – 7005.

[5] Cal. Civ. Code § 1798.130(a)(5); 11 Cal. Code Regs. § 7011.

[6] 11 Cal. Code Regs. §§ 7012 – 7013.

[7] Cal. Civ. Code § 1798.140(ae); 11 Cal. Code Regs. § 7027.

[8] 11 Cal. Code Regs. § 7001.

[9] Cal. Civ. Code § 1798.185(a)(16); 11 Cal. Code Regs. §§ 7060 – 7063.

[10] 11 Cal. Code Regs. § 7063.

[11] Cal. Civ. Code § 1798.185(a)(15); 11 Cal. Code Regs. § 7150.

[12] 11 Cal. Code Regs. § 7152.

[13] Cal. Civ. Code § 1798.185(a)(14); 11 Cal. Code Regs. § 7120.

[14] 11 Cal. Code Regs. § 7123.

[15] Cal. Civ. Code § 1798.140(ag) – (ah); 11 Cal. Code Regs. § 7051.

© Vedder
