CCPA Final Regulations: A Comprehensive Guide for Business Compliance
April 13, 2026
Effective January 1, 2026, amendments to the California Consumer Privacy Act (“CCPA”) establish unprecedented protections for consumer data.[1] The reforms emphasize the CCPA’s continued focus on mitigating risks to consumers’ personal information, creating heightened expectations that proper protections be implemented.
Understanding these regulatory updates and their business implications is essential for effective compliance. This is the first in a series of articles that will examine key provisions of the CCPA Final Regulations and provide actionable guidance for organizations navigating these requirements.
New Obligations
The CCPA Final Regulations strengthen privacy protection and data security across several critical dimensions. Beyond refining existing transparency requirements, the regulations introduce substantial new obligations in three primary areas:
- Cybersecurity Audits – Mandatory independent assessments to verify security measures and compliance.
- Risk Assessments – Systematic evaluation of risks inherent in data processing activities.
- Automated Decision-Making Technology (“ADMT”) – Governance requirements for businesses that use ADMT to make significant decisions regarding consumers.
Failure to comply can result in significant enforcement actions, including administrative fines, monetary damages per consumer per incident, and civil penalties.[2] Organizations should begin compliance preparations immediately to meet the implementation timelines outlined below.
Annual Cybersecurity Audit Requirements
Recognizing the critical importance of cybersecurity, the CCPA now mandates annual independent audits covering 18 control areas for businesses meeting specific risk-based criteria.[3] These audits verify the security and integrity of personal and sensitive information, with initial submissions required by April 1, 2028, for qualifying organizations.
Applicability Criteria
The audit requirement applies to businesses that:
- Derive 50% or more of revenue from selling or sharing data; and/or
- Generate annual revenue exceeding $25 million (inflation-adjusted), while processing substantial volumes of personal or sensitive information.
Core Requirements
Organizations meeting these thresholds must:
- Conduct annual independent cybersecurity audits, performed by qualified, objective, independent professionals using accepted auditing standards, such as those adopted by the American Institute of CPAs.
- Obtain written certification from an executive management team member responsible for cybersecurity compliance, attesting to audit completion and findings.
- Submit a written certification of compliance annually to the California Privacy Protection Agency (“CPPA”) and be prepared to produce the audits themselves if required in a CCPA enforcement action or any other legal proceeding.
Audit Scope
Audits must comprehensively address:
- Systems and Data Environment Overview – The regulations require a description of the business’s information systems and the specific evidence examined.
- Industry Standards Alignment – Verification of “reasonable security” against recognized frameworks (NIST, ISO, etc.). Businesses may utilize cybersecurity reports prepared for other purposes.
- Gap Analysis and Remediation – Identification of any gaps or weaknesses and documentation of the business’s plan to address discovered vulnerabilities.
- Breach and Incident Analysis – Reports must include copies of notices to California consumers affected by a data breach and copies of notices to California agencies regarding the breach.
Implementation Timeline
Audit certifications must be submitted via the CPPA website by April 1 of the year following the audit year, with staggered compliance dates based on company size:
- April 1, 2028: Businesses with revenue exceeding $100 million
- April 1, 2029: Businesses with revenue between $50–$100 million
- April 1, 2030: Businesses with revenue under $50 million
Ongoing Obligations
Organizations must submit annual audit results to the CPPA following each audit year and retain all audit documentation for a minimum of five years.
Risk Assessments for High-Risk Processing
Risk assessments serve as essential tools for identifying and mitigating privacy risks, enabling regulatory compliance and demonstrating organizational commitment to data protection. The updated regulations require risk assessments for businesses engaged in certain high-risk data processing activities.
Applicability Criteria
Risk assessments are required for businesses engaged in the following high-risk processing activities:
- “Selling” or “sharing” personal information (as those terms are broadly defined under the CCPA)
- Processing “sensitive personal information” (as defined under the CCPA)
- Using ADMT to make significant decisions or using personal information to train ADMT
- Using automated technology to infer personal attributes under certain circumstances
Assessment Components
Risk assessments must include:
- Detailed description of processing activities
- Comprehensive risk and benefit analysis
- Documented mitigation measures
- Evaluation of less intrusive alternatives
- Service provider contracts and oversight
Implementation Timeline and Ongoing Obligations
Ideally, organizations impacted by these new requirements would have started conducting assessments in January of this year; those that have not should begin in earnest. In this initial phase, organizations have roughly two years to complete assessments for all ongoing activities, with their first certified report due to the CPPA by April 1, 2028, and annually thereafter.
- January 1, 2026: Begin conducting risk assessments
- December 31, 2027: Complete assessments for all ongoing activities
- April 1, 2028: Submit annual certified reports to CPPA
Organizations must continue to conduct risk assessments for processing activities that meet the threshold described above and report the following to the CPPA:
- An attestation that required risk assessments were completed.
- A summary of their risk assessment information.
Governance Requirements for ADMT
Next year, expanded governance obligations will apply to ADMT and technologies that make significant decisions about consumers. Such technologies include machine learning, statistical analysis and artificial intelligence systems that execute or facilitate decision-making processes.
Core Requirements
- Pre-Use Notices – Inform consumers before collecting data for ADMT purposes.
- Transparency and Appeal Rights – Explain ADMT logic, inputs, outputs, data sources and underlying assumptions and provide consumers with appeal mechanisms.
- Opt-Out Mechanisms – Display distinct opt-out links on websites.
- Opt-In Consent – Obtain explicit consent for collecting or processing sensitive data and minors’ information.
- Human Review Exception – Provide an option for consumers to request meaningful human oversight for any ADMT that falls under the scope of this regulation.
Compliance Preparation Roadmap
Figure 1 - CCPA Final Regulations Timeline
Conclusion
The CCPA Final Regulations represent a substantial advancement in privacy protection and data governance, with stringent timeline obligations and significant non-compliance penalties. Organizations operating in California or serving California consumers must prioritize proactive compliance preparation now, including rigorous audits, comprehensive risk assessments and transparent data practices. By following the implementation timelines and requirements outlined in this guide and acting immediately to strategically address compliance gaps, organizations should be able to effectively navigate this regulatory landscape while protecting both operational integrity and consumer trust.
Footnotes:
[1] Cal. Code Regs. tit. 11, §§ 7000–7304 (2026).
[2] “California Privacy Protection Agency Announces 2025 Increases for CCPA Fines and Penalties,” California Privacy Protection Agency (December 2024).
[3] Id. (page 77).