After months of anticipation, the California Privacy Protection Agency (CalPrivacy) finalized and received approval for its California Consumer Privacy Act (CCPA) Regulations. The regulations include many new obligations for businesses in scope for CCPA, including cybersecurity audits, risk assessments, automated decision-making assessments and notices, and more.

We understand that privacy teams can’t tackle everything all at once, so here are some steps businesses should take now to prepare for the first phase of obligations that come into effect Jan. 1, 2026.

Risk Assessments

Obligation: Similar to obligations in other state privacy laws, the CCPA Regulations put in place an obligation to assess privacy risk for certain processing that represents a heightened risk to California consumers. These include things like processing sensitive personal information, the sale or sharing of personal information, targeted advertising, certain uses of automated decision-making technology (ADMT) and training of ADMT.

The assessments must identify and document in a risk assessment report the categories of personal information to be processed, the specific business purpose, operational elements of the processing, the benefits to the business, consumer, or other stakeholders, any negative impacts to consumers, safeguards to mitigate risks, and whether the processing will move forward.

Businesses will need to submit reports on assessments conducted in 2026 and 2027, including who provided information for the assessment (except legal counsel), the date it was reviewed and approved, and name and positions of approvers (except legal counsel), to CalPrivacy by April 1, 2028.

Actions: Businesses that already have a risk assessment process in place have a leg up here. Conduct a gap assessment between your existing privacy risk assessment process and the obligations in the regulations and modify your process accordingly. For businesses that don’t have a privacy risk assessment process, it’s time to get moving! Review your processing activities for anything that meets the high-risk threshold, create a privacy risk process, policy, and questionnaire and get started—ticking off the highest risk areas first.

Classifying Minors’ Personal Information as Sensitive

Obligation: The personal information of California consumers under the age of 16 is now considered sensitive personal information (SPI) and is subject to the right to limit processing and to privacy risk assessments, as are other types of SPI like race, religion, sexual orientation, and more. An important distinction from the Children’s Online Privacy Protection Act (COPPA) is that the CCPA Regulations cover all PI about a minor, as opposed to PI collected from a minor, as under COPPA. Remember, the right to limit processing isn’t an absolute right; there are exceptions for things like performing the services expected and requested by the consumer. And the CCPA Regulations have an exception to the risk assessment requirements for SPI processed in the employment context.

Actions: Revise your data classification to ensure that personal information of minors under age 16 is classified as SPI. Review privacy risk assessment policies and procedures to ensure this information is included in the scope of PI that requires assessment. Audit systems, technologies, and policies that dictate provision of rights to ensure the right to limit processing is applied to PI of minors.

Opt-Out Signals

Obligation: Businesses must provide a way for consumers to see the status of their opt-out request. Whether consumers opted out using a universal opt-out mechanism like Global Privacy Control or opted out through the business’s submission mechanism, businesses must display a consumer’s status related to opting out of sale or sharing.

Actions: For businesses that use third-party consent managers, check configurations and offerings to determine whether this can be done via the technology. Businesses that have bespoke or manual processes will need to work with web developers and IT teams to determine the best way to implement this obligation. CalPrivacy notes that this can be achieved by displaying “Opt-Out Request Honored” and a toggle or radio button in the consumer’s privacy settings, indicating on or off.

Access Request Modification

Obligation: Under CCPA, businesses are required to provide access to consumers’ PI for the past 12 months. The Regulations extend that timeframe to Jan. 1, 2022. Businesses that retain PI for longer than 12 months must give consumers the ability to request access to their PI going back to the beginning of 2022 when submitting an access request.

Actions: Businesses that use third-party privacy rights managers should check configurations and offerings to determine whether this can be done via the technology. Businesses that have bespoke or manual processes will need to work with web developers and IT teams to determine the best way to implement this obligation. Additionally, policies, processes, and discovery tools may need to be updated to provide for this new obligation.

Corrections and Data Integrity

Obligations: When a consumer submits a correction to their PI held by a business, the business must ensure that the correction remains and is not overwritten at a later date by inaccurate information collected from a third party. It must also communicate that correction to any service providers and contractors, which are also required to ensure the PI remains corrected. Additionally, businesses must provide consumers with the name of the source from which they received inaccurate information or alternatively inform the source of the inaccuracy and that it must be corrected.

Actions: Businesses must put in place technological mechanisms to block overwriting of PI submitted by consumers in systems and databases. Businesses must also ensure data inventory and mapping includes the sources of PI to enable correction of the PI or communication of the source to the consumer. Additionally, businesses must revise correction response procedures, templates, and/or technologies to provide information to the consumer about the source of inaccurate information or to inform the source that the PI is incorrect and must be corrected.
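The correction obligation described above can be enforced in code with per-field provenance and a correction lock: a consumer-corrected field rejects later third-party overwrites, the record remembers which source supplied the inaccurate value, and every correction fans out to the listed service providers and contractors. This is an added illustration, not code from CalPrivacy or the Regulations; consumer ids, broker and vendor names are constructed samples.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class FieldValue:
    value: str
    source: str                      # who supplied this value: "consumer" or a third party
    consumer_corrected: bool = False  # True once the consumer has corrected the field


class PIRecord:
    """One consumer's record with per-field provenance and correction locks."""

    def __init__(self, consumer_id: str, downstream: list):
        self.consumer_id = consumer_id
        self.downstream = downstream            # service providers / contractors to notify
        self.fields: dict = {}                  # field name -> FieldValue
        self.notifications: list = []           # (recipient, field, corrected value)

    def ingest(self, name: str, value: str, source: str) -> bool:
        """Apply a third-party value; refuse to overwrite a consumer correction."""
        current = self.fields.get(name)
        if current is not None and current.consumer_corrected:
            # Same value is harmless and leaves the lock in place; a different one is blocked.
            return current.value == value
        self.fields[name] = FieldValue(value, source)
        return True

    def correct(self, name: str, value: str) -> Optional[str]:
        """Record a consumer correction, lock the field, notify downstream parties,
        and return the source of the inaccurate value (to tell the consumer or the source)."""
        prior = self.fields.get(name)
        inaccurate_source = prior.source if prior is not None else None
        self.fields[name] = FieldValue(value, "consumer", consumer_corrected=True)
        for recipient in self.downstream:
            self.notifications.append((recipient, name, value))
        return inaccurate_source


def demo() -> dict:
    """Constructed walk-through: broker data, consumer correction, attempted re-ingest."""
    rec = PIRecord("consumer-001", downstream=["mailing-vendor", "analytics-contractor"])
    rec.ingest("postal_code", "90001", "broker-A")          # inaccurate third-party value
    src = rec.correct("postal_code", "94105")               # consumer corrects it
    blocked = not rec.ingest("postal_code", "90001", "broker-A")  # stale value rejected
    same_ok = rec.ingest("postal_code", "94105", "broker-B")      # matching value accepted
    return {"inaccurate_source": src, "blocked": blocked, "same_value_ok": same_ok,
            "final": rec.fields["postal_code"].value,
            "notified": len(rec.notifications)}
```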

Health Data Obligation

Obligation: Where a business denies a correction related to a consumer’s health, it must include in the denial the consumer’s right to provide a 250-word statement related to the inaccurate information, which will be added to their records. Upon consumer request, the business must include the statement anytime it provides the contested information to another entity.

Actions: Businesses that process health information must revise correction response procedures, templates, and/or technologies to provide information to the consumer about their right to include the statement and provide a mechanism for consumers to submit a statement and request to make it available to third parties, service providers, and contractors.

Need help getting ready for the CCPA’s new requirements?

We’re here for you! With decades of privacy experience helping companies from the Fortune 50 to small startups, we can get your program up to speed with the new obligations from the CCPA Regulations and any other compliance hurdles coming your way! Contact us today to talk through your CCPA readiness and next steps.

Downloadable Resource

Understanding the CCPA: A Guide for Getting the Basics Right