What qualified as compliant under the California Consumer Privacy Act (CCPA) in 2022 may not clear the bar in 2026. The regulations that took effect January 1, 2026, represent the law’s most significant expansion to date, introducing new requirements around artificial intelligence, cybersecurity, risk management, and consumer rights.
For businesses that haven’t revisited their compliance programs since the CCPA first launched, the gap between where they are and where they need to be may be larger than they think.

A Quick Recap: What the CCPA Was, and What It’s Become
The California Consumer Privacy Act took effect in 2020 as the first comprehensive consumer privacy law in the country. It gave California residents meaningful rights over their personal data: the right to know what was collected, the right to delete it, and the right to opt out of its sale. For businesses, it meant new disclosure obligations, updated privacy policies, and a process for handling consumer requests.
In 2023, the California Privacy Rights Act (CPRA) built on that foundation, expanding rights and establishing the California Privacy Protection Agency (CPPA) as the dedicated enforcement body. But the 2026 regulations go further still. Where earlier updates focused primarily on consumer-facing rights and disclosures, the new rules reach into how businesses operate internally, requiring formal governance processes, documented risk assessments, and in some cases, annual third-party audits.
CCPA compliance used to mean having the right disclosures in place. Now it means having the right programs in place.

What’s Actually New: The Key Changes
Automated Decision-Making Technology (ADMT)
If your business uses algorithms or AI tools to make or inform significant decisions about people, you now have new obligations. The regulations define ADMT as technology that processes personal information and uses computation to make or materially influence decisions with legal or similarly significant effects, such as those related to employment, credit, housing, education, or healthcare.
Businesses using ADMT for these purposes must provide consumers with clear pre-use notices, honor opt-out requests, and respond to consumer requests for access with meaningful information about how the technology works and what decisions it informs. Full ADMT notice and opt-out requirements phase in on January 1, 2027, giving businesses time to prepare, but that window is shorter than it sounds.
Risk Assessments
This is one of the most significant changes in the new regulations. Beginning in 2026, businesses must conduct formal risk assessments before initiating any data processing activities that present a “significant risk” to consumer privacy. For processing activities already underway before January 1, 2026, those assessments must be completed no later than December 31, 2027.
Activities that trigger a risk assessment include selling or sharing personal information, processing sensitive personal data, using ADMT for significant consumer decisions, and using automated processing to infer characteristics about employees, job applicants, or students based on systematic observation.
Each assessment must be a substantive written report. It needs to document the purpose of processing, the categories of data involved, the potential harms to consumers, the safeguards in place to mitigate those harms, and a determination of whether the privacy risks outweigh the benefits. Stakeholders involved in the processing activity must participate in the assessment, and an authorized decision-maker must sign off.
Assessments for new activities must be reviewed at least every three years and updated within 45 days of any material change. All versions must be retained for a minimum of five years.
Starting April 1, 2028, businesses must submit an annual certified summary to the CPPA, signed by an executive under penalty of perjury, covering the number of assessments completed, the data categories involved, and the time period covered. The CPPA or California Attorney General can also request a full copy of any risk assessment at any time, and businesses must produce it within 30 days.
Cybersecurity Audits
Businesses whose data processing presents a “significant risk” to consumer security (generally those with over $25 million in annual revenue that process personal data of more than 250,000 consumers, or sensitive data of more than 50,000) must begin conducting annual cybersecurity audits. Audit deadlines are phased in based on revenue:
- Businesses with annual gross revenue exceeding $100 million must submit their first audit certification by April 1, 2028
- Businesses between $50 million and $100 million, by April 1, 2029
- Businesses under $50 million, by April 1, 2030
Audits must be conducted by qualified, objective, and independent professionals, either internal or external. If conducted internally, auditors must report to executives not responsible for cybersecurity and must exercise impartial judgment. Audits cannot rely primarily on executive attestations; they must be grounded in documents, testing, and interviews.
The scope is broad, covering authentication practices, encryption, access controls, patch management, vulnerability testing, incident response, data retention and disposal, and oversight of third-party vendors, among other areas. A written audit report must be produced and submitted to executive management, and businesses must retain audit documentation for five years.

Expanded Right to Know
Previously, consumers could request access to personal information collected in the 12 months before their request. That limit is gone. Businesses that retain personal information for longer than 12 months must now be able to respond to requests covering data collected as far back as January 1, 2022, and that look-back window will continue to expand in step with a business’s actual retention practices.
Neural Data and Expanded Sensitive Information
The definition of “sensitive personal information” has been expanded to include neural data, meaning information generated by brain activity. This joins an existing list that includes Social Security numbers, financial account data, precise geolocation, health information, and biometric data. Data relating to consumers under the age of 16 is also now classified as sensitive, requiring heightened handling.
Dark Pattern Prohibitions
The new regulations take a harder stance on interface design. Businesses can no longer use consent flows or opt-out mechanisms that are designed, even subtly, to discourage consumers from exercising their rights. Specific prohibited practices include requiring more steps to opt out than to opt in, making a “yes” button more visually prominent than a “no,” treating the act of closing a pop-up as implied consent, and creating false urgency around consent decisions. Regulators have made clear they’ll look not just at what businesses ask consumers, but how they ask it.
What This Means for SMBs
It’s easy to assume that regulations this detailed are aimed at large enterprises. But the CCPA applies to any for-profit business that does business in California, collects California residents’ personal information, and meets at least one of the following thresholds: annual gross revenue exceeding $25 million, data on 100,000 or more consumers or households, or 50% or more of annual revenue derived from selling or sharing personal information.
That scope captures a significant number of small and mid-sized businesses, particularly those in e-commerce, SaaS, healthcare, financial services, and any industry that relies on third-party data or advertising technology.
For SMBs, the most immediate exposure is likely around the practical requirements that took effect January 1st: updated privacy policies, compliant opt-out mechanisms, dark pattern prohibitions, and the expanded Right to Know. These are visible, auditable, and relatively straightforward to assess.
The risk assessment requirements are more demanding and often get underestimated. If your business sells or shares personal data, uses any form of automated decision-making, or processes sensitive personal information, you are likely required to conduct a formal risk assessment and to have it completed for existing activities by the end of 2027. That timeline may feel distant, but building the internal process, identifying the right stakeholders, and producing documentation that meets the regulatory standard takes time.
What You Should Do Now
Audit your current privacy policy and disclosures. Check whether your privacy policy reflects the updated requirements, including disclosures about service providers and contractors, channel-specific notices for apps and connected devices, and the expanded Right to Know.
Review your consent flows and interface design. Walk through your opt-in and opt-out mechanisms with fresh eyes. If any step makes it harder to opt out than to opt in, that’s a problem under the new rules.
Map your data and identify high-risk processing activities. Understand what personal data you collect, where it goes, how long you keep it, and whether any of your processing activities (particularly around ADMT or sensitive data) trigger the risk assessment requirement.
Determine whether cybersecurity audit obligations apply to you. Review the revenue and volume thresholds carefully. If you’re close to a threshold, build monitoring into your annual planning process so you’re not caught off guard.
Start building your risk assessment process now. Even if your deadline is December 31, 2027, the time to design the process, identify stakeholders, and draft your first assessment is well before that. Businesses that have conducted DPIAs under GDPR or Data Protection Assessments under Virginia or Colorado law can adapt those frameworks as long as they meet California’s specific content requirements.
Talk to a privacy professional. The 2026 regulations are detailed and, in some places, technical. If you’re unsure whether your business is in scope or where to start, a privacy attorney or compliance consultant can help you prioritize.

Compliance Has Evolved. Has Your Program?
The 2026 CCPA updates represent a meaningful shift in what privacy compliance looks like, from a set of disclosures to a genuine governance program. For businesses that have kept up with the law’s evolution, many of these changes will be manageable. For those who haven’t revisited their compliance programs in a while, now is the time.
GoodSuite Can Help You Get There
The 2026 CCPA updates demand more than revised disclosures; they require a security infrastructure you can stand behind. Cybersecurity audits, access controls, incident response, vendor oversight: the new rules reach deep into how your business operates day to day.
At GoodSuite, we work with California businesses to build the IT foundations and documented security programs that compliance now requires. Start with a Cyber Risk Assessment to understand where your gaps are, then let’s build a plan together.
About GoodSuite
GoodSuite is a boutique Managed Services provider that helps businesses simplify, secure, and support their technology environment. Their services include Managed IT, Cybersecurity, Cloud Solutions, Backup and Disaster Recovery, Managed Print Services, and VoIP phone systems, along with office technology such as copiers and printers. Based in California, GoodSuite supports organizations across Southern California and throughout the United States with proactive service and strategic technology guidance.