As of January 1, 2026, the CCPA has a new requirement that most California businesses haven't heard of yet: mandatory risk assessments for data processing activities that present "significant risk to consumers' privacy."
This isn't a future regulation. It's live right now. And on April 1, 2028, a member of your executive team will need to sign a certification, under penalty of perjury, confirming that your business completed those assessments.
If that timeline surprises you, you're not alone. Most businesses are still focused on the cybersecurity audit requirement. The risk assessment obligation is separate, it's already in effect, and it covers processing activities that nearly every mid-size California business performs daily.
What Triggers a Risk Assessment
The regulations identify six categories of data processing that require a risk assessment. If your business does any of the following, you're on the hook:
- Selling or sharing personal information. This includes the use of third-party cookies, tracking pixels, and advertising technologies that send consumer behavior data to external companies. CalPrivacy has already fined businesses for exactly this type of processing. If you run targeted ads or use analytics tools that share data with third parties, this applies to you.
- Processing sensitive personal information. The CCPA defines this broadly: biometric data, children's data (under 16), account login credentials, Social Security numbers, driver's license numbers, health data, and precise geolocation. If you collect any of these categories, a risk assessment is required.
- Using automated decision-making technology (ADMT) for significant decisions. If you use algorithms or AI to make decisions that meaningfully affect consumers, like approving applications, setting prices based on individual profiles, or determining eligibility for services, you need an assessment.
- Automated processing to infer personal characteristics in work or education settings. Think employee monitoring software that tracks productivity, tools that assess worker aptitude, or educational platforms that profile student behavior.
- Automated processing based on presence in sensitive locations. If you're inferring information about consumers based on their visits to medical facilities, religious institutions, or similar locations, that requires an assessment.
- Processing personal information to train AI systems. If you use consumer data to train automated decision-making tools, facial recognition, emotion recognition, or identity verification systems, a risk assessment is mandatory.
Look at that list and count how many apply to your business. For most companies processing California consumer data, it's at least two or three.
What a CCPA Risk Assessment Actually Involves
This isn't a checkbox exercise. The regulations require you to document a thorough analysis of each qualifying processing activity. Here's what each risk assessment needs to cover:
Identify the processing activity. Describe what personal information you're collecting, from whom, and for what purpose. Be specific. "Marketing purposes" isn't sufficient. You need to document the actual data flows.
Assess the benefits. Document the benefits the processing provides to your business, the consumer, the public, and any other stakeholders. The regulations require you to weigh these benefits against the privacy risks.
Assess the risks. Identify the specific privacy risks the processing creates for consumers. This includes risks of unauthorized access, data misuse, discrimination, loss of autonomy, and any other negative impacts on consumers' rights.
Weigh benefits against risks. This is the core of the assessment. You need to demonstrate that the benefits of the processing activity outweigh the risks to consumers' privacy. If they don't, you either need to implement additional safeguards or stop the processing.
Document safeguards. Describe the technical and organizational measures you've implemented to mitigate the identified risks. This is where your cybersecurity controls, access management, encryption, and data minimization practices come into play.
The April 2028 Certification Deadline
Here's where this gets serious. For all risk assessments conducted during 2026 and 2027, your business must file a certification with CalPrivacy by April 1, 2028. That certification must include:
- A designated point of contact for the business
- The time period covered by the risk assessment
- The categories of personal and sensitive personal information involved
- The signature of a member of your executive management team who is responsible for the assessment's compliance
That last bullet is the one that should get your attention. This isn't something you can delegate to a junior compliance analyst and forget about. An executive has to sign their name to it, under penalty of perjury, attesting that the assessments were done properly.
When a C-suite executive's personal liability is attached to a compliance requirement, it tends to get funded quickly. If you've been struggling to get budget for privacy compliance work, the risk assessment certification requirement is your leverage.
Not Sure Where Your Business Stands?
Take our free 5-minute assessment to identify compliance gaps across all CCPA requirements, including risk assessments.
How Risk Assessments Connect to Cybersecurity Audits
If you've been tracking the CCPA cybersecurity audit requirement, you might wonder how risk assessments fit in. They're separate but deeply related.
The cybersecurity audit evaluates whether your security controls are adequate to protect the personal information you process. The risk assessment evaluates whether the processing itself is justified and properly safeguarded.
In practice, the two overlap significantly. The safeguards you document in your risk assessment are the same controls your cybersecurity audit will evaluate. Your data inventory feeds both processes. Your vendor contracts matter for both. If you approach them as isolated compliance projects, you'll do the same work twice.
The smart approach: build one unified data governance framework that feeds both your risk assessments and your cybersecurity audit. Map your data flows once. Document your controls once. Then use that foundation to produce both deliverables.
Common Mistakes Businesses Are Already Making
The risk assessment requirement has been in effect for less than two months, but patterns are already emerging among businesses trying to comply:
Treating it as a one-time project. Risk assessments aren't a file-and-forget exercise. The regulations require you to update assessments when processing activities change materially. If you add a new analytics tool, switch advertising platforms, or start collecting a new category of personal information, your existing assessments need to be revisited.
Underestimating what counts as "selling or sharing." Many businesses don't realize their use of standard marketing technologies qualifies. If your website loads third-party scripts that transmit consumer behavior data to advertising networks, that's sharing personal information under the CCPA. CalPrivacy has already taken enforcement action on exactly this point.
Conducting assessments without involving technical staff. A risk assessment that only reflects legal counsel's understanding of data flows will have gaps. Your IT team knows where data actually goes. Your marketing team knows which tools process consumer data. Risk assessments require cross-functional input to be accurate.
Ignoring employee data. The risk assessment requirement applies to consumer, employee, and commercial personal information. If you use employee monitoring software, automated scheduling tools, or AI-assisted HR platforms, those processing activities may trigger the requirement too.
The CCPA Audit Readiness Kit includes risk assessment templates and a data mapping framework that covers both cybersecurity audits and risk assessments in a single workflow.
A Practical Timeline for Getting This Done
April 2028 feels far away. It isn't. Here's a realistic timeline for a mid-size business starting from scratch:
Months 1-2: Data inventory. You can't assess risks for processing activities you haven't identified. Map every system, vendor, and process that touches personal information. This is the foundation for everything else.
Months 3-4: Identify triggering activities. Cross-reference your data inventory against the six categories that require risk assessments. Prioritize by volume of data and sensitivity.
Months 5-8: Conduct assessments. Work through each triggering activity. Document the data flows, benefits, risks, and safeguards. Get cross-functional input from IT, legal, marketing, and HR.
Months 9-10: Implement gaps. Your assessments will reveal safeguards that should exist but don't. Build those controls. Update vendor contracts. Tighten access management. Document everything.
Months 11-12: Executive review and sign-off. Present the completed assessments to your executive team. Get the designated executive comfortable with what they're signing. Address any concerns before the certification deadline.
That's a 12-month process. If you start in Q1 2027, you're cutting it close. If you start now, you have breathing room to do it right.
What Happens If You Don't Comply
The CCPA's penalty structure applies: up to $2,500 per violation, or $7,500 per intentional violation. Given that risk assessments cover processing activities that may affect thousands or millions of consumers, the math gets uncomfortable fast.
But fines aren't the only risk. The certification requirement means CalPrivacy will have a clear, verifiable record of which businesses complied and which didn't. There's no ambiguity, no gray area. You either filed the certification by April 2028 or you didn't. That kind of binary compliance makes enforcement straightforward.
CalPrivacy has also stated publicly that they have hundreds of open investigations, many targeting businesses that don't know they're under scrutiny. A missing risk assessment certification is the easiest possible enforcement trigger. It requires zero investigation. They just check whether you filed.
Start With What You Know
You don't need to boil the ocean. Start with the processing activities you already know about: your marketing technology stack, your customer database, any sensitive personal information you collect. Do a rough inventory this week. Identify which of the six triggering categories apply. That gives you a scope and a starting point.
The businesses that treat risk assessments as an extension of their existing compliance work will handle this efficiently. The ones that treat it as a separate, isolated project will spend twice the time and money. And the ones that ignore it entirely will be the first enforcement targets when April 2028 arrives.
Get the Templates and Framework
The CCPA Audit Readiness Kit includes risk assessment templates, data mapping tools, and step-by-step implementation guides. Everything you need to satisfy both the risk assessment and cybersecurity audit requirements.