California Data Privacy in 2026: What San Diego Business Owners Need to Know About the CCPA's New Rules

Regulatory Compliance | June 17, 2026

California data privacy law just got more demanding. The California Privacy Protection Agency (CPPA) finalized a package of new regulations in 2025 that took effect on January 1, 2026, layering fresh obligations onto the existing California Consumer Privacy Act (CCPA). The headline deadlines, covering retroactive risk assessments, automated decision-making rules, and the first cybersecurity certifications, phase in through 2027 and 2028. That can sound far off, but the compliance work takes months to build, so for many San Diego businesses the time to start is now.

Does the CCPA Apply to You?

The CCPA generally covers businesses that meet any one of three thresholds: gross annual revenue over $25 million, buying or selling or sharing the personal information of 100,000 or more consumers or households per year, or deriving 50% or more of annual revenue from selling or sharing personal information. If you meet a threshold and operate in California, the obligations apply even if you are headquartered elsewhere.

What Changed on January 1, 2026?

Three new requirements stand out.

First, mandatory privacy risk assessments. Before starting any processing that presents a significant risk to consumer privacy, a business must document the purpose, the categories of personal information, anticipated consumer counts, disclosure recipients, and a weighing of benefits against harms such as unauthorized access, discrimination, or economic harm. Processing that began before January 1, 2026 must be assessed retroactively by December 31, 2027.

Second, new rules for automated decision-making technology (ADMT). If you use algorithms or AI scoring to make significant decisions about employment, credit, housing, or insurance, you must give consumers a plain-language pre-use notice explaining the logic, outputs, and impacts, and you must offer a meaningful opt-out. Existing deployments must comply by January 1, 2027.

Third, expanded access rights. The 12-month lookback limit is gone. Consumers may request all personal information collected about them, except data collected before January 1, 2022, and a business cannot require account creation to submit a request.

Cybersecurity Audits, Phased In

Businesses whose processing presents a significant risk to consumer security face mandatory annual cybersecurity audits, with the first certification deadline phased in by revenue:

Annual Revenue                  First Certification Due to the CPPA
Over $100 million               April 1, 2028
$50 million to $100 million     April 1, 2029
Under $50 million               April 1, 2030

A qualified auditor evaluates the program against 18 enumerated components, such as multifactor authentication, encryption, access controls, and incident response, to the extent each applies to the business. The business does not submit the full audit; a member of executive management responsible for the audit files an annual written certification of completion with the agency.

Practical Steps

Audit your data map so you know what you collect, where it goes, and who can access it. Update your privacy policy so consent is as easy to withdraw as to give, and link it on every page that collects information. Build a documented risk-assessment process before new processing begins. Review HR, marketing, and loan-processing tools for ADMT obligations. Enforcement is heightening, not moderating, and compliant systems take time to build.

Bayside Counsel helps San Diego businesses build practical CCPA compliance programs. Contact us to assess where you stand before enforcement reaches you.
