EBOOK

2026 CCPA Compliance Guide for New Requirements

How to comply with new rules for privacy assessments, automated decisionmaking, & cybersecurity audits
By submitting this form, you confirm that you have read and understood Privado’s Privacy Policy.
Thank You. Please check your email for your download. While you’re here, feel free to check other resources.
Oops! Something went wrong while submitting the form.

On September 22, 2025, CalPrivacy finalized new requirements for privacy risk assessments, automated decisionmaking technology (ADMT) opt outs, & cybersecurity audits that went live on January 1, 2026. This guide details everything privacy teams need to know to help their organizations comply at scale.

What’s in the guide

  • Requirement summary for risk assessments, ADMT opt outs, & cybersecurity audits (what businesses need to do by when)
  • Best practices to operationalize new compliance processes
  • Compliance roadmap: what to do now (2026 – 2030)
  • What tooling is needed
  • How Privado AI automates assessments & audits for scalable CCPA compliance

This is not just another privacy-notice update. The 2026 package is structurally different: it imposes operational obligations that can only be met by coordinating across privacy, security, engineering, product, and HR.

Starting January 1, 2026: A formal privacy risk assessment must be completed before initiating any new data processing with "significant risk" to consumer privacy. All assessments must be submitted annually to CalPrivacy via a summary + attestation package starting April 1, 2028.

Starting January 1, 2027: All business using ADMT to make "significant decisions" (employment, housing, lending, healthcare, education, insurance, essential goods and services), must issue a pre-use notice, offer an opt out, and honor a new right to access the logic, outputs, and decision rationale. ADMT use also triggers a mandatory risk assessment.

Starting April 1, 2028: Large businesses whose processing presents significant risk to consumer security must submit an independent annual cybersecurity audit against 18+ control areas for the previous calendar year. In 2029 and 2030, medium and small businesses will be phased in.

Download this comprehensive guide to learn how to start building efficient compliance processes today.

Get started