Digital Policy Alert logo

United States of America: California Consumer Privacy Act risk assessment regulations enter into force

Policy overview

Description

California Consumer Privacy Act risk assessment regulations enter into force

On 1 January 2026, the risk assessment provisions of the California Consumer Privacy Act (CCPA) regulations enter into force. From this date, businesses subject to these obligations must establish and maintain procedures to conduct risk assessments on their processing of personal information, ensuring that the scope, methods, and outcomes of such assessments are documented and integrated into organisational compliance frameworks.

Original source

Scope

Policy Area
Data governance
Policy Instrument
Data protection regulation
Regulated Economic Activity
cross-cutting
Implementation Level
subnational
Government Branch
executive
Government Body
data protection authority

Complete timeline of this policy change

Hide details
2023-08-28
under deliberation

On 28 August 2023, the California Privacy Protection Agency (CPPA) released materials ahead of its …

2024-02-23
under deliberation

On 23 February 2024, the California Privacy Protection Agency (CPPA) published a Revised Draft of t…

2024-11-22
in consultation

On 22 November 2024, the California Privacy Protection Agency (CPPA) opened the public consultation…

2025-01-14
processing consultation

On 14 January 2025, the California Privacy Protection Agency (CPPA) closes the public consultation …

2025-03-28
under deliberation

On 28 March 2025, the California Privacy Protection Agency (CPPA) published updated draft regulatio…

2025-05-09
under deliberation

On 9 May 2025, the California Privacy Protection Agency (CPPA) published the Modified Text of Propo…

2025-09-23
adopted

On 23 September 2025, the California Office of Administrative Law approved the final regulations un…

2026-01-01
in force

On 1 January 2026, the risk assessment provisions of the California Consumer Privacy Act (CCPA) reg…

2028-04-01
in force

On 1 April 2028, businesses subject to the risk assessment provisions of the California Consumer Pr…