United States of America: Office of Administrative Law adopted regulations under California Consumer Privacy Act including risk assessment regulations

Office of Administrative Law adopted regulations under California Consumer Privacy Act including risk assessment regulations

On 23 September 2025, the California Office of Administrative Law approved the final regulations under the California Consumer Privacy Act (CCPA), including requirements on risk assessments. Businesses subject to the risk assessment obligations must begin compliance on 1 January 2026, establishing internal processes to evaluate and document the impact of their data processing activities. By 1 April 2028, such businesses are required to submit to the CPPA both an attestation confirming that all required risk assessments have been completed and a summary of their risk assessment information. These measures form part of the regulatory package aimed at enhancing consumer protection and ensuring that organisations implement structured evaluation and accountability mechanisms in their data processing operations.

Original source

Scope

Policy Area

Data governance

Policy Instrument

Data protection regulation

Regulated Economic Activity

cross-cutting

Implementation Level

subnational

Government Branch

executive

Government Body

data protection authority

Complete timeline of this policy change

Hide details

2023-08-28

under deliberation

On 28 August 2023, the California Privacy Protection Agency (CPPA) released materials ahead of its …

2024-02-23

under deliberation

On 23 February 2024, the California Privacy Protection Agency (CPPA) published a Revised Draft of t…

2024-11-22

in consultation

On 22 November 2024, the California Privacy Protection Agency (CPPA) opened the public consultation…

2025-01-14

processing consultation

On 14 January 2025, the California Privacy Protection Agency (CPPA) closes the public consultation …

2025-03-28

under deliberation

On 28 March 2025, the California Privacy Protection Agency (CPPA) published updated draft regulatio…

2025-05-09

under deliberation

On 9 May 2025, the California Privacy Protection Agency (CPPA) published the Modified Text of Propo…

2025-09-23

adopted

On 23 September 2025, the California Office of Administrative Law approved the final regulations un…

2026-01-01

in force

On 1 January 2026, the risk assessment provisions of the California Consumer Privacy Act (CCPA) reg…

2028-04-01

in force

On 1 April 2028, businesses subject to the risk assessment provisions of the California Consumer Pr…

Description

Office of Administrative Law adopted regulations under California Consumer Privacy Act including risk assessment regulations

Scope

Complete timeline of this policy change