California's 2026 CCPA Risk Assessments: New Requirements for Businesses

The California Consumer Privacy Act (CCPA) has introduced new requirements for businesses regarding privacy risk assessments in 2026. Companies using cookies for behavioral advertising or engaging in activities that pose a 'significant risk' to consumer

privacy must conduct written risk assessments. These assessments are mandatory for processing sensitive information, including data of children under 16, and for using automated decision-making technologies. The final regulations, released in September 2025, outline that existing activities must have assessments completed by December 31, 2027, while new practices require assessments before processing begins. The assessments must evaluate privacy risks versus consumer benefits and be submitted to the California Privacy Protection Agency by April 1, 2028.