California’s Privacy Risk Assessment Rules Are Live. The 2028 Deadline Isn’t the Starting Gun.
There is a pattern that repeats in privacy compliance. A significant requirement takes effect. Enforcement or a filing deadline is set two years out. Companies see the two-year horizon and quietly defer. Then the two years arrive, and they discover that the underlying work — the inventories, the workflows, the vendor reviews, the internal governance — takes longer than they planned. The deadline was never the hard part.
California’s new privacy risk assessment regulations follow this pattern, with one important wrinkle: California went further than any other U.S. state by requiring businesses to actually file their assessments with a regulatory agency. Most data protection assessment laws treat the document as an internal governance artifact. California made it a government submission.
That changes the calculus considerably. And for businesses initiating new data processing activities in 2026, there is no two-year runway at all.
What Changed on January 1, 2026
The California Consumer Privacy Act, as amended by the California Privacy Rights Act and the regulations finalized by the California Privacy Protection Agency (CPPA) in September 2025, now requires covered businesses to conduct formal privacy risk assessments before initiating any processing activity that presents a “significant risk” to consumer privacy.
These regulations represent the most substantive expansion of CCPA obligations since the law took effect in 2020. The earlier CPRA amendments focused primarily on consumer-facing rights — the right to correct, the right to limit use of sensitive information, the expanded opt-out mechanisms. The 2026 regulations reach inward, into how businesses govern their own operations. Risk assessments, cybersecurity audits, and in some cases formal AI governance programs are now mandatory processes, not optional best practices.
Key dates:
| Obligation | Deadline |
|---|---|
| Risk assessments for processing activities begun before Jan 1, 2026 | Complete by December 31, 2027 |
| Risk assessments for processing activities begun after Jan 1, 2026 | Complete before the activity begins |
| Submit 2026–2027 assessments to CPPA | April 1, 2028 |
| Submit each subsequent year’s assessments | April 1 of the following year |
| Update assessments for material changes | Within 45 days of the change |
| Refresh cycle (absent material changes) | At least every 3 years |
| Retention period | Duration of activity plus 5 years |
The April 2028 filing date is when documents change hands — not when the underlying compliance obligation begins. Companies that treat 2028 as a starting point will arrive at April with assessments they haven’t conducted, for processing activities they’ve been running for two years without the assessment the regulations required before launch.
California Is the First State to Require Filing
Multiple states now have data protection assessment obligations. Virginia’s CDPA, Colorado’s CPA, Connecticut’s CTDPA, Texas’s TDPSA, and several others all require businesses to conduct impact assessments before high-risk processing. What they do not require is that those assessments be submitted to anyone.
California changed that. Under the CPPA regulations, businesses must submit completed assessments to the California Privacy Protection Agency. A company executive must make the submission — this is not a staff-level task that can be delegated without accountability.
The CPPA or the California Attorney General can also request a full copy of any risk assessment at any time, and businesses must produce it within 30 days of that request. That 30-day production obligation means an assessment that hasn’t been documented — that exists only as informal internal discussions — will not satisfy the requirement when an enforcement inquiry arrives.
Assessments that other states treat as internal governance artifacts have, in California, become public filings. That distinction matters for how seriously organizations take the underlying work.
What Triggers a Risk Assessment
The regulations identify specific processing activities that require a risk assessment. Across the multi-state landscape, the triggering categories follow consistent themes:
1. Selling or sharing personal information
Any sale or sharing of personal information is a covered trigger. The definition of “sale” under the CCPA is broader than the commercial intuition of exchanging data for money — sharing personal information with a third party for cross-context behavioral advertising constitutes a sale even without direct monetary exchange.
This has direct implications for advertising technology. If an analytics or advertising vendor cannot represent that it will use your data exclusively within the scope of the direct business relationship and will not combine it with data from other sources, it likely does not qualify as a “service provider” under the CCPA. If it doesn’t qualify, the relationship may constitute a sale or sharing of personal information — which triggers an assessment requirement before you onboard the vendor.
Read that again: onboarding that vendor may itself be a covered processing activity requiring an assessment first. Many companies will have existing vendor relationships that were never assessed. Those are existing compliance gaps that predate the new regulations. For new vendor relationships entered into in 2026, the assessment cannot be deferred.
2. Targeted advertising
Behavioral advertising and cross-context advertising are explicitly covered. This captures most ad-tech stacks. Companies running retargeting campaigns, lookalike audience programs, or behavioral targeting through any third-party demand-side platform should be examining whether those arrangements have been assessed.
3. Sensitive personal information
The sensitive data category in CCPA/CPRA is broader than many compliance programs account for, particularly if those programs were designed primarily around HIPAA or financial data frameworks.
Under CPRA, sensitive personal information includes:
- Social Security numbers and government IDs
- Financial account numbers and access credentials
- Precise geolocation data — defined as data that identifies location within a 1,850-foot radius
- Racial or ethnic origin, religious or philosophical beliefs, union membership
- The contents of mail, email, and text messages where the business is not the intended recipient
- Genetic data
- Biometric data processed for unique identification
- Health or medical condition data
- Sex life or sexual orientation data
- Personal information of children under 16 where the business has actual knowledge of the child’s age
Two categories deserve special attention:
Precise geolocation is frequently collected without being treated as sensitive. Mobile apps that collect background location data, platforms that log IP addresses and resolve them to physical locations, advertising networks that receive location signals from device sensors — all of these may be collecting precise geolocation without flagging it as sensitive. The 1,850-foot threshold is not intuitive. Many companies will discover they are in-scope for sensitive data processing when they actually trace their data flows.
Health data outside HIPAA. HIPAA creates a protected category of health information held by covered entities and their business associates. It does not cover health information in every context. Wellness apps, fitness tracking platforms, employee wellness programs, healthcare analytics vendors serving non-covered entities, consumer health products — these companies may hold health-related information that falls entirely outside HIPAA’s scope and that has never been subject to health privacy regulation. Under CPRA, that data is sensitive regardless of HIPAA’s applicability. For companies in healthcare-adjacent industries, this distinction may have significant operational implications.
4. Profiling for significant decisions
Automated decision-making technology (ADMT) that makes or materially influences decisions with legal or similarly significant effects on individuals triggers both a risk assessment requirement and new consumer rights obligations. Employment decisions, credit decisions, housing, education, healthcare — any algorithmic system that contributes to these outcomes falls within scope.
The ADMT consumer notice and opt-out requirements phase in fully on January 1, 2027, giving companies with AI-driven decision systems one year to build the governance infrastructure. That year will pass quickly for organizations that have not started.
What the Assessment Must Contain
The CPPA regulations specify what a compliant risk assessment must include. The list is substantive and does not permit a checkbox exercise:
- Identification of the processing activity and a specific description of its purpose
- Categories of personal information processed and their sources
- Data retention periods — how long information is kept after collection
- How the business will interact with individuals regarding the processing
- Third parties who receive or access the personal information as part of the activity
- Identification of privacy risks the processing creates, with specificity
- Analysis of whether privacy risks outweigh the benefits to consumers, the business, and other stakeholders
- Mitigation measures the business will implement to reduce identified risks
- Involvement of relevant internal stakeholders — the people who actually work with the data and the system must be part of the assessment process, not just the legal or compliance team reviewing a document after the fact
- External expertise where needed — the regulations specifically point to examples such as experts who can help identify and address algorithmic bias in ADMT systems
The operational implication is that risk assessments under the CPPA regulations cannot be completed in isolation by a privacy attorney drafting a template. They require cross-functional input — engineering, product, marketing, IT, HR, depending on the processing activity — and in some cases external technical or domain expertise.
That is a workflow, not a document. Organizations that do not have a workflow in place will need to build one.
The Multi-State Compliance Gap
California’s filing requirement is new. The underlying obligation to conduct data protection assessments before high-risk processing is not — at least for companies subject to other state privacy laws that have been in effect for one to three years.
Virginia’s CDPA required assessments for high-risk processing activities effective January 1, 2023. Colorado’s CPA had equivalent requirements effective July 1, 2023. Connecticut, Texas, and several other states have followed. Most companies subject to those laws have not completed the assessments the laws required.
That is an existing compliance gap — independent of California’s new filing requirement — that has been accumulating for up to three years. The introduction of California’s more visible and more enforceable regime creates the opportunity to address it systematically. Companies that build a risk assessment program to comply with California’s requirements in 2026 and 2027 can use that same program to retroactively document the assessments other states have been requiring since 2023.
The practical argument for urgency is not just California enforcement. It is that multi-state assessment obligations are already overdue for many organizations, and California’s filing requirement creates both the incentive and the accountability structure to close those gaps.
Practical Steps for 2026
Step 1: Map your processing activities
Before you can determine which activities require assessments, you need an inventory. This means reviewing your data flows, vendor agreements, product features, advertising configurations, and analytics integrations. Prioritize activities that involve selling or sharing data, behavioral advertising, sensitive data categories, or automated decision-making.
Step 2: Audit your vendor roster for service provider qualification
For each third-party vendor that receives personal information, review whether the contractual relationship and the vendor’s actual data practices qualify it as a service provider under the CCPA. Vendors that combine your data with other sources, use data for their own business purposes, or serve customers outside your direct business relationship may not qualify. If they don’t qualify, the data transfer is potentially a sale — requiring an assessment before continuation.
Step 3: Re-examine your sensitive data inventory
Run your data inventory specifically against the CPRA sensitive data categories. Pay particular attention to precise geolocation (check mobile app integrations, ad networks, and any location-based features), health-adjacent data (check wellness programs, product analytics, and any data from health-related user activity), and data about consumers you have actual knowledge are under 16.
Step 4: Stand up an assessment workflow before onboarding new processing
For any new processing activity, vendor relationship, product feature, or advertising configuration beginning in 2026, the assessment must happen first. This requires a workflow — a formal intake and review process that routes new initiatives through privacy assessment before they go live. Organizations without this workflow will repeatedly face the choice between delaying launches and skipping assessments they’re legally required to complete.
Step 5: Document for production
Assessments must be producible within 30 days of a regulatory request. That means they must be documented, stored accessibly, and associated with the specific processing activities they cover. A culture of undocumented informal risk review will not satisfy this requirement.
Step 6: Identify who will make the executive submission
The CPPA requires an executive to make the formal filing. Identify who that will be, brief them on the obligation, and begin tracking which assessments will be submitted and when. The April 2028 submission covers 2026 and 2027 assessments — everything you do this year and next is going into that initial filing.
The Red Flag Problem
There is an enforcement dimension to the filing requirement that goes beyond fines. When a company files its 2028 submission and that submission is incomplete — covering only a fraction of the activities it was actually running — that incompleteness is itself a signal. The CPPA will be comparing what companies file against what they appear to have been doing based on their public-facing data practices, their privacy policies, their ad-tech configurations, and other observable signals.
A company that ran behavioral advertising for two years and files no assessment for that activity has not simply failed to file a document. It has documented, in the public record, that it initiated a covered processing activity without the legally required assessment. That is a substantively worse position than a company that never had to file at all.
The 2028 deadline does not create a two-year grace period for non-compliance. It creates a two-year window to build a program that results in a defensible filing. Those are different things.
Resources and Next Steps
The CPPA’s final regulations, effective January 1, 2026, are available through the California Code of Regulations. The agency has published guidance on the risk assessment requirements that is worth reviewing alongside the regulatory text.
For organizations subject to multi-state privacy obligations, the risk assessment frameworks required by Virginia, Colorado, Connecticut, and Texas are substantively similar to California’s — the differences are primarily in filing requirements and enforcement posture, not in the underlying analytical methodology. A single well-designed assessment template can address all of them.
The question in 2026 is not whether your organization will eventually need to address these requirements. The question is whether you are building the infrastructure now — before new processing activities go live, before vendors are onboarded, before the gap between what you’re doing and what you’ve documented becomes a liability you’re carrying into a regulatory examination.
Sources: California Privacy Protection Agency final regulations (Cal. Code Regs., tit. 11, div. 22, Sept. 2025); National Law Review analysis of 2026 CCPA risk assessment requirements; GoodSuite CCPA 2026 compliance analysis; Virginia Consumer Data Protection Act; Colorado Privacy Act; Connecticut Data Privacy Act.
This article is for informational purposes only and does not constitute legal advice. Organizations with specific compliance questions should consult qualified privacy counsel.