California’s New Privacy Regulations Signal a Compliance Turning Point for Businesses

  • Writer: Ben Card
  • Nov 11
  • 2 min read

This past week, California finalized sweeping new privacy regulations that will significantly reshape compliance obligations for businesses operating in the state. Approved by the California Office of Administrative Law, these rules expand the California Consumer Privacy Act (CCPA) framework, introducing new mandates around cybersecurity audits, risk assessments, and high-risk data processing activities. While enforcement deadlines are still a few years away, the scope and complexity of these requirements make early preparation essential.

The regulations create three major compliance pillars. First, businesses that engage in high-risk processing of personal information—such as handling sensitive data or conducting activities which could materially impact consumer privacy—must perform detailed risk assessments. These assessments go beyond technical security considerations to evaluate potential harms, bias, and fairness in data use. Companies will need to document safeguards and submit portions of these assessments to the California Privacy Protection Agency starting in 2028, with annual updates thereafter.

Second, the rules mandate annual cybersecurity assessments for larger organizations and those heavily reliant on personal data. Unlike previous self-attestation models, these audits must be independent and comprehensive, covering security programs, vendor oversight, and incident response capabilities. They culminate in executive certifications submitted to regulators, signaling a shift toward accountability at the highest levels of corporate governance.

Third, the regulations impose obligations on businesses using automated decision-making technologies (ADMT) for significant decisions about consumers. This includes tools that influence hiring, lending, insurance, education, or healthcare access. Companies must provide clear, plain-language disclosure explaining how these systems work, what data they use, and whether human oversight exists. Consumers will also gain the right to opt out of being subject to ADMT for these decisions, requiring organizations to build mechanisms for intervention and reversal when necessary.

Although most compliance deadlines fall between 2027 and 2030, businesses cannot afford to wait. Mapping where high-risk processing and ADMT occur within operations is the first step. From there, organizations should develop risk assessment templates, draft disclosure language, and coordinate with security teams to plan for independent audits. Establishing governance frameworks now will prevent last-minute scrambles and demonstrate a proactive approach to regulators.

California’s move reflects a broader trend toward rigorous privacy enforcement and accountability. For businesses, this is more than a legal requirement—it is an opportunity to build trust with consumers and differentiate through responsible data practices. Those who act early will not only reduce compliance risk, but also position themselves as leaders in an era where privacy and security are central to digital trust. Webcheck Security can provide privacy compliance consulting services for your business as you navigate new developments such as these.
