As forecasted, effective January 1, 2026, businesses that are subject to the California Consumer Privacy Act (CCPA) must comply with newly updated regulations. For some businesses, complying with these updates will require implementing or updating policies and procedures related to, among other things, risk assessments, cybersecurity audits, and the use of Automated Decision-Making Technologies. Businesses should review the updated regulations to determine whether they might be affected and, if so, implement a plan to promptly ensure compliance.
Outlined below are just a few of the most notable CCPA updates businesses should be aware of:
- Risk Assessments
- Businesses that engage in certain processing activities, including selling or sharing personal information, will need to conduct risk assessments. For new processing activities (beginning after January 1, 2026), risk assessments must be conducted prior to commencement of the new activity. Businesses that conduct a risk assessment in the prior calendar year must submit an attestation of the risk assessment to the California Privacy Protection Agency ("Agency") by April 1 of the following year.
- For activity that occurred prior to January 1, 2026, and continued thereafter, businesses must conduct a risk assessment by December 31, 2027, and provide attestation on or before April 1, 2028.
- Risk assessments completed for other state laws can demonstrate compliance if they also satisfy the requirements of the CCPA regulations.
- Automated Decision-Making Technology (ADMT) Rules
- The updated regulations impose new requirements for businesses that use ADMT to make "significant decisions" about consumers. Those requirements will take effect in 2027. "Significant decisions" include granting or denying services like financial or lending products, housing, educational admissions or opportunities, job or contracting opportunities and compensation, or healthcare services.
- Obligations associated with ADMT use include:
- Providing consumers with pre-use notice of and access to information describing the manner in which ADMT is used and informing them of their associated opt-out and access rights;
- Offering consumers ADMT opt-out, unless an exception applies;
- Conducting risk assessments, as applicable; and
- Updating privacy notices, as applicable.
- Cybersecurity Audits
- The CCPA regulations will require certain businesses to conduct mandatory cybersecurity audits. The scope of the audits contains a long list of specifics, which generally tracks established audit standards such as the NIST Cybersecurity Framework. Businesses will also have to submit annual certifications of completion to the Agency.
- While the deadlines for submitting certifications begin in 2028, businesses should be aware that implementing compliant cybersecurity programs—which often must include, among other things, incident response management, access controls, data inventory, retention and disposal procedures, and vendor oversight—often requires collaboration across businesses and can be very time consuming.
- Broadened Definition of "Sensitive Personal Information"
- The updates also imported the statutory definition of "sensitive personal information," with the addition of "personal information collected and analyzed concerning a consumer's health, sex life, or sexual orientation," and "personal information of consumers that the business has actual knowledge [or willfully disregards] are less than 16 years of age."
- With the broadened definition, businesses should reassess their need for notices, opt-outs, and back-end procedures related to the Right to Limit.
- Other Notable Updates
- Stricter requirements relating to the use of dark patterns, highlighting the need for careful consideration relating to cookie banners and opt-out menus;
- Additional notice requirements for businesses that disclose personal information collected through augmented or virtual reality devices;
- Updates to data subject rights procedures; and
- New transparency requirements, including in-app privacy policy posting requirement.
Although many of the deadlines outlined above seem distant, businesses should be auditing their current processing activities for compliance now rather than discovering potential issues right before the applicable deadlines expire.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.