California Consumer Privacy Act (CCPA)
California Just Raised the Bar on Privacy. Again.
If your business collects data from California residents, the rules changed on January 1, 2026. The California Consumer Privacy Act, now amended by CPRA, introduced new requirements for cybersecurity audits, risk assessments, and automated decision-making technology that most businesses haven't caught up with yet.
This isn't the same CCPA from 2020. The California Privacy Protection Agency has teeth now, and the compliance requirements have expanded significantly. Businesses that were "compliant enough" last year may not be this year.
We help you understand where you stand, close the gaps, and build the documentation that holds up when someone asks for it.
The 2026 Regulations Are a Significant Expansion
The CCPA you read about in 2020 focused on consumer rights: access, deletion, opt-out. The 2026 regulations go deeper into how your business actually operates.
Cybersecurity audits are now mandatory for qualifying businesses. If you meet the revenue or data processing thresholds, you'll need to conduct regular cybersecurity audits and be prepared to submit documentation to the California Privacy Protection Agency.
Risk assessments are required for processing activities that pose significant risk. That includes AI and automated decision-making, processing sensitive personal information, and activities involving data from minors. Assessments must be completed before those activities begin, and a senior executive must submit annual attestations.
Sensitive personal information protections expanded. Neural data is now classified as sensitive personal information. Data from anyone under 16 is automatically classified as sensitive. The definition keeps growing, and your data handling practices need to keep pace.
The enforcement agency is active. The CPPA isn't waiting. It has rulemaking authority, audit power, and a track record of updating requirements. This isn't a static compliance target. It's a moving one.
We Don't Just Explain the Law. We Get You Compliant.
A lot of compliance content on the internet tells you what CCPA requires. We assume you already know you need to comply. What you actually need is someone who can assess where you stand, identify the gaps, and help you close them.
- We evaluate your current data practices, security controls, and documentation against the current CCPA/CPRA requirements. You get a clear, prioritized report showing where you're compliant, where you're exposed, and what to fix first. Not a 100-page document. Actionable findings you can use.
- Where your current security posture doesn't meet CCPA requirements, we implement the controls. Access management, data encryption, monitoring, incident response procedures. The technical work that actually protects the data and satisfies the auditor.
- Policies, procedures, risk assessments, training records. When the CPPA or your insurance provider asks for documentation, you hand it over without scrambling. We build and maintain the evidence package so it's ready before you need it.
- CCPA isn't a one-time project. The regulations are actively evolving. We monitor changes, update your documentation, and adjust your controls so you stay compliant as the law continues to expand.
CCPA compliance applies to for-profit businesses that meet any of these thresholds:
- Annual gross revenue exceeding $26.625 million (2025-2026 adjusted figure).
- Processing personal information of 100,000 or more California residents or households annually.
- Deriving 50% or more of annual revenue from selling or sharing personal information.
If you're a California-based business or you serve California customers and hit any of those thresholds, you're covered. And with the 2026 regulatory expansion, the practical requirements are more demanding than they were even a year ago.
We work with businesses nationwide that need to comply with California privacy law. You don't have to be located in California to be subject to CCPA; processing California residents' personal information is enough.
CCPA Frequently Asked Questions
- CPRA amended CCPA in 2020 and most of its provisions took effect January 1, 2023. They're not separate laws. CPRA expanded and modified CCPA, and what people call "CCPA" today includes all the CPRA amendments. The 2026 regulations further expand the requirements around cybersecurity audits, risk assessments, and automated decision-making technology.
- Probably not fully. The 2026 regulations introduced significant new requirements that didn't exist when most businesses did their initial compliance work. Cybersecurity audit obligations, risk assessment requirements for AI and automated processing, expanded sensitive personal information definitions, and new enforcement mechanisms all need to be evaluated against your current practices.
- CCPA focuses specifically on consumer privacy rights and how businesses handle personal information. HIPAA covers health information. CMMC covers defense contractor cybersecurity. There's overlap in the security controls, but the specific requirements, documentation, and enforcement mechanisms are different. If you're subject to multiple frameworks, we can help you build a unified compliance program that satisfies all of them without duplicating effort.
- It depends on the size of your business, the volume of personal information you process, and how far your current practices are from compliance. We give you a clear picture during a Strategy Session and scope the engagement based on what you actually need.
- Yes. That's what makes us different. We assess the gaps AND implement the controls. Your data encryption, access management, monitoring, incident response procedures, all of it. You don't need to hire a separate firm to act on what we find.