California Consumer Privacy Act (CCPA)

California Just Raised the Bar on Privacy. Again.

If your business collects data from California residents, the rules changed on January 1, 2026. The California Consumer Privacy Act, now amended by CPRA, introduced new requirements for cybersecurity audits, risk assessments, and automated decision-making technology that most businesses haven't caught up with yet.

This isn't the same CCPA from 2020. The California Privacy Protection Agency has teeth now, and the compliance requirements have expanded significantly. Businesses that were "compliant enough" last year may not be this year.

We help you understand where you stand, close the gaps, and build the documentation that holds up when someone asks for it.

The 2026 Regulations Are a Significant Expansion

The CCPA you read about in 2020 focused on consumer rights: access, deletion, opt-out. The 2026 regulations go deeper into how your business actually operates.

Cybersecurity audits are now mandatory for qualifying businesses. If you meet the revenue or data processing thresholds, you'll need to conduct regular cybersecurity audits and be prepared to submit documentation to the California Privacy Protection Agency.

Risk assessments are required for processing activities that pose significant risk. That includes AI and automated decision-making, processing sensitive personal information, and activities involving data from minors. Assessments must be completed before those activities begin, and a senior executive must submit annual attestations.

Sensitive personal information protections expanded. Neural data is now classified as sensitive personal information. Data from anyone under 16 is automatically classified as sensitive. The definition keeps growing, and your data handling practices need to keep pace.

The enforcement agency is active. The CPPA isn't waiting. They have rulemaking authority, audit power, and a track record of updating requirements. This isn't a static compliance target. It's a moving one.

We Don't Just Explain the Law. We Get You Compliant.

A lot of compliance content on the internet tells you what CCPA requires. We assume you already know you need to comply. What you actually need is someone who can assess where you stand, identify the gaps, and help you close them.

CCPA compliance applies to for-profit businesses that meet any of these thresholds:

Annual gross revenue exceeding $26.625 million (2025-2026 adjusted figure). Processing personal information of 100,000 or more California residents or households annually. Deriving 50% or more of annual revenue from selling or sharing personal information.

If you're a California-based business or you serve California customers and hit any of those thresholds, you're covered. And with the 2026 regulatory expansion, the practical requirements are more demanding than they were even a year ago.

We work with businesses nationwide that need to comply with California privacy law. You don't have to be in California to be subject to CCPA if you're processing California residents' data

CCPA
Frequently Asked Questions

Privacy compliance isn't getting simpler. But it doesn't have to be your problem.