- The Law Has Grown. So Has Its Reach.
- The 2026 Rules: What Has Changed
- Who Is Covered: Thresholds That Catch More Businesses
- What This Means for M&A, Contracts, & Employment
- 5 Steps Businesses Can Take Now
When the California Consumer Privacy Act first took effect in January 2020, many business owners treated it as a concern for large tech platforms. Six years later, that assumption has become a huge risk.
As of January 1, 2026, a sweeping set of new CCPA regulations became enforceable, touching several areas that affect day-to-day operations. Businesses using automated tools, processing sensitive personal information, or handling large volumes of data may now face obligations that require far more than updating a privacy policy.
At Strategy Law, LLP, we work with startups, established enterprises, real estate companies, and financial institutions across Silicon Valley and the greater Bay Area. Increasingly, we hear the same question from clients: "Does this apply to us?" The answer for most businesses in California is almost certainly yes, and the consequences of getting it wrong have grown significantly.
Here is what you need to know about the 2026 changes, who they affect, and the practical steps your business should be taking right now.
The Law Has Grown. So Has Its Reach.
California’s privacy regime began with the California Consumer Privacy Act and expanded significantly after the California Privacy Rights Act took effect. The law now operates through a broader enforcement framework backed by the California Privacy Protection Agency, along with regulations that focus on how businesses actually collect, use, assess, and secure personal information.
These new rules specifically address three areas:
- Automated decision-making technology (ADMT)
- Mandatory risk assessments for high-risk data processing
- Cybersecurity audit requirements
Together, they represent a significant shift from disclosure-based compliance to operational compliance. It is no longer enough to have the right privacy policy on your website. Your internal processes, vendor contracts, hiring systems, and data security programs must also meet the new standard.
The 2026 Rules: What Has Changed
Automated Decision-Making Technology (ADMT)
Perhaps the most consequential change for businesses involves ADMT. These are any systems that use computation to make or substantially replace human decisions. If your business uses AI-assisted hiring tools, automated loan underwriting, algorithmic tenant screening, or AI-driven performance evaluations, the 2026 rules now impose specific obligations.
Businesses using ADMT for "significant decisions" must now:
- Provide consumers with a plain-language Pre-Use Notice before processing begins, explaining specifically how the ADMT works and what it decides. Generic language like "to improve our services" is not sufficient.
- Allow consumers to opt out of ADMT-driven decisions or, alternatively, provide a meaningful human appeal process with a qualified reviewer who has real authority to override the system.
- Respond to consumer access requests by explaining the logic of the ADMT, what factors influenced the outcome, and what decision was ultimately made.
Mandatory Risk Assessments
The new regulations require formal written risk assessments whenever a business engages in certain high-risk data processing activities. Triggers include: selling or sharing personal information; processing sensitive categories of data such as precise geolocation, biometric information, health data, racial or ethnic origin, or immigration status; using ADMT for significant decisions; and conducting systematic surveillance of employees or applicants, including via GPS tracking, video monitoring, or Wi-Fi analytics.
Risk assessment reports must involve appropriate stakeholders, document the purposes and risks of processing, and include a certification submitted to the CPPA. For employers using workplace monitoring tools, this obligation deserves immediate attention.
Cybersecurity Audits
Larger businesses that meet specific revenue and data-volume thresholds must now conduct independent cybersecurity audits on a rolling annual basis. The audit timeline is tied to revenue: businesses with 2026 gross revenues exceeding $100 million must complete their first audit by April 1, 2028; those with revenues between $50 million and $100 million face an April 2029 deadline; and smaller qualifying businesses have until April 2030.
The audit must be conducted by a qualified, independent professional operating free from management influence, and all relevant records must be retained for at least five years. Importantly, a company's auditor cannot have participated in designing or overseeing the very cybersecurity program being reviewed.
Who Is Covered: Thresholds That Catch More Businesses
The CCPA applies to for-profit businesses operating in California that meet at least one of three thresholds: annual gross revenue exceeding $26.625 million; buying, selling, or sharing the personal information of 100,000 or more consumers or households per year; or deriving 50 percent or more of annual revenue from selling consumer personal information.
Critically, a business does not need to be located in California to be subject to the law. If your company conducts transactions with California residents online, tracks their activity through cookies, or employs workers in California — even remotely — you may be a covered business.
The law also has no general business-to-business exemption. If your company collects email addresses, phone numbers, or job titles from California-based business contacts, that data is protected under the CCPA.
What This Means for M&A, Contracts, & Employment
These updates sit within a broader California privacy framework that affects several important aspects of running a business, including mergers and acquisitions, commercial contracts, and employment practices.
In mergers and acquisitions, personal information may be part of the assets involved in a deal. Under the CCPA, transferring personal information as part of a merger, acquisition, bankruptcy, or similar transaction is treated differently from a typical sale or sharing arrangement, as long as the information continues to be used consistently with the promises made when it was collected. If an acquiring party plans to use or disclose that information in a materially different way, it may need to give consumers prior notice. Privacy diligence is also worth addressing early in a transaction, including how the target handles notices, retention, vendor relationships, and consumer requests.
For vendor and service provider relationships, California law requires contracts to include specific privacy protections. Agreements should limit how personal information may be used, require the recipient to provide the level of privacy protection the law requires, and give the business rights to monitor compliance and address unauthorized use. Businesses should also confirm that their vendors use reasonable security measures and can support the company's CCPA compliance obligations.
In employment, the exemption that had limited parts of the CCPA’s application to employee and job applicant data expired on January 1, 2023. Covered employers should provide appropriate privacy notices and be prepared to respond to applicable requests involving workforce data, while also accounting for the many legal and operational reasons some records must be retained. Businesses should review HR, recruiting, monitoring, and retention practices with that in mind.
5 Steps Businesses Can Take Now
Regardless of where your business is in its compliance journey, the following steps represent a practical starting point:
- Figure out what personal information you collect. Identify the types of data your business gathers, where it is kept, why you use it, and whether any outside vendors can access it.
- Confirm whether the law applies to your business. Review the CCPA thresholds to see whether your company is covered based on revenue, data volume, or data-related income.
- Update your notices, contracts, and internal policies. Make sure your privacy policy, employee and applicant notices, vendor agreements, and data retention practices reflect current California requirements.
- Review any automated tools and high-risk data practices. If your business uses AI or other automated systems for hiring, housing, credit, healthcare, or similar decisions, or if you handle sensitive data, those activities may require added compliance steps.
- Get your team and advisors involved. Train the employees who handle privacy requests and work with legal counsel to build a compliance plan that fits your business.
We Can Help Your Business Build a Defensible Program
California privacy obligations now touch multiple parts of a business at the same time. Employment practices, contract drafting, regulatory compliance, incident response, and commercial strategy can all be affected by how personal information is collected, used, and protected.
At Strategy Law, LLP, we help businesses evaluate privacy exposure, update policies and agreements, review internal practices, and respond to emerging compliance demands under California law. Our attorneys work with startups, established companies, real estate businesses, financial institutions, and other organizations that need practical legal guidance tailored to how they actually operate.
To discuss your company's privacy compliance needs, contact Strategy Law, LLP at (408) 478-4104 or message us online to schedule a consultation.
This article is intended for general informational purposes only and does not constitute legal advice. Reading this post does not create an attorney-client relationship. For advice specific to your situation, please consult a licensed attorney.