Seven Critical CCPA Compliance Changes Taking Effect January 1, 2026

The California Privacy Protection Agency (CPPA) has issued guidance on seven major regulatory updates that businesses must prepare for before January 1, 2026. These amendments to the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) regulations represent some of the most significant compliance changes since the original law took effect, introducing new obligations around risk assessments, data accuracy, youth privacy protections, and consumer rights verification.

For businesses operating in California or processing California residents’ personal information, these changes require immediate attention and preparation. Here’s what you need to know.

1. Mandatory Risk Assessments for High-Risk Processing Activities

Perhaps the most significant change: businesses must now conduct formal privacy impact assessments before engaging in several categories of processing activities. This requirement, outlined in Article 10 of the regulations, applies before a business:

  • Sells or shares personal information
  • Processes sensitive personal information
  • Uses or trains automated decision-making technologies

What Risk Assessments Must Include

These aren’t cursory compliance checks. The regulations specify that risk assessments must identify and document:

Purpose and Scope:

  • The business’s specific purpose for conducting the processing activity
  • The categories of personal information involved
  • The operational elements and systems that will handle the data

Impact Analysis:

  • Benefits the activity provides to the business and consumers
  • Potential negative impacts to consumers’ privacy
  • Risks to consumer privacy rights

Safeguards and Mitigation:

  • Relevant safeguards implemented to address identified risks
  • How these safeguards mitigate negative impacts
  • Documentation of risk-benefit balancing

This requirement aligns California with European Union GDPR data protection impact assessment (DPIA) requirements, creating a more robust privacy governance framework. For businesses already conducting privacy compliance assessments, these new mandatory risk assessments may require enhanced documentation and more granular analysis.

Practical Implementation Considerations

Businesses should immediately:

  • Inventory all current activities involving selling/sharing personal information, processing sensitive personal information, or using automated decision-making technologies, including AI-based systems and their governance
  • Develop standardized risk assessment templates aligned with Article 10 requirements
  • Establish processes for conducting assessments before launching new processing activities
  • Designate responsibility for risk assessment oversight and approval
  • Create documentation retention protocols for completed assessments

The CPPA has indicated that risk assessments may be requested during investigations or audits, making proper documentation critical, and that submitting them will become mandatory in future years, currently slated for 2028. Structured processes are essential when building privacy compliance programs that incorporate risk assessment workflows.

2. Opt-Out Verification and Status Confirmation

Under the new regulations (§§ 7025(c)(6), 7026(g)), businesses must provide consumers with a verifiable means to confirm the status of their opt-out requests. This applies to all opt-out requests, including:

  • Manual opt-out requests submitted through website forms or other channels
  • Global Privacy Control (GPC) signals and other opt-out preference signals
  • Requests to opt out of selling personal information
  • Requests to opt out of sharing personal information for cross-context behavioral advertising

Implementation Methods

The CPPA provides specific examples of acceptable verification methods:

Website Display Indicators:

  • Displaying “Opt-Out Request Honored” messaging on the website
  • Showing status in user account privacy settings
  • Using toggle switches or radio buttons to indicate current opt-out status

Account-Based Verification:

  • Privacy dashboard showing all active opt-out preferences
  • Email confirmations with ongoing status access
  • Ability to query current opt-out status through customer service

This requirement addresses a significant gap in previous regulations. Many businesses processed opt-out requests but provided no mechanism for consumers to verify their requests were honored or check their current status. The new rule ensures transparency and gives consumers confidence their privacy choices are being respected.

GPC Implementation Challenges

For businesses implementing Global Privacy Control recognition, this requirement adds complexity. When a browser sends a GPC signal, the business must:

  1. Recognize and honor the signal
  2. Provide confirmation to the user that the signal was received and honored
  3. Maintain the opt-out status across the user’s sessions
  4. Allow the user to verify their current opt-out status

This is particularly challenging for businesses that don’t maintain user accounts, as they must implement session-based or cookie-based status verification mechanisms.
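The four GPC steps above, worked through for a site without user accounts, as an added example that is not part of the original article or any CPPA material. The cookie name, its value layout, the status message text and the one-year lifetime are assumptions; the `Sec-GPC: 1` request header is the signal the GPC specification defines.

```python
"""Honor a Global Privacy Control signal, persist the opt-out across sessions,
and let the consumer verify status (added example; cookie format, message
text and lifetime are assumptions, not CPPA or vendor code)."""
from dataclasses import dataclass
from typing import Mapping, Optional

OPT_OUT_COOKIE = "ccpa_opt_out"            # assumed cookie name
COOKIE_MAX_AGE = 60 * 60 * 24 * 365        # assumed: persist for one year
STATUS_HONORED = "Opt-Out Request Honored"
STATUS_NONE = "No opt-out request on file"


@dataclass(frozen=True)
class OptOutState:
    sale: bool = False      # opted out of selling personal information
    share: bool = False     # opted out of sharing for cross-context behavioral ads
    source: str = "none"    # "gpc", "form", or "none"


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """Step 1: recognize the signal. GPC sends the request header 'Sec-GPC: 1'.
    Header names are case-insensitive, so normalize before lookup."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("sec-gpc", "").strip() == "1"


def parse_state(cookie_header: Optional[str]) -> OptOutState:
    """Step 3 (read side): recover the persisted state from the Cookie header."""
    if not cookie_header:
        return OptOutState()
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == OPT_OUT_COOKIE:
            flags = dict(item.split(":", 1) for item in value.split(",") if ":" in item)
            return OptOutState(sale=flags.get("sale") == "1",
                               share=flags.get("share") == "1",
                               source=flags.get("src", "none"))
    return OptOutState()


def resolve_state(headers: Mapping[str, str], cookie_header: Optional[str]) -> OptOutState:
    """Combine a GPC signal with any stored preference. A stored opt-out is never
    downgraded: GPC only adds opt-outs, and a later request without the header
    does not revoke one already on file."""
    stored = parse_state(cookie_header)
    if gpc_signal_present(headers):
        if stored.sale and stored.share:
            return stored                 # already fully opted out; keep its source
        return OptOutState(sale=True, share=True, source="gpc")
    return stored


def set_cookie_header(state: OptOutState) -> str:
    """Step 3 (write side): persist the state so it survives the session."""
    value = f"sale:{int(state.sale)},share:{int(state.share)},src:{state.source}"
    return f"{OPT_OUT_COOKIE}={value}; Max-Age={COOKIE_MAX_AGE}; Path=/; Secure; SameSite=Lax"


def status_view(state: OptOutState) -> dict:
    """Steps 2 and 4: the confirmation shown to the user and the data a
    status endpoint returns when the user checks later."""
    honored = state.sale or state.share
    return {"message": STATUS_HONORED if honored else STATUS_NONE,
            "opt_out_of_sale": state.sale, "opt_out_of_sharing": state.share,
            "source": state.source}


def handle_request(headers: Mapping[str, str], cookie_header: Optional[str] = None) -> dict:
    """Per-request flow: resolve state, emit Set-Cookie only if it changed, render status."""
    before = parse_state(cookie_header)
    after = resolve_state(headers, cookie_header)
    response = {"status": status_view(after)}
    if after != before:
        response["set_cookie"] = set_cookie_header(after)
    return response
```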

3. Extended Timeline for Requests to Know

Consumers submitting requests to know (also called data access requests or subject access requests) now have significantly expanded rights. Previously, businesses could limit responses to the 12 months preceding the request.

The New Lookback Requirement

The updated regulations require that businesses provide access to personal information going back to January 1, 2022, to the extent they retain such information. This means:

  • If a business retains personal information for 36 months, a consumer’s request to know in 2026 must include data from January 2022 forward
  • The lookback period will continue expanding until it reaches the business’s maximum retention period
  • Businesses cannot arbitrarily limit responses to 12 months if they actually retain data longer

Practical Implications

This change has significant operational implications:

Data Retrieval Systems:

  • Systems must be capable of retrieving historical data across extended timeframes
  • Archived data must remain accessible for consumer requests
  • Legacy systems or data migrations must preserve accessibility

Response Complexity:

  • Longer data histories mean more voluminous responses
  • Businesses must ensure they can deliver comprehensive responses within the 45-day response timeline (with possible 45-day extension)
  • Data mapping must account for historical data locations and formats

Retention Policy Alignment:

  • This requirement creates tension between keeping data for consumer access rights and data minimization principles
  • Businesses must balance privacy-by-design concepts (minimizing data retention) with the need to provide comprehensive access
  • Data retention schedules should be documented and defensible

For businesses with comprehensive state privacy law compliance obligations across multiple jurisdictions, California’s extended lookback requirement may represent the most demanding standard.

4. Enhanced Requirements for Requests to Correct

The new regulations significantly strengthen consumer correction rights under § 7023(i). When a business receives a request to correct inaccurate personal information, new disclosure obligations apply.

Source Identification Requirement

Businesses must now either:

Option 1: Inform the Consumer

  • Provide the consumer with the name of the source from which the inaccurate information originated
  • This applies even if the business didn’t create the inaccurate data itself

Option 2: Inform the Source

  • Notify the original source that the information is incorrect
  • Inform the source that the data must be corrected
  • Document this notification

Why This Matters

This requirement addresses a critical weakness in data correction rights. Previously, businesses could correct data in their own systems but had no obligation to address the source of ongoing inaccurate data. This led to situations where:

  • Corrected data would be overwritten by subsequent feeds from the original source
  • Consumers had to submit multiple correction requests as inaccurate data reappeared
  • The original source of misinformation was never notified or corrected

The new rule creates accountability throughout the data ecosystem. Particularly for businesses that obtain personal information from data brokers, this requirement adds operational complexity but significantly enhances data accuracy.

Implementation Challenges

Tracking Data Lineage:

  • Businesses must maintain records of data sources for each data element
  • Data mapping and data flow documentation becomes critical for correction request compliance
  • Systems must be able to trace information back to its origin

Vendor Management:

  • Data processing agreements must address correction notification obligations
  • Businesses must establish protocols for notifying vendors and data suppliers
  • Contracts should include response times for source corrections

Documentation Requirements:

  • Each correction request must document either consumer notification of source or source notification
  • Records must demonstrate compliance with whichever option the business selected

5. Maintaining Data Accuracy Over Time

Section 7023(c) introduces an ongoing obligation that extends beyond the initial correction: businesses must ensure that corrected information remains corrected. This addresses a common problem where corrections are implemented but later overridden.

The Data Broker Challenge

The regulations specifically call out a common scenario: businesses that receive regular data feeds from data brokers or other third-party sources. The requirement:

  • If a consumer requests correction and the business honors it, that correction must persist
  • When the business receives subsequent data updates from brokers or other sources, it must prevent those updates from overriding the correction
  • The business must implement technical and procedural safeguards to maintain data accuracy

Technical Solutions

Businesses typically need to implement:

Data Quality Flags:

  • Mark corrected fields in databases with special flags indicating consumer correction
  • Configure data ingestion processes to preserve flagged corrections
  • Implement exception handling for correction-protected fields

Prioritization Rules:

  • Establish data hierarchy rules that prioritize consumer-corrected data over vendor-supplied data
  • Create conflict resolution processes when new data contradicts corrections
  • Document the business logic for handling data conflicts

Monitoring and Alerts:

  • Implement monitoring to detect when corrections might be at risk of override
  • Create alerts when incoming data would overwrite consumer corrections
  • Establish review processes for potential data quality conflicts
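The data quality flags, prioritization rule and alerting described above, combined in one ingestion routine, as an added example that is not part of the original article. The record layout, the source labels and the sample field values are constructed for illustration.

```python
"""Keep consumer corrections from being overwritten by later third-party feeds
(added example; record layout, source labels and sample values are
constructed assumptions, not regulatory text or vendor code)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Any, Dict, List, Optional, Tuple

CONSUMER_SOURCE = "consumer-correction"


@dataclass
class DataField:
    value: Any
    source: str                        # e.g. "broker:constructed"
    consumer_corrected: bool = False   # data quality flag protecting the field
    corrected_on: Optional[date] = None


@dataclass
class Alert:
    """Raised when an inbound feed would have overwritten a protected field."""
    consumer_id: str
    field_name: str
    protected_value: Any
    incoming_value: Any
    incoming_source: str


@dataclass
class ConsumerRecord:
    consumer_id: str
    fields: Dict[str, DataField] = field(default_factory=dict)

    def apply_correction(self, name: str, new_value: Any, on: date) -> None:
        """Honor a request to correct: store the value and flag the field."""
        self.fields[name] = DataField(new_value, CONSUMER_SOURCE, True, on)

    def merge_feed(self, feed: Dict[str, Any], feed_source: str) -> List[Alert]:
        """Prioritization rule: consumer-corrected fields win over vendor data.
        Unprotected fields take the feed value; protected fields are skipped, and
        a feed value that still conflicts with the correction raises an Alert."""
        alerts: List[Alert] = []
        for name, incoming in feed.items():
            current = self.fields.get(name)
            if current is not None and current.consumer_corrected:
                if incoming != current.value:   # source still carries the stale value
                    alerts.append(Alert(self.consumer_id, name, current.value,
                                        incoming, feed_source))
                continue                         # exception: never overwrite a correction
            self.fields[name] = DataField(incoming, feed_source)
        return alerts


def demo() -> Tuple[ConsumerRecord, List[Alert], List[Alert]]:
    """Constructed scenario: a correction followed by two broker refreshes."""
    rec = ConsumerRecord("c-001")
    rec.merge_feed({"postal_code": "90001", "phone": "555-0100"}, "broker:constructed")
    rec.apply_correction("postal_code", "90210", date(2026, 1, 15))
    # Next refresh still carries the old postal code plus a new phone number.
    first = rec.merge_feed({"postal_code": "90001", "phone": "555-0199"}, "broker:constructed")
    # A later refresh where the broker has caught up produces no alert.
    second = rec.merge_feed({"postal_code": "90210"}, "broker:constructed")
    return rec, first, second
```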

This requirement reflects California’s increasingly sophisticated approach to data privacy compliance, recognizing that privacy rights must be implemented through ongoing technical controls, not just one-time responses.

6. Consumer Statements for Contested Health Data

Section 7023(f)(3) creates a unique new right specific to health information. When a business denies a consumer’s request to correct health information, the consumer may submit a written statement contesting the accuracy.

The Statement Right

Consumer Rights:

  • Submit a statement of up to 250 words contesting the health information’s accuracy
  • Request that this statement be made available to anyone who received the contested information

Business Obligations:

  • Accept and retain the 250-word consumer statement
  • Upon consumer request, provide the statement to any person or entity to whom the business previously disclosed the contested information
  • Maintain records of where contested health information was disclosed

Why This Matters

This provision recognizes that health information is particularly sensitive and that disagreements about accuracy can have significant consequences. The right to attach a statement is modeled on similar rights under HIPAA and state medical records laws, but extended to the broader category of health information under California law.

Covered Health Information Includes:

  • Medical records and diagnoses
  • Prescription and medication information
  • Health insurance information
  • Biometric health data from wearables and apps
  • Mental health information
  • Genetic data
  • Any information about past, present, or future physical or mental health

For businesses in healthcare, health technology, employee wellness monitoring, or any sector processing health-related data, this creates new operational requirements.

Implementation Requirements

Statement Management System:

  • Mechanism for consumers to submit 250-word statements
  • Database for storing statements linked to contested health records
  • Processes for including statements when disclosing the underlying data

Disclosure Tracking:

  • Maintain detailed records of all disclosures of health information
  • Be able to identify recipients of specific health data elements
  • Implement processes for providing consumer statements to past recipients

Response Procedures:

  • Evaluate health data correction requests under appropriate standards
  • Document reasons for denial if correction request is rejected
  • Notify consumers of their right to submit a 250-word statement
  • Implement the statement within required timeframes

7. Youth Data Classified as Sensitive Personal Information

One of the most significant substantive changes: personal information of consumers under 16 years old is now categorized as sensitive personal information under the CCPA. This dramatically expands privacy protections for minors.

What This Change Means

Sensitive Personal Information Status:

  • All personal information about individuals under 16 is now “sensitive personal information”
  • This triggers the right to limit use and disclosure
  • Businesses must honor requests to limit processing of youth data

Right to Limit Implications: When processing personal information of consumers under 16, businesses must:

  • Only use it for purposes enumerated in § 7027(m) (permitted purposes), OR
  • Honor consumer requests to limit use and disclosure to permitted purposes only

The Permitted Purposes Under § 7027(m)

Businesses can process sensitive personal information (including all data about minors) without triggering the right to limit only for these purposes:

  1. Performing services reasonably expected by consumers
  2. Detecting security incidents and protecting against malicious activity
  3. Debugging and error correction
  4. Short-term, transient use
  5. Performing services on behalf of the business
  6. Quality and safety verification
  7. Providing advertising or marketing (if not cross-context behavioral advertising)
  8. Undertaking internal research for technological development
  9. Undertaking activities to verify or maintain quality or safety

If a business uses youth data for purposes outside this list, such as selling or sharing for cross-context behavioral advertising, it must provide a clear method for limiting such uses.

Practical Compliance Steps

Age Detection:

Use Limitation:

  • Audit current uses of data from users under 16
  • Ensure uses align with permitted purposes under § 7027(m)
  • Implement controls to prevent impermissible uses of youth data

Right to Limit Interface:

  • Provide clear mechanism for consumers (or their parents) to request limitation
  • Implement the “Limit the Use of My Sensitive Personal Information” link
  • Honor limitation requests within required timeframes

COPPA Coordination:

  • This CCPA requirement operates alongside federal Children’s Online Privacy Protection Act requirements
  • For users under 13, both COPPA parental consent and CCPA sensitive data protections apply
  • Ensure compliance systems address both frameworks

This change reflects California’s strong policy position that children’s privacy deserves heightened protection, consistent with recent legislative trends expanding youth privacy protections.

Additional Compliance Deadlines and Requirements

The CPPA’s guidance notes that the seven items above are not exhaustive. Businesses should be aware of additional requirements that may apply:

Cybersecurity Audits

For certain businesses, particularly those processing significant volumes of personal information or operating in high-risk sectors, cybersecurity audits may be required. These audits must:

  • Assess the business’s cybersecurity practices
  • Evaluate compliance with reasonable security requirements
  • Be conducted by qualified independent auditors
  • Be updated periodically based on risk

For businesses subject to other security frameworks like NYDFS Cybersecurity Regulation, coordination between compliance programs is essential.

Automated Decision-Making Technology

Beyond the risk assessment requirement, businesses using automated decision-making technologies face additional obligations:

  • Notice requirements informing consumers about automated decisions
  • Rights to opt-out of certain automated profiling
  • Access rights specific to automated decision-making logic
  • Non-discrimination protections

For comprehensive guidance, see our analysis of AI governance requirements and AI chatbot compliance.

Data Broker Registration

Businesses meeting California’s data broker definition must register with the CPPA and comply with specific disclosure and consumer rights obligations.

Enforcement and Penalties

The CPPA continues to demonstrate its commitment to active enforcement. Businesses should note:

Civil Penalties:

  • Up to $2,500 per violation
  • Up to $7,500 per intentional violation or violations involving minors
  • Penalties can accumulate quickly across multiple consumers

Private Right of Action:

  • For certain data breaches, consumers can sue directly
  • Statutory damages of $100-$750 per consumer per incident

Recent Enforcement Examples: As detailed in our analysis of CPPA enforcement actions, the agency is actively investigating and bringing enforcement actions, including recent settlements with major retailers.
Preparing for January 1, 2026: An Action Plan

With the effective date approaching, businesses should take immediate steps:

Q4 2025 (Now)

Assessment Phase:

  • Conduct comprehensive audit of current CCPA compliance status
  • Identify gaps relative to January 2026 requirements
  • Review all processing activities requiring risk assessments
  • Inventory data flows from third-party sources (particularly data brokers)
  • Assess current age detection and youth data handling practices

Planning Phase:

  • Develop risk assessment templates and processes
  • Design opt-out status verification mechanisms
  • Enhance data subject access request systems for extended lookback
  • Plan correction request process updates
  • Map data sources for correction obligation compliance

November-December 2025

Implementation Phase:

  • Deploy technical solutions for maintaining corrected data
  • Implement opt-out status verification features
  • Update privacy notices and disclosures
  • Configure systems to flag youth data as sensitive
  • Establish right to limit mechanisms for sensitive data

Testing Phase:

  • Test consumer rights request workflows
  • Verify opt-out confirmation mechanisms work correctly
  • Validate data correction persistence across data updates
  • Test youth data controls and limitations
  • Conduct user acceptance testing on new features

January 2026 and Beyond

Launch and Monitor:

  • Activate all new compliance features January 1, 2026
  • Monitor consumer rights requests for issues
  • Track metrics on request volumes and response times
  • Document risk assessments for all qualifying activities
  • Establish ongoing review cycles for compliance

Continuous Improvement:

  • Gather feedback on new processes
  • Refine workflows based on operational experience
  • Monitor CPPA guidance and enforcement actions
  • Update privacy compliance programs based on evolving requirements

Coordination with Other Privacy Laws

California businesses subject to multiple privacy regimes should coordinate compliance efforts:

State Privacy Laws: The U.S. now has comprehensive privacy laws in multiple states. Many requirements similar to these California updates are emerging in:

  • Virginia Consumer Data Protection Act (VCDPA)
  • Colorado Privacy Act (CPA)
  • Connecticut Data Privacy Act (CTDPA)
  • Utah Consumer Privacy Act (UCPA)
  • And many others taking effect in 2025-2026

Federal Privacy Laws:

  • COPPA requirements for users under 13
  • HIPAA for covered entities and business associates
  • GLBA for financial institutions
  • Sector-specific requirements

International Privacy Laws:

  • GDPR for businesses with EU operations or EU customer data
  • Other international frameworks requiring coordination

The most effective compliance strategies identify common requirements across frameworks and implement unified solutions rather than creating siloed compliance programs for each law.

The Broader Context: California’s Privacy Leadership

These updates reflect California’s continuing evolution as the de facto national privacy standard. The state has:

  1. Expanded from basic notice and choice to comprehensive privacy governance
  2. Moved from reactive compliance to proactive privacy program requirements
  3. Strengthened consumer rights with verification and transparency mechanisms
  4. Enhanced protections for vulnerable populations (minors)
  5. Addressed real-world data accuracy challenges in the broker ecosystem

As noted in our analysis of comprehensive privacy law development, California continues to set trends that other states follow. Businesses should view CCPA compliance not as a California-specific obligation but as preparation for nationwide privacy requirements.

Get Guidance on 2026 CCPA Compliance

The January 1, 2026 updates represent the most significant expansion of CCPA obligations since the CPRA amendments took effect in 2023. From mandatory risk assessments to extended data access rights to youth data protections, businesses face complex new requirements with potentially significant penalties for non-compliance.

Preparing for these changes requires:

  • Technical implementation across data systems and consumer-facing interfaces
  • Process development for risk assessments, corrections, and enhanced consumer rights
  • Policy updates reflecting new obligations
  • Training for teams handling consumer requests
  • Ongoing monitoring and compliance management

Don’t wait until January 2026 to start preparing. The technical and operational changes required for compliance take time to implement properly.

How We Can Help

RICHT provides comprehensive privacy compliance services, including:

Contact us to discuss your specific compliance needs and ensure your business is ready for the 2026 updates.

This article provides general information about California privacy law developments and should not be construed as legal advice. Privacy compliance requirements vary based on your specific business model, data practices, and jurisdictions. Consult with legal counsel to address your particular compliance needs.