What Businesses Must Know About CCPA/CPRA’s Next Phase

Michael Lucas | 4/29/2026

Businesses across all industries can take steps to align CCPA/CPRA requirements with existing regulations while strengthening governance and documentation.


CCPA risk assessments and CPRA cybersecurity audits raise compliance expectations. Is your organization ready?

The state of California’s privacy law continues to evolve, and the next phase of the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), introduces significant new compliance obligations for businesses. Beginning in 2026, certain organizations must conduct formal privacy risk assessments for high-risk data processing activities, followed by mandatory cybersecurity risk audits starting in 2027. These requirements reflect a shift toward more proactive governance, accountability, and documentation of how companies manage consumer data.

Understanding how these obligations work – and how they interact with existing financial services regulations such as the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA) – is critical for organizations preparing their privacy and cybersecurity programs for the years ahead.


At a glance

  • Effective Jan. 1, 2026: Certain businesses must complete privacy risk assessments under regulations promulgated by the California Privacy Protection Agency (CPPA) pursuant to the CCPA as amended by the CPRA.
  • Effective April 1, 2027: Certain businesses must perform a cybersecurity risk audit under CCPA as amended by CPRA.

The following compares the CCPA as amended by CPRA, the privacy risk assessment, and the CCPA cybersecurity audit side by side.

At a glance

CCPA, as amended by CPRA: The CCPA is a privacy law that establishes protections for California consumers. The CPRA is an amendment to CCPA that broadens protections to individuals beyond customers, such as employees and job applicants. The CPPA is the enforcement body for the CCPA/CPRA.

Privacy risk assessment: A privacy risk assessment is a mandatory privacy analysis of each high-risk data processing activity. The purpose is to evaluate the risks of personal data processing and to stop the processing activity or mitigate risk as appropriate.

CCPA cybersecurity audit: A CCPA cybersecurity audit is a requirement to complete a periodic cybersecurity audit of the organization, following, at a minimum, a set of prescribed controls.

Defined

CCPA, as amended by CPRA: The CCPA (Cal. Civ. Code Section 1798.100 et seq.) is amended by the CPRA (Proposition 24) and is implemented through regulations adopted by the CPPA.

Privacy risk assessment: A privacy risk assessment is a documented assessment that evaluates whether processing of personal information presents significant risk to consumers’ privacy or security, including weighing benefits against risks to consumer rights. It often is referred to in regulations as a risk assessment for high-risk processing activities.

CCPA cybersecurity audit: A CCPA cybersecurity audit is a documented audit required for businesses whose processing presents significant risk to consumers’ security. It is focused on evaluating the effectiveness of technical and organizational safeguards protecting personal information.

Applicability

CCPA, as amended by CPRA: The CCPA applies to businesses in California that meet one or more criteria:

  • Earn revenue over $25 million
  • Buy, sell, or share personal information of 100,000 or more California residents or households annually
  • Derive 50% or more of annual revenues from selling or sharing personal information

Privacy risk assessment: A privacy risk assessment is required for businesses whose processing activities present significant risk to consumers’ privacy, including:

  • Processing sensitive personal information
  • Large-scale profiling or automated decision-making
  • Selling or sharing personal information
  • Using personal information for behavioral advertising
  • Processing large volumes of personal information

CCPA cybersecurity audit: A CCPA cybersecurity audit applies to businesses operating in California that meet one or more criteria:

  • Report that 50% or more of revenue comes from selling or sharing consumer personal data, or
  • Earn revenue over $25 million and handle personal information of 250,000 California consumers and households, or
  • Handle sensitive personal information of 50,000 or more California consumers and households

Effective dates

CCPA, as amended by CPRA: The CCPA became effective Jan. 1, 2020. CPRA amendments became effective Jan. 1, 2023, with lookback to Jan. 1, 2022, for certain data.

Privacy risk assessment: This requirement became effective Jan. 1, 2026. Risk assessments must be completed for in-scope high-risk processing activities and updated periodically (for example, annually or upon material changes to processing).

CCPA cybersecurity audit: This requirement becomes effective April 1, 2027. Cybersecurity risk audits must be performed and updated on a regular cadence (for example, annually or as required by regulation), and documentation must be maintained for regulatory review.

Actions required

CCPA, as amended by CPRA: Organizations must establish an enterprisewide privacy governance program addressing notice, consumer rights, data minimization, purpose limitation, and vendor management. Organizations can perform a privacy gap assessment to evaluate the current state and strategically plan for compliance improvement and program maturity.

Privacy risk assessment: Organizations should establish a privacy risk assessment program, focused on personal data processing, inclusive of:

  • Data inventory and mapping, including sensitive personal information
  • Identification of high-risk processing activities
  • Documented balancing test, for example, benefits versus risks to consumers
  • An assessment of safeguards mitigating identified risks
  • Integration with product development and change management
  • Board or executive oversight and documentation retention

CCPA cybersecurity audit: Organizations should plan and execute an independent cybersecurity audit of the company’s people, processes, and technology, inclusive of:

  • An enterprise cybersecurity audit aligned to a recognized framework, such as the National Institute of Standards and Technology Cybersecurity Framework, and inclusive of CPPA-prescribed controls
  • An evaluation of administrative, technical, and physical safeguards
  • Testing of specific evidence-based controls such as access controls, encryption, incident response, and vendor security
  • A senior management-authored attestation letter submitted to the CPPA that describes the approach and confirms that results are understood and being addressed

How the CCPA/CPRA compares to GLBA and FCRA

For financial services organizations, the CCPA/CPRA operates alongside – not in place of – GLBA and FCRA. GLBA focuses primarily on the protection and disclosure of nonpublic personal information within financial services organizations and emphasizes privacy notices and safeguarding requirements via the Safeguards Rule. FCRA governs the collection, use, and sharing of consumer report information and applies primarily to consumer reporting agencies and users of consumer reports.

CCPA/CPRA, by contrast, is broader in scope and consumer-rights driven. It grants California residents affirmative rights, such as access, deletion, and correction, that extend beyond GLBA’s notice-based framework.

Certain data regulated by GLBA or FCRA might be exempt from CCPA/CPRA. These exemptions are limited and activity-specific, meaning financial services organizations often still maintain significant categories of personal information that remain fully subject to CCPA/CPRA, such as marketing, website tracking, and human resources data.

GLBA exemption

The GLBA exemption applies to personal information collected, processed, sold, or disclosed pursuant to the GLBA and its implementing regulations. It is important to note that the GLBA exemption is only applicable if the data is used for a financial product or service. Data collected for other purposes, such as marketing, is not exempt and is subject to compliance with CCPA.

  • Exempt data example: Personal information used to underwrite, service, or manage an existing loan
  • Non-exempt data example: Personal information obtained from third parties for marketing purposes

FCRA exemption

The FCRA exemption applies to personal information collected, processed, sold, or disclosed pursuant to FCRA. The exemption generally applies to personal information that is part of a consumer report or used for FCRA-regulated purposes, such as credit eligibility determinations. If the same personal information is used outside of an FCRA-regulated purpose, it may still be subject to CCPA/CPRA requirements.

  • Exempt data example: Credit report information used to evaluate a consumer’s eligibility for credit
  • Non-exempt data example: Consumer information originally obtained from a credit bureau but later used for marketing or analytics purposes unrelated to credit eligibility

In short, GLBA and FCRA are sector-specific and safeguard-focused; CCPA/CPRA is rights-based, broader in scope, and increasingly risk assessment-driven. For financial services organizations, compliance maturity under GLBA and FCRA provides a strong foundation, but it is not sufficient to meet CPRA’s expanded governance and documentation expectations.

Discover how Crowe cybersecurity specialists help organizations like yours update, expand, and reinforce protection and recovery systems.


Angie Hipsher-Williams
Managing Principal, Cyber Consulting
Josh Reid
Principal, Cyber Consulting