
CCPA Compliance California: 2026 Updates and Business Obligations
Doing Business in CALIFORNIA? CCPA Is Here to Stay
If you’re operating any part of your business in California, there’s a new acronym to learn: CCPA. And it’s here to stay. It stands for the California Consumer Privacy Act, and it affects how businesses collect, use, and disclose personal information. California has always led the nation in privacy protections, and its laws continue to evolve with new compliance requirements for businesses of all sizes.
What Is the CCPA?
Many California companies are already painfully aware of the CCPA. Few outside the state who do business there are fully prepared for it—and all will regret being unprepared.
Insurance professionals working with California-based clients and those doing business in California should be discussing compliance with clients urgently.
The California Consumer Privacy Act (CCPA) was passed on June 28, 2018, and took effect on January 1, 2020. It provides privacy rights for consumers and forces companies that conduct business in California to implement fundamental changes to their privacy programs. For many insured clients who may not even have a privacy program in place, it is mission-critical from a risk management perspective.
California consumers now have rights somewhat similar to those provided in the European Union’s General Data Protection Regulation (GDPR), including:
The right to know what personal information is collected
The right to access that information
The right to request deletion of personal information
The right to opt out of the sale or sharing of personal information
The CCPA allows fines of up to $2,500 per violation and $7,500 per intentional violation, with no cap on the total amount of fines. The law also provides a period of 30 days to cure alleged violations before fines can be assessed.
How the EU Made Privacy Urgent
When the EU introduced the GDPR, it published guidelines and sizable fines well in advance to ensure compliance would be taken seriously. Fines under GDPR can reach as high as 2–4% of global revenue, and enforcement actions have followed swiftly. Early GDPR fines, such as the €50M penalty against Google in 2019, underscored the seriousness of these new obligations and set a precedent for privacy enforcement worldwide.
The CCPA modeled some of its consumer privacy protections on GDPR’s principles, and California’s enforcement landscape has continued to evolve in ways that reflect global privacy trends.
What Does California Do to Businesses in Violation?
The CCPA allows state enforcement of privacy requirements and empowers California consumers to bring certain actions. The ability to cure violations within 30 days is intended to give businesses a chance to fix problems before fines are imposed. However, the law’s enforcement mechanisms and expanded 2026 regulations mean businesses must act proactively to avoid risk.
2026 Status: CCPA’s Evolving Requirements
As of 2026, the CCPA continues to grow beyond its original framework. Recent regulatory changes enacted by the California Privacy Protection Agency (CPPA) extend and clarify compliance obligations for businesses handling California residents’ data:
Updated Regulations Effective January 1, 2026
California finalized updated CCPA regulations effective January 1, 2026. These updates strengthen existing compliance obligations and introduce new requirements. New provisions businesses must prepare for include mandatory risk assessments, enhanced transparency requirements, and expanded consumer rights processes.
Risk Assessments and Cybersecurity Audits
Under the updated regulations, businesses must conduct risk assessments for processing activities that present a significant risk to consumer privacy. Certain risk assessment documentation and attestation summaries must be submitted to the CPPA by April 1, 2028. Larger organizations may also be required to undergo cybersecurity audits and submit certifications of completion.
Expanded Consumer Rights and Opt-Out Mechanisms
The updated CCPA regulations clarify consumer access rights, including:
More detailed privacy policy disclosures
Meaningful opt-out mechanisms, such as confirmations for opt-out requests
Global Privacy Control (GPC) preferences honored by businesses
Access to historical data back to January 1, 2022
These changes reflect a broader trend toward enhancing consumer control and transparency over personal data.
New Tools Like DROP
In 2026, California launched the Delete Request and Opt-out Platform (DROP), which allows residents to submit a single request for data brokers to delete their personal information. Registered data brokers must begin processing these requests starting August 1, 2026, and must comply within prescribed time frames.
These ongoing updates underscore that CCPA compliance is not a one-time effort but a continuous process.
What Can Trusted Advisors Do?
All professional advisors should:
Offer privacy risk assessments and educate clients about privacy regulations
Encourage adoption of cybersecurity best practices such as documented privacy policies, data inventories, and risk management strategies
Drive executive-led cybersecurity initiatives that encompass workforce training and documented planning
Advocate for risk transfer strategies and robust incident response plans
Clients often do some degree of business with California companies or interact with Californians’ personal information. Helping them understand their compliance obligations not only strengthens their privacy posture but also reduces potential liability.
Don’t leave clients uninformed. tekrisq can help you assess CCPA exposures and propose strategies that clients can put into place now to meet ongoing and future compliance requirements.
tekrisq can help
tekrisq helps small and mid-sized businesses understand application security as part of a broader, risk-based cybersecurity strategy.
Rather than focusing only on tools, tekrisq evaluates how applications are built, deployed, and maintained. Application security risks are often uncovered during a vulnerability assessment, helping organizations prioritize remediation based on real-world impact.
