The CCPA’s new risk assessment regulations take effect on January 1, 2026. Here’s where to start.
In our November Update on the CCPA risk assessment regulations, we outlined the key topics that businesses must include in their CCPA Risk Assessments. We created a new CCPA Risk Assessment Template to help companies assess their risk and prepare for the updates. We’ve also put together some to-dos so you can take action.
CCPA Risk Assessments: To-Dos
The CCPA risk assessment regulations require businesses to undertake three high-level activities:
- Risk Assessment (RA): An internal privacy risk assessment by the business that covers a list of mandatory elements set out in the regulations.
- Risk Assessment Report (RA Report): Documentation of the business’s RA, which must include all of the required elements set forth in CCPA regulation §7152, except two: (1) the benefits of the processing to consumers, the business, and other stakeholders, and (2) the negative impacts of the processing to the stakeholders.
- Annual Executive Submission (Exec Submission): A summary of a business’s RAs conducted in the previous calendar year. These submissions are due annually on April 1, beginning in 2028.
Timing Requirements
Timing for RAs
- Beginning January 1, 2026, CalPrivacy or the California Attorney General can require businesses to produce their RA Reports upon demand, and they must provide them within 30 calendar days. This is the main reason why businesses should begin conducting their RAs in 2026.
- For RA-covered processing activities initiated on or after January 1, 2026, businesses must conduct an RA before beginning the processing. This is yet another reason not to wait.
- For RA-covered processing activities initiated prior to January 1, 2026, and that continue after that date, businesses must conduct an RA no later than December 31, 2027.
Timing for CalPrivacy Exec Submissions
Separately from the RA and RA Reports, the regulations require businesses to submit an annual Exec Submission to CalPrivacy’s website. The Exec Submission is a summary report of the business’s RAs conducted in the previous year.
An Exec Submission for RAs conducted in 2026 and 2027 must be submitted no later than April 1, 2028. Submissions for RAs conducted after 2027 must be completed no later than April 1 following any year during which the business conducted the RAs. For example, for RAs conducted in 2028, the business must submit to CalPrivacy no later than April 1, 2029.
Exec Submissions must be filed by a member of the business’s executive management team who has knowledge of the RAs. CCPA regulation §7157(c) requires the submission to be made – and attested to under penalty of perjury – by a member of the business’s executive management team who:
- Is directly responsible for the business’s risk-assessment compliance;
- Has sufficient knowledge of the business’s risk assessment to provide accurate information; and
- Has the authority to submit the risk assessment information to CalPrivacy.
The New SafeGuard Privacy California Risk Assessment Template
To assist with RAs, our legal content team developed a comprehensive California Risk Assessment Template. This template includes:
- Each of the required elements from CCPA regulation §7152 that must be covered by the RA
- Detailed instructions for completing the RAs and Exec Submissions
Next Steps:
The new CCPA risk assessment regulations are substantial and detailed. Businesses should begin working on their RAs early in 2026, especially for new processing activities and those that involve a material change to existing processing activities.
Interested in the template? Contact us or schedule a demo to get started today.