Key Takeaways:
- The California Privacy Rights Act now requires documented risk assessments for high-risk data activities.
- Businesses must disclose the use of automated decision-making and provide opt-outs.
- Risk assessment and automated decision-making technology compliance are enforceable as of 2026.
—
The California Privacy Rights Act (CPRA) expanded and amended the original California Consumer Privacy Act (CCPA), and several of its most impactful changes are now in effect. As of January 1, 2026, organizations that meet the CPRA thresholds are required to conduct privacy risk assessments and provide disclosures related to automated decision-making technologies (ADMT).
The original CCPA regulations and the initial set of CPRA amendments were implemented with more extended transition periods between adoption and enforcement, allowing organizations meaningful time to prepare for compliance. In contrast, the most recent CPRA regulatory amendments became effective on a much shorter timeline and are already enforceable — providing significantly less runway for implementation.
This article outlines the conditions that trigger mandatory risk assessments and ADMT compliance, explains the implications for your organization, and provides guidance on approaching these tasks in a way that supports long-term compliance and operational clarity.
Background: Risk Assessments and ADMT Requirements
The CPRA places new responsibilities on businesses that process personal data in ways that could significantly affect consumers. This includes profiling, behavioral targeting, and the use of sensitive information such as health, financial, or geolocation data. Businesses using algorithms or systems that automate decisions about eligibility, pricing, or access to goods and services are also subject to the law.
Under Article 10 of the CPRA regulations, businesses must conduct a risk assessment before initiating processing activities that present significant risk to consumers’ privacy, including:
- Selling or sharing personal information
- Processing sensitive personal information (except for limited employment-related purposes like payroll or benefits)
- Using ADMT for significant decisions about consumers
- Using automated processing to infer or extrapolate characteristics (e.g., intelligence, health, preferences) based on (1) employment or educational context, or (2) presence in sensitive locations
- Processing personal information to train ADMT or biometric technologies (e.g., facial recognition, emotion recognition)
These assessments must identify the risks such processing poses to individuals, weigh those risks against the potential benefits to the business and society, and describe the steps taken to mitigate harm. Importantly, these assessments are not one-time documents; they must be maintained, updated as the processing changes, and made available to the California Privacy Protection Agency (CPPA) upon request.
In parallel, Article 11 sets out new obligations for businesses using ADMT. These obligations apply when a system is used to make significant decisions about consumers and replaces, or substantially replaces, human decision-making. Before using ADMT, companies must disclose the use of such systems, explain how the technology works in plain terms, and in many cases provide consumers with the ability to opt out.
These rules are now active and part of the broader privacy framework in California.
What This Means for Your Organization
For-profit organizations that meet the CPRA applicability thresholds (more than $26.625 million in annual gross revenue, buying, selling, or sharing the personal information of 100,000 or more California consumers or households, or deriving 50% or more of annual revenue from selling or sharing consumers’ personal information) are covered businesses for purposes of privacy compliance. Covered‑business status alone does not trigger the risk‑assessment or ADMT obligations; those attach only to the specific processing activities listed above. Covered businesses should therefore inventory their processing against that list and prepare accordingly.
In practical terms, if your organization engages in any processing that triggers a risk assessment or ADMT compliance, you should already be able to demonstrate the following:
- That privacy risk assessments have been completed for any high-risk data use
- That those assessments are documented, reviewed internally, and stored for future access
- That the use of automated systems for decisions affecting consumers is clearly disclosed
- That opt-out processes are available and functioning as intended
The CPPA has the authority to investigate and enforce these requirements, and civil penalties may apply for violations. These new mandates reflect a broader shift toward transparency and accountability in data use — one that affects not only how businesses collect information but also how decisions are made with it.
Approaching Compliance in Practice
Organizations vary widely in their capacity to manage privacy risk internally. While some have dedicated privacy officers or compliance teams, others are only beginning to integrate privacy into their broader governance strategy. Regardless of where your business falls on that spectrum, a structured approach can help bring clarity to the process.
One of the first steps is to take inventory of how personal data is used across your organization. This includes identifying all activities that involve selling or sharing personal information, processing sensitive personal information, or engaging in ADMT or profiling based on systematic observation. Even within the same company, different departments may have vastly different data practices — and risk levels.
Once these higher-risk uses are identified, your organization should develop a consistent framework for conducting and documenting risk assessments. The CPRA does not prescribe a particular format, but it does require that assessments articulate the specific purpose of the processing, identify the categories of personal and sensitive personal information involved, describe operational details, and weigh the benefits of the processing against reasonably foreseeable negative impacts to consumer privacy. This framework should be scalable and repeatable, since business practices evolve and assessments will need to be updated over time.
For organizations using automated decision-making systems, transparency is now a regulatory requirement. Disclosures should be presented in plain language and be available before or at the time data is collected. This may involve updating privacy notices, revising consent flows, or developing new user-facing content. Where opt-outs are required, a process for receiving and honoring those requests must be built and maintained in accordance with the CPRA’s requirements for clarity, ease of use, and avoidance of dark patterns.
Finally, all documentation, whether related to risk assessments or ADMT disclosures, should be treated as part of a broader compliance program. This means tracking when each document was last reviewed, who is responsible for maintaining it, and how it can be produced promptly in a regulatory inquiry.
Next Steps for Your Business
Compliance with Articles 10 and 11 of the CPRA is now part of doing business in California. These requirements change how organizations evaluate the risks of their data practices, how they communicate with consumers, and how they document internal decisions.
To begin evaluating your current position, ask:
- Have we identified and documented all data uses that may present significant risk?
- Have we conducted privacy risk assessments for those activities?
- Are we using automated decision-making systems in a way that affects consumers — and if so, have we disclosed that usage clearly?
- Are opt-out mechanisms in place, and are those requests being tracked?
If your organization is still developing responses to these questions, the time to act is now. Compliance is no longer a matter of preparation; it is a legal obligation, and enforcement is already underway. More importantly, getting it right today lays a foundation for transparency, accountability, and consumer trust going forward.
Whether you’re reviewing existing documentation or starting from the ground up, consider bringing together legal, compliance, privacy, and IT leadership to align a path forward. The sooner you formalize your approach, the better position you’ll be in to meet regulatory expectations with clarity and confidence.
How MGO Can Help
MGO’s IT Risk and Cybersecurity team helps organizations that handle California resident data understand where they stand before regulators start asking questions. As a California-rooted accounting and consulting firm operating under Public Company Accounting Oversight Board (PCAOB) and U.S. Securities and Exchange Commission (SEC)-level quality standards, we bring independence, rigor, and real-world perspective to privacy and cybersecurity assessments.
Our cybersecurity professionals are actively supporting companies as they evaluate their CPRA compliance posture and implement the cybersecurity audits and privacy risk assessment processes now required under the law. We help translate regulatory expectations into clear, defensible documentation and repeatable processes that support long-term compliance.
If you would like to confirm your current posture and identify potential gaps, reach out to our team today.