Now it’s personal: How the new CCPA regulations impose personal accountability on designated individuals

The California Office of Administrative Law recently approved the final California Consumer Privacy Act regulations on cybersecurity audits, risk assessments, and automated decision-making technology. These regulations represent a sea of change in U.S. privacy regulation in several respects. Perhaps most notably, the regulations impose a variety of obligations for businesses to designate certain individuals who are responsible for the business’s privacy, artificial intelligence, and cybersecurity practices. These individuals must also submit, under penalty of perjury, certain filings to the California Privacy Protection Agency. This personal aspect of the regulations will require companies to carefully consider which individuals to designate for these roles and how to ensure sufficient organizational support so that they can properly perform their designated roles. 

The new CCPA regulations will apply in phases over the next few years. Starting on 1 Jan. 2026, businesses will need to start performing risk assessments for new processing that presents significant risk to privacy or materially changes such existing processing activities. Businesses will need to comply with the ADMT requirements on pre-use notice, opt-out choice, and access by 1 Jan. 2027. Additionally, beginning 1 Jan. 2027, many businesses will enter the initial period subject to mandatory cybersecurity audits. Initial filings with CalPrivacy for certain risk assessments and cybersecurity audits are due no later than 1 April 2028. 

What are the qualifications and obligations for individuals submitting filings with CalPrivacy?