California’s landmark privacy law, the California Consumer Privacy Act (CCPA), underwent a major expansion that took effect January 1, 2026. Regulators have described these updates as the most significant change to the law since it was first enacted.

The new rules go well beyond consumer opt-outs and privacy notices. They introduce formal risk assessment requirements, recurring cybersecurity audits for certain businesses, and stricter oversight of artificial intelligence, sensitive data processing, and the handling of minors’ information.

For small and mid-sized businesses that collect large amounts of personal data, handle sensitive information, or use automated decision-making tools, this is a meaningful shift. Privacy compliance now requires deeper documentation, stronger technical safeguards, and executive-level accountability.

Here is what SMBs should know, now that the regulations are in effect.

What Has Changed Under CCPA?

The updated regulations expand the focus from transparency to accountability.

Consumer rights still matter. Businesses must continue to honor opt-outs, maintain data accuracy, manage sensitive personal information properly, and disclose how data is used.

The major change is this: certain businesses must now complete formal risk assessments for processing activities that present “significant risk” to consumer privacy. Some organizations must also conduct recurring cybersecurity audits.

These requirements apply not only to new projects, but also to existing data processing activities that meet the risk threshold. Companies cannot limit their review to future initiatives. They must evaluate what they are already doing with personal data.

Does This Apply to Your Business?

A key question for SMB leaders is whether their company meets the new thresholds.

A business is considered to present “significant risk” to consumers’ security if it:

  • Generated more than $25 million in annual gross revenue in the preceding year and processed the personal information of more than 250,000 consumers, or the sensitive personal information of more than 50,000 consumers; or
  • Derived 50 percent or more of its annual revenue from selling or sharing personal information.

For many mid-sized organizations, especially those involved in digital commerce, healthcare-adjacent services, SaaS platforms, or data-driven marketing, these thresholds may be closer than they appear.

Even if your company does not meet the cybersecurity audit requirement, you may still be required to conduct risk assessments based on how you process personal information.

What Triggers a Mandatory Risk Assessment?

Risk assessments are required for processing activities that present a significant privacy risk. Several common business practices fall into this category.

Selling or Sharing Personal Information

Businesses that sell or share consumer data, particularly within advertising or analytics ecosystems, must conduct formal assessments.

Processing Sensitive Personal Information

Sensitive personal information includes health data, precise geolocation, financial account details, biometric identifiers, and similar categories. Organizations handling this type of information at scale should assume assessment requirements may apply.

Automated Decision-Making Technology

If your business uses automated systems to make significant decisions about consumers, a risk assessment is required.

This may include:

  • Credit or lending decisions
  • Employment screening
  • Insurance eligibility
  • Service qualification determinations

The rules also apply to profiling individuals based on systematic observation, including job applicants, employees, students, or contractors.

Inference Based on Sensitive Locations

Automated processing tied to an individual’s presence at healthcare facilities, schools, shelters, legal service offices, or places of worship is specifically addressed in the regulations.

Training AI Systems

Using personal information to train automated decision-making systems, facial recognition tools, emotion recognition systems, or identity verification technologies also triggers a risk assessment.

For businesses experimenting with AI tools, this point is critical. The requirement applies not only when systems are deployed, but also during training and development.

What Must a CCPA Risk Assessment Include?

The regulations require a detailed, written analysis. A CCPA risk assessment must evaluate whether the privacy risks of processing outweigh the benefits to the business, consumers, stakeholders, and the public.

Each assessment must include:

1. Clear Purpose

A specific explanation of why personal information is being collected and used. Broad or generic descriptions are not acceptable.

2. Categories of Data

Identification of all categories of personal information involved, including sensitive data, along with documentation of data minimization practices.

3. Operational Details

Businesses must document:

  • How data is collected
  • How it is processed
  • How long it is retained
  • How consumers interact with the business
  • The approximate number of consumers affected
  • The categories of third parties involved

4. Automated Decision-Making Information

If automated systems are used, the business must explain:

  • The logic behind the system
  • Assumptions and limitations
  • The output generated
  • How that output influences significant decisions

5. Analysis of Potential Harm

The assessment must consider risks such as:

  • Unauthorized access or disclosure
  • Discrimination
  • Economic harm
  • Reputational damage
  • Psychological harm
  • Loss of control over personal information

6. Safeguards and Mitigation

Businesses must describe the safeguards in place to reduce risk, such as encryption, access controls, network segmentation, bias testing, and privacy-enhancing technologies.

7. Executive Approval

An authorized decision-maker must approve the assessment, and the names and positions of stakeholders involved must be documented.

Ongoing Deadlines and Reporting Requirements

For new high-risk processing activities that begin after January 1, 2026, risk assessments must be completed before processing starts.

Existing qualifying activities must be assessed by December 31, 2027.

Assessments must be reviewed at least every three years and updated within 45 days of any material change in processing or risk. All versions must be retained for at least five years.

Beginning April 1, 2028, businesses must submit an annual summary to the California Privacy Protection Agency (CPPA) that includes:

  • The time period covered
  • The number of assessments completed
  • The categories of data assessed
  • An executive certification under penalty of perjury

Regulators may also request a copy of any individual risk assessment, which must be provided within 30 days.

Why This Is Also a Cybersecurity Issue

Although these requirements sit within a privacy regulation, they are technical in nature.

A defensible risk assessment depends on:

  • Accurate system inventories
  • Documented access controls
  • Verified encryption standards
  • Logging and monitoring practices
  • Vendor oversight
  • Incident response procedures

Many SMBs have reasonable security practices in place. The challenge is documentation, formal review, and cross-functional coordination.

Risk assessments require evidence. They must demonstrate testing, analysis, and structured governance. Executive sign-off alone is not enough.

For growing businesses, privacy compliance and cybersecurity governance now operate together.

What SMBs Should Do Now

With the regulations in effect, businesses should take action.

  1. Confirm Whether You Meet the Thresholds
    Review revenue, consumer data volumes, and sensitive data categories.
  2. Map Your Data Flows
    Understand what data you collect, where it is stored, how long it is retained, and who has access.
  3. Inventory Automated Systems
    Identify any automated decision-making, profiling, or AI-based tools in use or in development.
  4. Review Existing Assessments
    If you operate in other regulated regions, evaluate whether current impact assessments align with California’s requirements.
  5. Strengthen Technical Controls
    Review authentication practices, encryption, vendor oversight, logging, and monitoring.
  6. Align Legal, IT, and Security Teams
    Privacy compliance cannot function in isolation from technical operations. Coordination is required.

What Businesses Should Be Doing Now

The expansion of CCPA reflects a broader regulatory shift. Privacy laws are increasingly tied to demonstrable cybersecurity practices, documented governance, and executive accountability.

For SMBs handling large volumes of data or integrating AI-driven tools, these requirements introduce a new level of structure. Compliance now depends on technical visibility, clear documentation, and ongoing oversight.

Organizations that begin reviewing their privacy and security posture now will be better positioned to meet upcoming assessment and reporting deadlines without unnecessary disruption.

If you are unsure whether your current cybersecurity and data governance practices would withstand a formal CCPA risk assessment, now is the time to evaluate them. Many businesses find that outside expertise helps bring clarity, structure, and accountability to what can otherwise feel overwhelming.

How The Swenson Group Can Help

CCPA’s expanded requirements introduce new documentation, technical, and oversight expectations that go well beyond traditional privacy compliance. Formal risk assessments require visibility into your systems, clear data mapping, and documented safeguards that stand up to regulatory review.

The Swenson Group works alongside businesses to bring structure and clarity to that process. From mapping data flows and strengthening network security to documenting technical controls and supporting ongoing governance, our team helps ensure your technology environment aligns with today’s regulatory expectations.

If you are evaluating your readiness for CCPA’s new risk assessment requirements, now is the time to act. Contact The Swenson Group to start a conversation about strengthening your cybersecurity posture and building a compliance framework designed for long-term stability.

About TSG

The Swenson Group (TSG) is an award-winning Bay Area Managed Service Provider that has helped thousands of organizations achieve more by leveraging cost-effective technologies to become more productive and secure. Services include Managed Print, Document Management, IT Services and VoIP. Products include MFPs, Copiers, Printers and Production Systems, Software and Solution Apps. For the latest industry trends and technology insights, visit TSG’s main Blog page.