The CPPA will enforce compliance through executive certifications submitted under penalty of perjury, beginning April 1, 2028, for assessments covering 2026 and 2027. Companies must conduct triennial reviews thereafter or within 45 days of material changes, and retain assessment records for five years. Pre-existing processing activities have until December 31, 2027 to complete assessments. The requirement applies broadly across finance, HR tech, healthcare AI, and ad tech sectors.
Attorneys advising affected clients should prioritize immediate compliance for any new processing activities launched in 2026. The assessments must weigh consumer harms against business benefits and document specific safeguards such as encryption or privacy-enhancing technologies. This marks the first state mandate tying executive liability directly to privacy risk documentation, setting a precedent as federal regulators and other states intensify scrutiny of AI and data practices. The April 2028 certification deadline will arrive quickly for companies still building compliance infrastructure.