The CPPA will enforce compliance. Assessments must be updated whenever material changes occur and at minimum every three years, then retained for the duration of processing or five years, whichever is longer. Companies that completed assessments in 2026 or 2027 must submit an attestation and summary to the CPPA by April 1, 2028. Those completing assessments after 2027 face ongoing annual submission obligations.
Attorneys should treat this as active enforcement risk, not future planning. Mid-2026 marks the transition from preparation to operational compliance, with the first reporting deadline already in motion. Firms lacking a formal risk-assessment workflow—particularly those processing sensitive data, deploying automated decision-making systems, or handling high-volume consumer information—face immediate exposure. The CPPA has already adopted these rules as part of its 2024–2025 regulatory package; compliance is not optional.