California privacy rules may require risk assessments for customer call recording

Why it matters

California's privacy regulator has clarified that businesses recording customer calls may need to complete a formal risk assessment before proceeding, depending on how they use, store, and share those recordings. The California Privacy Protection Agency, enforcing the state's Consumer Privacy Act as amended by the California Privacy Rights Act, updated its regulations to require written risk assessments for processing activities that pose a "significant risk" to consumer privacy. Call recordings can trigger this requirement if they are combined with analytics, profiling, artificial intelligence tools, or other secondary uses beyond basic quality assurance.

The regulations take effect in phases, with risk-assessment obligations for new covered processing beginning in 2026. The CPPA has not yet issued specific guidance on which call-recording practices cross the threshold into "significant risk" territory, leaving businesses to apply a balancing test that weighs privacy risks against benefits to consumers, the business, and the public. The assessment must be documented and submitted according to recordkeeping and notice requirements still being clarified by the agency.

Call recording is standard across contact centers, healthcare, finance, and customer service operations, making this an immediate compliance concern for most service-oriented businesses in California. Attorneys advising clients in these sectors should audit current recording practices now to determine whether they constitute covered processing under the CPRA. The gap between routine operational practice and regulatory obligation creates material compliance risk, particularly where recordings contain sensitive personal information or feed into automated decision-making systems.
