The California Privacy Protection Agency did not just update its rulebook in 2026; it changed what compliance looks like in practice. The latest CCPA regulations, which took effect this April, establish formal requirements for privacy risk assessments and start the clock on an obligation to report those assessments to the CPPA beginning April 2028.
For many organizations, the policy side is already handled. Assessment templates have been updated. Privacy notices have been revised. The governance language looks right on paper. What’s proving far more difficult is building the operational infrastructure that makes these assessments repeatable, auditable, and defensible at scale — the kind of infrastructure that holds up when a regulator asks to see not just what you assessed, but how.
The Gap Between Policy and Practice
There’s a meaningful difference between having a privacy risk assessment framework and being able to demonstrate how that framework actually operates. The new CCPA obligations push companies squarely into the second category.
Starting in April 2028, covered businesses will need to report on their risk assessments to the CPPA. That reporting requirement raises the stakes around documentation in a way that policy language alone cannot address. Regulators reviewing those submissions will not just want to know that assessments were completed. They will want to understand when each assessment was conducted, which data processing activities or systems were evaluated, how risks were scored and prioritized, what mitigation steps were approved, and who was accountable for the outcomes.
Most organizations are not currently structured to answer those questions quickly or cleanly. Assessment outputs tend to live in static documents or spreadsheets. Workflow history is thin or nonexistent. Approval records are scattered across email threads and shared drives. That’s a documentation problem that becomes a compliance problem the moment a reporting deadline arrives.
Three Operational Challenges Showing Up Consistently
Ownership is diffuse and accountability is unclear. Privacy risk assessments sit at the intersection of legal, privacy, security, IT, product, and compliance — and in most organizations, no single function owns the process end-to-end. That fragmentation worked well enough when assessments were informal. Under a mandatory, reportable framework, it creates real operational friction. Critical questions about who scopes assessments, who validates risk conclusions, and who has authority to approve mitigation plans tend to surface only when a process stalls or a decision gets contested. Getting those questions answered before they become urgent is one of the highest-value investments organizations can make right now.
Evidence architecture hasn’t kept pace with governance intent. Many companies can demonstrate, at a conceptual level, that privacy risk assessments are part of their governance framework. Far fewer can produce organized, timestamped evidence showing how a specific assessment moved through the process — what was evaluated, how risks were rated, what review or approval occurred, and what changed as a result. The gap between “we do assessments” and “here’s an auditable record of how we did this one” is where regulatory exposure tends to concentrate as reporting deadlines approach.
Governance structures are layering faster than coordination can keep up. Privacy risk assessments no longer operate in a standalone compliance lane. They increasingly intersect with AI governance programs, cybersecurity risk frameworks, vendor risk management, and enterprise risk management more broadly. The result is growing structural complexity — multiple committees reviewing overlapping risk domains, different scoring methodologies operating in parallel, and competing organizational priorities that don’t always resolve cleanly. Without deliberate coordination across these programs, duplicated effort, inconsistent risk decisions, and slowed review cycles become predictable outcomes.
What Effective Preparation Actually Looks Like
Organizations making meaningful progress on these requirements share a common orientation: they’re treating privacy risk assessments as an operational discipline rather than a compliance document exercise. That distinction shows up in practical ways — designated owners with defined accountability, workflow tools that generate evidence as a natural byproduct of the process, and governance coordination mechanisms that align rather than silo the various risk programs touching privacy.
The companies investing in that infrastructure now are building something that serves them beyond the CPPA reporting deadline. Defensible, well-documented risk assessment processes are also credibility assets in litigation, vendor negotiations, and customer conversations where privacy practices are increasingly subject to scrutiny.
April 2028 may feel distant. The operational work required to get there confidently is not. Organizations that treat the next two years as a runway — rather than waiting for the deadline to sharpen the urgency — will be in a materially better position when the CPPA comes looking for proof.