CalPrivacy’s New Regulations: The Heavy Burden of Personal Accountability

California’s privacy landscape has shifted dramatically with the California Office of Administrative Law’s recent approval of final regulations covering cybersecurity audits, risk assessments, and automated decision-making technology under the California Consumer Privacy Act (CCPA). These rules don’t just create new compliance boxes to check; they fundamentally transform how businesses approach privacy by placing unprecedented personal liability on specific executives.

A Revolutionary Approach to Privacy Enforcement

What makes these regulations particularly groundbreaking is their focus on individual accountability. Unlike traditional regulatory frameworks that target corporations as abstract entities, CalPrivacy’s new requirements mandate that specific, named individuals within organizations take personal responsibility for privacy, AI, and cybersecurity practices. These designated executives must sign attestations under penalty of perjury, creating a level of personal exposure previously uncommon in U.S. privacy regulation.

This personal dimension requires organizations to think strategically about personnel decisions, organizational structures, and support systems needed to ensure designated individuals can fulfill their responsibilities without bearing unreasonable personal risk.

Implementation Timeline: What’s Coming and When

The regulatory requirements roll out in stages:

January 1, 2026 – Organizations must begin conducting risk assessments for new processing activities that present significant privacy risks or substantially modify existing high-risk processing operations.

January 1, 2027 – Compliance with automated decision-making technology (ADMT) requirements becomes mandatory, including pre-use notifications, opt-out mechanisms, and access rights. This date also marks the beginning of the first compliance period for mandatory cybersecurity audits for many businesses.

April 1, 2028 – Initial submissions of risk assessments and cybersecurity audit reports to CalPrivacy are due.

Who Can Sign? The Executive Management Requirement

Risk Assessment Submissions

The pool of individuals eligible to submit risk assessments to CalPrivacy is deliberately narrow. Qualified submitters must satisfy multiple criteria:

  • Executive Management Status – The individual must serve on the organization’s executive management team, typically limiting candidates to a dozen or fewer people in most companies.
  • Direct Responsibility – They must have direct oversight of the organization’s risk assessment compliance program.
  • Sufficient Knowledge – The individual needs comprehensive understanding of the business’s risk assessment practices to ensure accuracy.
  • Submission Authority – They must possess organizational authority to submit assessments to CalPrivacy on behalf of the company.

Beyond meeting these qualifications, the designated individual must provide personal contact information including their full name, title, telephone number, and email address. Most significantly, they must sign an attestation declaring that all risk assessment information submitted is “true and correct,” with this declaration made under penalty of perjury under California law.

The perjury exposure creates substantial personal stakes for executives. Organizations must carefully evaluate which executive team members are genuinely qualified and willing to accept this responsibility. Many companies are considering implementing internal sub-certification processes, where functional managers certify information in their domains to support the executive’s attestation, similar to the cascading certification process used for financial statement accuracy under Sarbanes-Oxley.

Cybersecurity Audit Submissions

If anything, the requirements for submitting cybersecurity audits are even more restrictive. Qualified individuals must:

  • Serve on the executive management team
  • Bear direct responsibility for cybersecurity audit compliance
  • Possess sufficient audit knowledge to ensure accurate submissions
  • Have authority to submit certifications to CalPrivacy

A critical wrinkle emerges for organizations choosing to conduct audits internally rather than engaging external auditors. If performed in-house, the internal auditor must report to an executive management team member who does not have direct cybersecurity program responsibility. This structure explicitly prevents the Chief Information Security Officer (CISO) from submitting the report—it must come from a different executive responsible for audit compliance rather than operational security.

The attestation for cybersecurity audits goes further than risk assessments. The submitting executive must declare not only that the certification is “true and correct,” but also that the organization “has not made any attempt to influence the auditor’s decisions or assessments.” Given that auditors rely on interviews with company personnel and internal evidence, this creates a delicate situation where executives may want sub-certifications from individuals and managers who participated in the audit process to confirm no undue influence occurred and that information provided was complete and accurate.

Additional Designated Individuals in Risk Assessments

The regulations don’t stop with submission authority; they also require identifying other individuals involved in the risk assessment process across three distinct categories:

Approval and Review Personnel – Risk assessments must document the date of review and approval along with the names and positions of everyone who reviewed or approved the assessment.

Processing Participants – Any individual whose job duties involve participating in the processing activities covered by the risk assessment must review and approve that assessment.

Information Contributors – The assessment must list the names of individuals who provided information for the risk assessment, with an exception for legal counsel providing legal advice.

These requirements demand thoughtful, risk-based decisions about inclusion. Organizations need to strike a balance between comprehensive involvement and practical documentation, always with an eye toward ensuring the risk assessments are genuinely accurate and complete.

Designated Individuals in Cybersecurity Audits

Cybersecurity audit reports carry their own designation requirements:

  • The report must identify up to three individuals (by title) responsible for the organization’s cybersecurity program.
  • The auditor’s name, affiliation, and relevant qualifications must be documented.
  • The most senior auditor must sign and date a certification stating they conducted an independent review, exercised objective and impartial judgment, and did not primarily rely on management assertions.

Critical Decisions Organizations Must Make Now

The personal accountability dimension of these regulations creates extraordinary challenges. Organizations face questions that blend operational compliance with personal risk management:

Internal vs. External Cybersecurity Audits?

External audits may cost more and present scheduling challenges, but they simplify compliance by removing concerns about auditor independence and eliminating the procedural complexity of having internal auditors report to executives outside the cybersecurity chain of command.

Internal audits offer cost advantages and intimate knowledge of systems, but require careful management of auditor independence, protection from undue influence, and proper reporting structures to non-cybersecurity executives.

Who Should Submit Cybersecurity Audits?

This decision often depends on the internal-versus-external audit choice, but the executive management team requirement significantly narrows the candidate pool. Organizations must identify which executive can credibly attest to audit accuracy and lack of influence while having sufficient cybersecurity audit oversight responsibility.

Who Should Submit Risk Assessments?

Similar constraints apply here—the executive management team limitation reduces options, requiring careful evaluation of which executives have the necessary knowledge, authority, and willingness to accept personal liability for risk assessment accuracy.

Should Sub-Certifications Be Implemented?

Given that submitters must attest that reports are “true” and “correct” under penalty of perjury, formal or informal sub-certification processes deserve serious consideration. Cascading certifications from functional managers and key contributors can provide greater confidence and distribute accountability more fairly across teams that generate the underlying information.

How to Determine Risk Assessment Participants?

No universal formula exists, but organizations should examine current decision-making processes and governance structures to identify a consistent, repeatable approach for determining which individuals should be included in assessments. The goal is ensuring risk assessments are genuinely true and correct, not merely checking boxes.

Does D&O Insurance Need Updating?

Directors and Officers liability insurance helps manage risks for individuals and organizations facing professional liability claims. Organizations should review their D&O coverage to confirm it extends to individuals submitting filings to CalPrivacy, helping these executives gain assurance they’re covered for good-faith errors or omissions in filings and related compliance activities.

The Road Forward: Start Planning Now & Use Captain Compliance To Automate CalPrivacy Requirements

Complying with CalPrivacy’s new regulations demands significant upfront investment in proactive privacy, cybersecurity, and AI compliance infrastructure. The personal accountability provisions add layers of complexity by forcing organizations to think carefully about who participates in due diligence, who signs off on assessments, and how to protect individuals taking on these responsibilities. Luckily, if you use Captain Compliance and our privacy software tools, you can automate a large part of your CalPrivacy requirements; our automated DSAR and Global Privacy Control consent banner software has been an industry leader and is highly recommended by the biggest privacy lawyers in the world.

While the staggered implementation timeline provides breathing room, organizations that wait until deadlines approach will find themselves scrambling. Smart companies are beginning now to:

  • Map out which executives meet qualification criteria for submissions
  • Design robust sub-certification processes to support executive attestations
  • Evaluate internal audit capabilities against the benefits of external auditors
  • Review and potentially enhance D&O insurance coverage
  • Build governance structures that appropriately distribute accountability
  • Create training programs so designated individuals understand their responsibilities

The transformation CalPrivacy is driving extends beyond operational compliance: it’s forcing a cultural shift where privacy, security, and AI governance become executive-level concerns with personal consequences. Organizations that embrace this reality and build appropriate support systems will navigate these requirements successfully. Those that treat them as mere paperwork exercises risk exposing both their executives and their organizations to significant liability.
