Think of the first CCPA post in this series as building the plumbing: identifying personal information, standing up consumer rights processes, reviewing disclosures, and assigning governance ownership. Crossing the CCPA-to-CPRA bridge means inspecting what flows through those pipes and deciding how privacy risk will be managed over time.

CPRA did not replace CCPA. It amended it, added new rights and obligations, and sharpened the expectation that businesses can demonstrate how they evaluate, govern, and secure personal information. The result is a practical shift from a rights-based compliance posture to a risk-based accountability posture.

That shift matters now. The California Privacy Protection Agency's final regulations covering cybersecurity audits, privacy risk assessments, automated decisionmaking technology (ADMT), insurance, and CCPA updates became effective January 1, 2026. Some compliance obligations are phased, including ADMT requirements beginning January 1, 2027 and certain cybersecurity audit and risk assessment submissions beginning April 1, 2028.

The following six phases pick up where the earlier CCPA readiness work left off. They are practical, sequenced steps for moving from initial preparation into a program that can keep pace with CPRA-era accountability.

Phase 7: Expand the Personal Information Inventory Into a Data Flow and Risk Map

The personal information inventory you built for CCPA cataloged what you collect. CPRA-era readiness asks a broader set of questions: why you process it, where it moves, who receives it, what risks it creates, and whether the business still needs that dataset in the first place.

Revisit every data category in the inventory and attach it to business purpose, collection point, system of record, retention period, access model, vendor recipient, and consumer-facing disclosure. Then flag the data flows that may create heightened privacy risk, such as selling or sharing personal information, processing sensitive personal information, using ADMT for significant decisions, profiling, or relying on large-scale analytics and data matching.

Phase 8: Build a Privacy Risk Assessment Program

Risk assessments should not be treated as a once-a-year legal exercise. They are decision records that show how the business considered privacy risk before launching or changing processing activities that may significantly affect consumers.

A practical risk assessment program documents the processing purpose, categories of personal information involved, foreseeable risks to consumers, business benefits, safeguards, alternatives considered, approval decision, accountable owner, and review cadence. It should be triggered by new product launches, material changes to data practices, vendor onboarding, ADMT deployment, sensitive personal information use, and other high-risk activities.

Keep the program lightweight enough that teams will use it, but structured enough that the record is defensible. A risk assessment that only lives in a policy binder will not help product, marketing, security, or vendor teams make better decisions.

Phase 9: Govern Automated Decisionmaking and Profiling

Automated decisionmaking and profiling deserve their own inventory and control model. Organizations that use scoring, segmentation, recommendation engines, predictive models, or other automated tools should determine which systems influence significant decisions, which data those systems use, and what consumer-facing rights or notices may apply.

This work needs to connect directly back to the consumer rights infrastructure built in the first CCPA phases. An opt-out pathway is not effective if it is only a checkbox disconnected from the systems making or supporting the decision.

Phase 10: Conduct a Cybersecurity Audit Readiness Assessment

The CPPA's finalized cybersecurity audit regulations require certain businesses whose processing presents significant risk to consumers' security to complete annual cybersecurity audits. Certification submission deadlines phase in by business revenue, but audit readiness should start well before the first filing date.

The readiness path is familiar to mature security teams: assess the program against a recognized framework, identify gaps, prioritize remediation, and document the plan. NIST CSF 2.0, CIS Controls v8, and ISO 27001 are all useful lenses for this work.

Focus areas commonly include:

A documented remediation roadmap matters. It shows that leadership understands the gaps, has prioritized the work, and is treating audit readiness as part of a broader security and privacy operating model.

Phase 11: Operationalize Sensitive Personal Information Handling

CPRA created a specific category for sensitive personal information (SPI), along with consumer rights and notice obligations tied to how that information is used and disclosed. SPI includes categories such as Social Security numbers, financial account credentials, precise geolocation, health data, certain biometrics, and other sensitive data types.

Organizations should run a targeted pass through the personal information inventory and data flow map to identify every SPI collection point, system, vendor, retention rule, and downstream use. The goal is not only to label sensitive data, but to control it.

Phase 12: Upgrade Governance for Ongoing Accountability

CPRA accountability is ongoing, not point-in-time. The governance structures built during the initial CCPA readiness phase need to mature from awareness-focused to accountability-focused.

That means privacy reviews should become part of product development, vendor onboarding, marketing operations, security planning, and executive reporting. It also means the privacy program needs evidence: completed risk assessments, training records, rights request metrics, vendor reviews, audit readiness artifacts, and documented decisions about data use.

Where To Go From Here

The next step is not to boil the ocean. Pick one high-risk data flow and walk it end to end. Confirm the business purpose, data categories, systems, vendors, consumer notices, rights workflows, security controls, and decision records. Then repeat that process for the next highest-risk flow.

Over time, those walks become the program. Your inventory becomes a living map. Your risk assessments become decision evidence. Your consumer rights process becomes connected to real systems. Your cybersecurity audit readiness work becomes part of everyday security governance.

That is the bridge from CCPA preparation to CPRA accountability. As always, LHC Advisors is happy to share our wisdom and help organizations strategize the best practical path forward.

This article is for general informational purposes only and is not legal advice. Regulatory information was reviewed on June 30, 2026.