Think of the first CCPA post in this series as building the plumbing: identifying personal information, standing up consumer rights processes, reviewing disclosures, and assigning governance ownership. Crossing the CCPA-to-CPRA bridge means inspecting what flows through those pipes and deciding how privacy risk will be managed over time.
CPRA did not replace CCPA. It amended it, added new rights and obligations, and sharpened the expectation that businesses can demonstrate how they evaluate, govern, and secure personal information. The result is a practical shift from a rights-based compliance posture to a risk-based accountability posture.
That shift matters now. The California Privacy Protection Agency's final regulations covering cybersecurity audits, privacy risk assessments, automated decisionmaking technology (ADMT), insurance, and CCPA updates became effective January 1, 2026. Some compliance obligations are phased, including ADMT requirements beginning January 1, 2027 and certain cybersecurity audit and risk assessment submissions beginning April 1, 2028.
The following six phases pick up where the earlier CCPA readiness work left off. They are practical, sequenced steps for moving from initial preparation into a program that can keep pace with CPRA-era accountability.
Phase 7: Expand the Personal Information Inventory Into a Data Flow and Risk Map
The personal information inventory you built for CCPA cataloged what you collect. CPRA-era readiness asks a broader set of questions: why you process it, where it moves, who receives it, what risks it creates, and whether the business still needs that dataset in the first place.
Revisit every data category in the inventory and attach it to business purpose, collection point, system of record, retention period, access model, vendor recipient, and consumer-facing disclosure. Then flag the data flows that may create heightened privacy risk, such as selling or sharing personal information, processing sensitive personal information, using ADMT for significant decisions, profiling, or relying on large-scale analytics and data matching.
- Map the path of each data category from collection through processing, sharing, storage, retention, and disposal.
- Identify personal information that is copied into exports, spreadsheets, support tickets, analytics tools, self-service SaaS products, or third-party scripts.
- Mark any use of sensitive personal information, sale or sharing, profiling, ADMT, or other high-risk processing activity for further review.
- Ask business stakeholders whether each dataset is still necessary, and remove or minimize data that no longer supports a current business purpose.
- Version the map so future product, vendor, marketing, and engineering changes can be reviewed against a known baseline.
Phase 8: Build a Privacy Risk Assessment Program
Risk assessments should not be treated as a once-a-year legal exercise. They are decision records that show how the business considered privacy risk before launching or changing processing activities that may significantly affect consumers.
A practical risk assessment program documents the processing purpose, categories of personal information involved, foreseeable risks to consumers, business benefits, safeguards, alternatives considered, approval decision, accountable owner, and review cadence. It should be triggered by new product launches, material changes to data practices, vendor onboarding, ADMT deployment, sensitive personal information use, and other high-risk activities.
Keep the program lightweight enough that teams will use it, but structured enough that the record is defensible. A risk assessment that only lives in a policy binder will not help product, marketing, security, or vendor teams make better decisions.
Phase 9: Govern Automated Decisionmaking and Profiling
Automated decisionmaking and profiling deserve their own inventory and control model. Organizations that use scoring, segmentation, recommendation engines, predictive models, or other automated tools should determine which systems influence significant decisions, which data those systems use, and what consumer-facing rights or notices may apply.
This work needs to connect directly back to the consumer rights infrastructure built in the first CCPA phases. An opt-out pathway is not effective if it is only a checkbox disconnected from the systems making or supporting the decision.
- Map automated systems that score, rank, segment, recommend, profile, or make decisions about consumers.
- Identify any use tied to significant decisions, such as employment, credit, housing, education, insurance, health care, or similarly consequential opportunities.
- Document the inputs, outputs, owners, vendors, human oversight, testing, and escalation paths for each system.
- Build access, opt-out, notice, and appeal or review workflows where applicable, and connect them to the existing rights request process.
- Review model and vendor changes before launch, not after a consumer complaint reveals a process gap.
Phase 10: Conduct a Cybersecurity Audit Readiness Assessment
The CPPA's finalized cybersecurity audit regulations require certain businesses whose processing presents significant risk to consumers' security to complete annual cybersecurity audits. Certification submission deadlines phase in by business revenue, but audit readiness should start well before the first filing date.
The readiness path is familiar to mature security teams: assess the program against a recognized framework, identify gaps, prioritize remediation, and document the plan. NIST CSF 2.0, CIS Controls v8, and ISO 27001 are all useful lenses for this work.
Focus areas commonly include:
- Identity and access controls, including privileged access and account lifecycle management.
- Encryption at rest and in transit for personal information and sensitive personal information.
- Logging, monitoring, vulnerability management, and incident detection capabilities.
- Incident response procedures that account for CCPA breach analysis and notification considerations.
- Vendor security management, including evidence collection and contract alignment.
- Remediation tracking that shows identified gaps are either closed or actively managed.
A documented remediation roadmap matters. It shows that leadership understands the gaps, has prioritized the work, and is treating audit readiness as part of a broader security and privacy operating model.
Phase 11: Operationalize Sensitive Personal Information Handling
CPRA created a specific category for sensitive personal information (SPI), along with consumer rights and notice obligations tied to how that information is used and disclosed. SPI includes categories such as Social Security numbers, financial account credentials, precise geolocation, health data, certain biometrics, and other sensitive data types.
Organizations should run a targeted pass through the personal information inventory and data flow map to identify every SPI collection point, system, vendor, retention rule, and downstream use. The goal is not only to label sensitive data, but to control it.
- Confirm where SPI is collected, stored, accessed, shared, retained, and deleted.
- Verify that notices accurately describe SPI categories, purposes, retention, and consumer rights.
- Confirm that a "Limit the Use of My Sensitive Personal Information" or "Your Privacy Choices" link appears where required.
- Restrict SPI use to disclosed, necessary, and permitted purposes unless a valid basis exists for broader use.
- Update vendor contracts so service providers and contractors are appropriately limited in how they process SPI.
- Test the operational path for limit-use requests, including intake, verification, fulfillment, vendor propagation, and recordkeeping.
Phase 12: Upgrade Governance for Ongoing Accountability
CPRA accountability is ongoing, not point-in-time. The governance structures built during the initial CCPA readiness phase need to mature from awareness-focused to accountability-focused.
That means privacy reviews should become part of product development, vendor onboarding, marketing operations, security planning, and executive reporting. It also means the privacy program needs evidence: completed risk assessments, training records, rights request metrics, vendor reviews, audit readiness artifacts, and documented decisions about data use.
- Embed privacy-by-design reviews into product and engineering launch processes.
- Schedule periodic reviews of risk assessments, data flows, SPI handling, and consumer rights workflows.
- Refresh training so teams understand CPRA-specific rights, opt-out handling, ADMT considerations, and SPI controls.
- Assign clear owners for cybersecurity audit coordination, risk assessment operations, ADMT governance, and vendor privacy review.
- Create a quarterly governance rhythm that reviews program metrics, open gaps, vendor status, policy accuracy, and remediation progress.
Where To Go From Here
The next step is not to boil the ocean. Pick one high-risk data flow and walk it end to end. Confirm the business purpose, data categories, systems, vendors, consumer notices, rights workflows, security controls, and decision records. Then repeat that process for the next highest-risk flow.
Over time, those walks become the program. Your inventory becomes a living map. Your risk assessments become decision evidence. Your consumer rights process becomes connected to real systems. Your cybersecurity audit readiness work becomes part of everyday security governance.
That is the bridge from CCPA preparation to CPRA accountability. As always, LHC Advisors is happy to share our wisdom and help organizations strategize the best practical path forward.
This article is for general informational purposes only and is not legal advice. Regulatory information was reviewed on June 30, 2026.