A MoFo Privacy Minute Q&A: Key Steps in 2026 to Comply with State Privacy Assessment Requirements
Question: Do I need to complete state privacy risk assessments in 2026? I know some CCPA deadlines aren’t until next year, but how can I prepare my team to comply with state privacy assessment requirements?
Answer: The start of the year is an excellent time to review and update your organization’s privacy assessment process, particularly in light of new regulations under the CCPA. It is likely that you will need to conduct privacy assessments in 2026, though it depends on your organization’s data processing activities and which state consumer privacy laws apply to your organization.
The CCPA’s new requirements include:
- Undertaking a risk assessment if the organization is “selling” or “sharing” personal data, processing sensitive data (with limited exceptions), using automated decision-making technology (ADMT) for a “significant decision,” or engaged in other types of processing that present a “significant risk” to consumers’ privacy.
- Conducting the risk assessment per the CCPA’s specific requirements, including requirements for the content of the assessment, review and approval of the assessment, retention of the assessment, and submission of information related to the assessment to the California Privacy Protection Agency.
- Note the timing: assessments for data processing activities initiated prior to January 1, 2026 are not required under the CCPA until December 31, 2027, but for any data processing activity initiated after January 1, 2026 that requires an assessment, the assessment must be completed before the activity begins.
Remember that the CCPA is not the only law organizations should keep in mind. Many other state consumer privacy laws already in effect require a privacy assessment for certain data processing activities, including laws in Colorado, Connecticut, Delaware, Indiana, Kentucky, Maryland, Minnesota, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, and Virginia.
- For example, many state consumer privacy laws require undertaking a privacy assessment if an organization is processing personal data for purposes of targeted advertising or certain types of profiling, selling personal data, processing sensitive data, or engaging in other “high risk” data processing activities.
- Similar to the CCPA, these state laws require conducting the privacy assessment per the law’s specific requirements, including requirements for the content of the assessment, review of and updates to the assessment, disclosure of the assessment, and retention of the assessment.
- Many state consumer privacy laws, including the CCPA, permit an organization to use an assessment it has prepared for another purpose to meet the law’s requirements, provided that the assessment contains the information that must be included under the law. For example, the CCPA imposes specific assessment requirements for businesses that use or provide ADMT to make a significant decision.
Key steps in 2026:
- Alert key stakeholders about the need to conduct privacy assessments, so that they know to reach out when they plan to engage in a new data processing activity and can meaningfully contribute to and support the assessment process.
- Determine whether privacy assessments are required under applicable law(s) for the organization’s existing data processing activities and by when the assessments must be completed.
- Create a process for conducting and documenting privacy assessments, or review and update your existing process in light of the new CCPA regulations and other state consumer privacy laws.
- Remember that a privacy assessment conducted under a different law, including assessments conducted for GDPR compliance, may suffice (potentially with tweaks). Much of the hard work may already have been completed!
Marian A. Waldmann Agarwal, Partner
Mary Race, Of Counsel