Starting January 1, 2026 (once the regulations are reviewed and approved by the OAL), the California Privacy Protection Agency (CPPA) will begin enforcing new audit and risk assessment requirements under the California Privacy Rights Act (CPRA).
These rules target companies that handle large amounts of personal information or use technologies like automated decision-making or profiling, especially when those tools affect real-life decisions about employment, credit, housing, or healthcare.
So, what exactly do the new rules say?
According to the CPPA’s draft regulations:
- Annual cybersecurity audits will be required for companies meeting certain risk thresholds. These audits must be documented, thorough, and show how well the company’s security practices are working.
- Risk assessments must be conducted before using automated systems that can impact people’s lives. These assessments should explain the purpose of the technology, its benefits, and the potential risks to consumers, especially around discrimination or unfair outcomes.
- The CPPA may request access to these audits or assessments at any time.
This isn’t just a privacy issue. It’s a shift in how companies need to think about risk management.
Why This Matters for ERM
Traditionally, privacy and cybersecurity risks have lived in legal, compliance, or IT departments. But these new requirements push them into the core of enterprise risk, right where strategy, operations, and trust meet.
Here’s how it ties directly into Enterprise Risk Management (ERM):
1. Regulatory Risk Is Now Operational. These aren’t one-time reviews. The rules call for ongoing audits and structured assessments that track how technology is used and how it impacts people. ERM teams will need to ensure that the right people are responsible and that processes are repeatable, not ad hoc.
2. AI and Automation Need a Risk Lens. Many organizations are exploring automation, profiling, and AI, but not all are checking how these tools fit with their risk appetite or strategic goals. ERM can provide the structure to ask the right questions before risks turn into issues.
3. Ownership Matters. One of the most overlooked challenges in ERM is clear risk ownership. These rules make it harder to push tech-related risks to “the legal team” or “the data team.” They force a broader view, one where privacy, ethics, and operations are part of the same conversation.
What to Do Next
If your company is subject to these rules (or just wants to be ahead of them), here are a few steps to start with:
- Map these requirements into your existing ERM framework
- Identify owners for risk assessments and audits
- Track how AI and profiling are used and whether assessments already exist
- Bring legal, compliance, tech, and risk together to build a shared approach
Final Thoughts
California’s new privacy rules aren’t just about compliance; they’re about raising the bar on how companies manage the impact of their technology.
For ERM leaders, this is an opportunity to take the lead: not by adding more checklists, but by helping the business understand the risks, own them, and make better decisions.