California’s New CCPA Rules Bring Corporate Accountability to the Individual Level

November 12, 2025

California is making corporate privacy compliance personal. The state’s Office of Administrative Law has approved final regulations under the California Consumer Privacy Act (CCPA) governing cybersecurity audits, risk assessments, and automated decision-making technology (ADMT) that mark a fundamental shift in privacy and AI compliance from an organizational obligation to a personal legal responsibility borne by named executives.

The new rules require businesses to designate specific individuals to take personal responsibility for risk assessments, cybersecurity audits, and filings with the California Privacy Protection Agency (CalPrivacy). The designees must be members of a company’s executive management team, possess detailed knowledge of compliance activities, and must personally attest to the truthfulness of their submissions under penalty of perjury.

The intent, according to an analysis of the rules by experts writing in IAPP News, is to ensure that companies treat privacy, cybersecurity, and automated decision-making oversight as top-tier governance issues rather than operational checkboxes. But the practical consequence is that executives, such as chief privacy officers, general counsels, and potentially chief data or AI officers, now face individual legal exposure for inaccuracies or omissions in filings.

The new obligations will roll out in phases. Companies must begin conducting risk assessments for new or significantly changed data processing that presents a high privacy risk starting January 1, 2026. Starting one year later, businesses must comply with ADMT obligations, including requirements for pre-use notices, opt-out options, and consumer access to information on automated systems. Initial filings with CalPrivacy for risk assessments and cybersecurity audits are due April 1, 2028.

The staggered deadlines are designed to give companies time to develop internal compliance infrastructures, but the personal accountability features are likely to accelerate internal timelines and resource allocation.

The ADMT provisions are among the most consequential for technology and data-driven businesses. By 2027, companies deploying automated systems that make or materially influence consumer decisions must provide clear disclosures, offer opt-out rights, and ensure access to meaningful explanations about how such systems work.

Because executives must now personally attest to the adequacy of these risk assessments, businesses will need to document not only the function and data inputs of their AI systems, but also their fairness, bias testing, and human oversight mechanisms. The threat of personal liability is expected to drive greater caution in deploying AI tools and encourage more formalized AI governance frameworks that could ripple beyond California’s borders.

The regulations also limit who can sign compliance reports. Only members of the executive management team can submit filings, drastically narrowing the eligible pool. For internal cybersecurity audits, the submitting officer must be independent from the company’s cybersecurity function, preventing CIOs from certifying their own work.

This structure poses complex procedural and organizational challenges. Companies will need to clarify reporting lines and consider creating sub-certification processes, similar to those used in financial reporting, so that business unit leaders can confirm the accuracy of their data before it reaches the executive signatory.

Firms may also want to review directors and officers (D&O) liability insurance to ensure coverage for executives personally signing these attestations, per IAPP, particularly given the risk of perjury penalties.

Like the CCPA itself, the new regulations under the statute are likely to become a template for other states, and for future U.S. privacy regulation, inaugurating a new era in which data governance responsibilities rest squarely on identifiable human shoulders.