For most of the privacy era, the consequences of a compliance failure landed on the company. Fines were corporate, remediation was corporate, and the executives who set strategy were generally insulated by the entity between them and the regulator. California’s finalized CCPA regulations quietly change that calculus for one of the most important compliance artifacts a business produces. Under the new rules, a company’s risk assessments must be certified by a member of executive management, and the business must identify to the California Privacy Protection Agency (CPPA) the specific executive responsible for the assessment’s compliance. Privacy risk now has a name attached to it.

This is a structural shift, not a paperwork tweak. It moves privacy from a function that executives oversee at a distance to one they must personally vouch for in writing — borrowing a model of individual accountability that financial-services and securities law have used for years to change executive behavior. Compliance obligations began on January 1, 2026, and the first attestations are due to the CPPA by April 1, 2028. Boards and C-suites that have treated privacy as a delegable, operational concern need to reconsider that posture now.

What the Regulations Require

The CCPA regulations on automated decision-making technology (ADMT), risk assessments, and cybersecurity audits were approved by California’s Office of Administrative Law on September 22, 2025, filed with the Secretary of State, and took effect on January 1, 2026. The risk-assessment provisions are the ones that introduce personal accountability.

When a risk assessment is required. Businesses must conduct a risk assessment before engaging in processing that presents a significant risk to consumers’ privacy — a category that expressly includes selling or sharing personal information, processing sensitive personal information, using ADMT for significant decisions, and certain profiling and training uses. The assessment must weigh the benefits of the processing against the risks to consumers and document the safeguards that bring those risks down.

Executive certification. The final risk-assessment document must be certified by a senior executive and retained for at least five years, or for as long as the processing continues. This is the core of the new accountability model: the assessment is not complete until a named executive signs off on it.

Submission and attestation to the CPPA. Businesses subject to the requirement must submit information about their completed risk assessments to the agency. That submission must include a point of contact, the time period the assessment covers, the categories of personal and sensitive personal information involved, and — critically — the identity of the individual submitting the assessment, who must be a member of the business’s executive management team responsible for the risk assessment’s compliance.

The timeline. Compliance with the underlying risk-assessment obligation began January 1, 2026. By April 1, 2028, businesses must submit to the CPPA an attestation that the required risk assessments were completed, along with a summary of their risk-assessment information. The two-plus-year runway is not a reason to wait; it is the window in which the documented, signable assessments must actually be built.

Why “Executive Attestation” Changes the Game

The mechanism here is deliberate, and its logic is borrowed from regimes that have used personal certification to reshape corporate conduct. The most direct analogue is the Sarbanes-Oxley requirement that CEOs and CFOs personally certify the accuracy of financial statements. SOX certifications worked not because executives were suddenly more honest, but because a personal signature changes incentives: when an individual’s name is on the document, that individual asks harder questions, demands better evidence, and refuses to sign off on work they do not trust.

California is importing that dynamic into privacy. By requiring a senior executive to certify the risk assessment and by naming that executive to the regulator as the person responsible for compliance, the CPPA ensures that a real decision-maker has read the assessment, understood the risks, and put their name behind the conclusion that the safeguards are adequate. The effect is to pull privacy risk up the organization — out of the legal or privacy team’s filing cabinet and onto the desk of someone with the authority and the personal exposure to insist it be done right.

It also creates a discoverable, durable record of accountability. A certified, retained risk assessment with a named executive is exactly the kind of document a regulator, a plaintiff’s lawyer, or a board investigation will reach for after something goes wrong. “We had a process” is a weaker position than a signed certification — and a far weaker one than a missing or perfunctory assessment that an executive nonetheless certified.

The ADMT and Cybersecurity-Audit Context

The risk-assessment rules do not stand alone. They were finalized as part of a package that also imposes ADMT obligations — pre-use notices, opt-out rights, and access rights when businesses use automated decision-making technology for significant decisions about consumers — and mandatory cybersecurity audits for businesses whose processing presents significant risk. The three move together: a business deploying ADMT for consequential decisions will frequently trigger both the risk-assessment requirement (with its executive certification) and the cybersecurity-audit requirement. The cumulative effect is a California privacy regime that increasingly resembles an enterprise governance framework, with documentation, independent assessment, and senior-level accountability built in.

This is the same direction of travel we have tracked across other California rulemaking and the broader state privacy landscape, and it raises the floor for what “reasonable” privacy governance looks like nationally.

What This Means for Boards and Executives

The practical message for leadership is direct: privacy is now a personal-accountability item, and it belongs on the governance agenda.

  1. Decide who signs — and make sure they are real. Identify the executive(s) who will certify risk assessments and be named to the CPPA. This should be someone with genuine authority over the processing and the resources to fix what the assessment surfaces, not a figurehead. The choice of certifying officer is itself a governance decision.

  2. Build assessments that an executive can responsibly sign. A certifying executive is only protected by a process they can stand behind. That means rigorous, evidence-based assessments — clear descriptions of the processing, honest risk analysis, documented safeguards, and a defensible benefit-versus-risk conclusion. Box-checking templates expose the signer.

  3. Stand up the documentation and retention discipline now. Assessments must be retained for at least five years or for the life of the processing. Establish version control, a system of record, and a review cadence so that the document supporting a 2026 certification is still complete and locatable in 2031.

  4. Map the April 1, 2028 deadline backward. The attestation and summary are due to the CPPA by that date, but they must reflect assessments completed for processing that began as early as January 1, 2026. Work backward from the deadline to ensure every in-scope processing activity has a certified assessment on file well before the agency comes asking.

  5. Brief the board. Directors should understand that a named executive is now personally responsible to the regulator for privacy risk assessments, that this mirrors the SOX accountability model, and that a gap here is a governance failure, not merely an operational one. Board minutes reflecting that oversight are themselves protective.

  6. Coordinate with the ADMT and cybersecurity-audit obligations. Treat the three requirements as one program. Processing that triggers ADMT rights will often trigger the certified risk assessment and the audit; managing them in silos invites gaps and duplicated effort.

Conclusion

California has done something subtle but significant: it has put a person, not just a company, behind every high-risk privacy decision. By requiring executive certification of risk assessments and naming a responsible executive to the CPPA, the state has converted privacy risk from an abstract corporate exposure into a concrete personal one — the same move that reshaped financial accountability after Sarbanes-Oxley. The compliance clock started on January 1, 2026, and the first attestations are due April 1, 2028. The organizations that come through this well will be the ones whose executives can sign with confidence because the assessments beneath their names are genuinely sound. That confidence is built now, in the quality of the process — not in the final week before the signature is due.

This article is provided for informational purposes only and does not constitute legal advice.