On January 1, 2026, a sweeping package of new California Consumer Privacy Act regulations took effect. Six months later, most small business owners haven't made the changes they need to make. The California Privacy Protection Agency is ramping up enforcement, and penalties run up to $7,988 per violation involving children's data, with each affected consumer treated as a separate violation.
This isn't a law that only applies to tech giants or data brokers. If your business serves California residents and meets any one of three coverage thresholds, the CCPA applies to you, and the 2026 updates added obligations that require real operational changes, not just a privacy policy refresh.
This guide explains what changed, who it affects, what the deadlines are, and exactly what you need to do. Childcare centers get a dedicated section because the 2026 rules created a significantly heavier burden for any business that collects data about minors.
Who does CCPA cover?
The CCPA applies to for-profit businesses that do business in California and meet at least one of three thresholds:
- Revenue threshold: Annual gross revenue over $25 million.
- Data volume threshold: Annually buying, selling, or sharing personal information of 100,000 or more California consumers or households.
- Revenue-from-data threshold: Deriving 50% or more of annual revenue from selling or sharing personal information.
You do not need to have a physical location in California. Serving California residents online is enough to trigger coverage. And the 100,000 consumer threshold is lower than it sounds: if you use standard email marketing tools, web analytics, or advertising pixels, you may already be "sharing" personal information with third-party platforms under CCPA's broad definition of sharing, even if you've never thought of yourself as a data company.
What the January 2026 updates actually changed
The California Privacy Protection Agency finalized a major package of new regulations in September 2025, with a January 1, 2026 effective date. Three new areas of obligation were added on top of the existing CCPA framework:
1. Cybersecurity audits
Businesses that process personal information at a scale or in a manner that presents "significant risk" to consumers must now conduct annual cybersecurity audits. The audit must document your security controls, identify gaps, and be submitted to the CPPA on a prescribed schedule. For businesses with annual revenue under $50 million, the deadline for the first audit is January 1, 2030. Larger businesses face a 2028 deadline. These audits are not the same as penetration testing: they are documentation-heavy reviews of policies, access controls, encryption practices, vendor agreements, and incident response plans.
2. Privacy risk assessments
Before starting any processing of personal information that presents a "significant risk" to consumer privacy, businesses must now complete a privacy risk assessment. This applies to activities like deploying AI tools that analyze customer behavior, running targeted advertising, processing sensitive data at scale, or selling personal information. For processing activities that were already underway before January 1, 2026, the deadline to complete a risk assessment and submit it to CalPrivacy is April 1, 2028.
3. Automated Decision-Making Technology (ADMT) rules
ADMT covers any technology (most commonly AI systems) that makes significant decisions about California residents without meaningful human review. This includes tools used for hiring and screening, credit decisions, pricing personalization, and targeted advertising based on behavior profiling. The full ADMT compliance rules take effect January 1, 2027, giving covered businesses another six months to prepare. When they do take effect, businesses using ADMT for significant decisions must provide consumers with a pre-use notice and offer them the right to opt out. If you're using AI-based tools that affect your customers or employees in meaningful ways, start documenting those use cases now.
Sensitive personal information: two new categories
The 2026 rules also expanded the definition of sensitive personal information. Two new categories were added that are particularly relevant to small businesses in California:
- Neural data: Any data generated from a person's brain activity or physical responses to stimuli is now classified as sensitive. This matters for businesses exploring biometric authentication or emotion-detection tools.
- Data from anyone under 16: All personal information collected from a California resident under 16 years old is now automatically classified as sensitive, regardless of what type of information it is. Name, photo, address, enrollment record: all of it.
Sensitive personal information carries stricter obligations. Businesses cannot use or disclose it for purposes beyond specific permitted uses without first offering consumers the right to limit that use. For data from minors, the requirement is even stricter: businesses need affirmative opt-in consent before selling or sharing a minor's data, and violations carry the higher $7,988 penalty tier.
The penalty math that should get your attention
CCPA penalties after the CPPA's 2024 CPI adjustment run to $2,663 per standard violation and $7,988 per intentional violation or per violation involving the data of a minor. Here is where it gets serious: each affected consumer can be treated as a separate violation, and each day of ongoing non-compliance can be treated as a separate day.
The agency has said explicitly that enforcement is no longer limited to the largest businesses. If a complaint is filed against you (by a customer, a parent, or a competitor), the CPPA has the authority to investigate and issue penalties regardless of your size.
Childcare centers: you face a higher bar
Childcare centers collect more sensitive data than almost any other small business category. Enrollment applications include children's full names, birthdates, home addresses, emergency contacts, medical histories, immunization records, and dietary restrictions. Many centers also collect photos and videos of children for parent apps, newsletters, and social media posts. Under the 2026 CCPA rules, all of that data from children under 16 is now sensitive personal information, even the names and addresses.
Specific obligations that apply to covered childcare centers:
- Opt-in consent before selling or sharing children's data. Unlike adult data (which requires an opt-out mechanism), data from anyone under 16 requires affirmative opt-in consent before it can be sold or shared with third parties. This includes sharing with digital marketing platforms and parent communication apps.
- Review every third-party tool that touches enrollment data. Your childcare management platform, parent communication app, digital sign-in kiosk, and parent newsletter tool all likely receive personal information about the children in your care. Each vendor relationship needs to be reviewed and documented.
- Update your enrollment forms and privacy disclosures. Your privacy notice needs to accurately describe what data you collect, how you use it, who you share it with, and what rights parents have, including the right to request access, deletion, or correction of their child's records.
- Establish a consumer request process. Under CCPA, parents have the right to request access to, deletion of, and correction of their child's personal information. You need a documented process to receive these requests, verify the identity of the person submitting them, and respond within 45 days.
Your 7-step compliance checklist
CCPA compliance is not a one-time document update. It requires building real workflows into your operations. Here is a practical starting framework:
- Conduct a data inventory. Map out every category of personal information your business collects, where it comes from, where it is stored, who has access to it, and which third parties receive it. This is the foundation of everything else. You cannot comply with rights requests or build risk assessments without knowing what data you hold.
- Update your privacy policy. Your policy must be posted on your website and updated annually. It needs to list the categories of data you collect, the business purposes for each, and the rights consumers have. If you've added new tools or vendors since your last update, your policy is out of date right now.
- Build a consumer rights request process. You need a way for consumers to submit requests to access, delete, or correct their personal information, a way to verify the identity of the person submitting the request, and a documented workflow to fulfill requests within the 45-day deadline. Many businesses use a simple form on their website. What you cannot do is ignore these requests; that is a clear CCPA violation.
- Audit your third-party data relationships. Every analytics tool, email platform, CRM, advertising network, and childcare management platform that receives personal information from you is either a "service provider," a "contractor," or a "third party" under CCPA, and each category carries different obligations. Review your vendor contracts for CCPA-compliant data processing terms.
- Start your privacy risk assessment. If you're running any of the following, you likely need a risk assessment: targeted advertising, sale of personal information, use of sensitive personal data, or deployment of AI tools that influence decisions about consumers. Get the documentation started now so you're not scrambling toward the April 2028 submission deadline.
- Identify ADMT use cases. Do you use any AI-based tools to screen job applicants, score leads, personalize pricing, or make decisions about customers? Document what those tools do, what data they use, and whether they affect consumers in significant ways. The ADMT opt-out requirement takes effect January 1, 2027, but you need lead time to configure these tools and update your disclosures before the deadline arrives.
- Train your team. CCPA violations often start with employees who don't know the rules: forwarding customer lists to unauthorized parties, responding incorrectly to rights requests, or using personal data for purposes not covered by your privacy policy. Quarterly staff training on data handling is a basic and effective control.
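The data inventory, the vendor audit, and the childcare opt-in rule above all come down to the same question: for each category of personal information, where does it live, who receives it, under what CCPA role, and is it handled as sensitive data? The following script is an added example (not EDCON's tooling or any CCPA-prescribed format) that encodes those checks over a small inventory. The field names, the vendor names, and the sample rows are constructed for illustration; the findings it produces are the ones the checklist tells you to look for: under-16 data shared with a third party without opt-in consent, sensitive data stored unencrypted, and vendors with no CCPA role or data processing terms on file.

```python
"""Data-inventory review helper (added example, not EDCON's tooling).

Each inventory row records one category of personal information, where it
lives, which vendor (if any) receives it, that vendor's CCPA role, and whether
the data subjects include California residents under 16. The field names and
sample rows are constructed for this example.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Optional

# Existing sensitive categories plus neural data, added in 2026. Data from
# anyone under 16 is handled separately in is_sensitive(), since it is
# sensitive regardless of category.
SENSITIVE_CATEGORIES = {
    "ssn", "precise_geolocation", "health", "financial_credentials",
    "racial_ethnic_origin", "religious_beliefs", "communications_content",
    "neural_data",
}

# The three recipient roles CCPA recognizes for external vendors.
CCPA_ROLES = {"service_provider", "contractor", "third_party"}


@dataclass
class InventoryRow:
    category: str                       # e.g. "name", "health", "photo"
    system: str                         # where the data is stored
    encrypted_at_rest: bool
    vendor: Optional[str] = None        # external recipient, if any
    vendor_role: Optional[str] = None   # one of CCPA_ROLES, or None if unreviewed
    dpa_on_file: bool = False           # CCPA-compliant processing terms signed
    under_16_subjects: bool = False     # includes California residents under 16
    minor_opt_in: bool = False          # affirmative opt-in obtained for sharing

    def is_sensitive(self) -> bool:
        return self.under_16_subjects or self.category in SENSITIVE_CATEGORIES


def review_inventory(rows: List[InventoryRow]) -> List[str]:
    """Return one finding per issue; an empty list means nothing was flagged."""
    findings = []
    for r in rows:
        where = f"{r.category}@{r.system}"
        if r.vendor and r.vendor_role not in CCPA_ROLES:
            findings.append(f"{where}: vendor {r.vendor} has no CCPA role assigned")
        if r.vendor and not r.dpa_on_file:
            findings.append(f"{where}: no data processing terms on file with {r.vendor}")
        if r.under_16_subjects and r.vendor_role == "third_party" and not r.minor_opt_in:
            findings.append(f"{where}: under-16 data shared with third party {r.vendor} without opt-in")
        if r.is_sensitive() and not r.encrypted_at_rest:
            findings.append(f"{where}: sensitive data stored unencrypted")
    return findings


# Constructed sample inventory for a childcare center (vendor names invented).
SAMPLE_INVENTORY = [
    InventoryRow("name", "enrollment_db", True, vendor="ChildcareApp",
                 vendor_role="service_provider", dpa_on_file=True,
                 under_16_subjects=True),
    InventoryRow("photo", "parent_app", True, vendor="SocialAdsNet",
                 vendor_role="third_party", dpa_on_file=True,
                 under_16_subjects=True, minor_opt_in=False),
    InventoryRow("health", "file_share", False, under_16_subjects=True),
    InventoryRow("email", "newsletter_tool", True, vendor="MailVendor",
                 vendor_role=None, dpa_on_file=False),
]

if __name__ == "__main__":
    for finding in review_inventory(SAMPLE_INVENTORY):
        print("FINDING:", finding)
```

Run against the sample rows, the script flags the photo feed to the advertising network (under-16 data, third party, no opt-in), the unencrypted health records, and the newsletter vendor that has never been classified or put under processing terms; the childcare platform, classified as a service provider with a signed agreement, passes. The point of keeping the inventory in a structured form is that the same rows feed the privacy policy, the risk assessment, and later the cybersecurity audit.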
The cybersecurity audit: what it actually requires
The term "cybersecurity audit" sounds more technical than the requirement actually is, but it is still significant. The CCPA cybersecurity audit is not a penetration test. It is a documented assessment of your security controls as they relate to how you protect personal information. A compliant audit needs to address:
- What personal information you hold and where it lives (encrypted or unencrypted, in-house or with vendors)
- What access controls are in place: who can see what data, and how those permissions are managed
- How you detect, respond to, and recover from security incidents involving personal information
- What contractual protections you have with vendors who process personal information on your behalf
- Whether your current security practices align with a recognized standard such as NIST, CIS Controls, or SOC 2
The audit must be conducted by a qualified reviewer (which can be internal for smaller businesses), but it must be documented in a format that could be submitted to the CPPA if requested. Businesses with revenue under $50 million have until January 1, 2030 to complete their first annual audit, but starting the process now gives you time to find and fix gaps before the clock runs out.
CCPA compliance deadlines at a glance
| Requirement | Effective Date | Small Business Deadline |
|---|---|---|
| Core CCPA rights (access, delete, correct, opt-out) | Already in effect | Now |
| New sensitive data categories (neural, minor data) | January 1, 2026 | Now |
| Privacy risk assessments (new processing activities) | January 1, 2026 | Now (submit to CPPA by April 1, 2028) |
| ADMT opt-out rights and pre-use notices | January 1, 2027 | Prepare now; comply by Jan 1, 2027 |
| Annual cybersecurity audit (under $50M revenue) | January 1, 2030 | Start planning in 2026-2027 |
How EDCON helps Southern California businesses with CCPA compliance
CCPA compliance isn't just a legal exercise: the core requirements (knowing what data you hold, securing it properly, managing vendor relationships, and responding to incidents) are exactly what good IT management looks like. The compliance framework and the security framework point in the same direction.
EDCON works with small businesses and childcare centers in Los Angeles, Ventura, Oxnard, Azusa, and the surrounding area to build the operational foundations that CCPA compliance rests on. In practice, this means:
- Data inventory and mapping. We help you identify every system that touches personal information (cloud apps, local servers, email platforms, third-party tools) and document what data flows where. This is the foundation for both your privacy policy and your risk assessment.
- Security controls documentation. Our managed IT clients already operate with documented endpoint protection, access controls, and incident response procedures. That documentation becomes the basis for your CCPA cybersecurity audit when the time comes.
- Vendor and contract review support. We help you identify which vendors need CCPA-compliant data processing agreements and flag the tools that may be creating unintended data sharing relationships.
- MDM and access control implementation. A significant portion of CCPA cybersecurity audit requirements relate to who can access personal information and how. Mobile Device Management and proper Microsoft 365 access controls directly address these requirements.
- Ongoing managed IT that keeps your posture documented. The cybersecurity audit requirement is annual. Having a managed IT partner that already maintains change logs, access records, and security policy documentation means you're not starting from scratch every year.
We are not a law firm and cannot provide legal advice on CCPA compliance. For legal questions about your specific obligations and how the law applies to your business, consult a California privacy attorney. What we do is handle the technology and operational infrastructure that your compliance program depends on, so that when your attorney says "you need to document your access controls and data flows," you can actually do it.
Frequently asked questions
Does CCPA apply to my small business if I'm not selling personal data?
Yes, potentially. CCPA covers businesses meeting any one of three thresholds, including collecting or sharing data on 100,000 or more California consumers per year. If your website uses Google Analytics or social media tracking tools alongside significant California traffic, you may already be "sharing" personal information under CCPA's definition, even without any revenue from data. Sharing with advertising networks and analytics platforms counts.
What counts as sensitive personal information under the 2026 CCPA updates?
The existing categories remain: Social Security numbers, precise geolocation, health information, financial account credentials, racial or ethnic origin, religious beliefs, and content of personal communications. The 2026 updates added neural data and, most significantly for businesses serving families, all personal information from anyone under 16 is now automatically sensitive, regardless of what type of information it is.
When does my small business need to complete its first CCPA cybersecurity audit?
Businesses with annual gross revenue under $50 million that still meet CCPA thresholds have until January 1, 2030. Larger businesses face a January 1, 2028 deadline. Risk assessments for data processing activities that were already underway before January 1, 2026 must be submitted to the CPPA by April 1, 2028. Use the time between now and those deadlines to document and strengthen your current controls.
How must my business respond when a customer requests to delete their personal information?
You must respond within 45 days. A one-time 45-day extension is allowed, but you must notify the consumer before the first period expires. The deletion must apply across all systems: your CRM, email platform, backups, and any service providers you've shared the data with. You must also confirm to the consumer that deletion was completed. Each affected consumer where deletion is incomplete is a separate violation.
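The request workflow from the checklist and the deletion rules in this answer are easy to state and easy to get wrong in practice, usually by granting a late extension or closing a request while a backup or a vendor still holds the data. The tracker below is an added example (not EDCON's tooling, and not a form prescribed by the CPPA) that encodes those rules: a 45-day window from receipt, at most one 45-day extension which can only be granted while the first window is still open, identity verification before fulfilment, and a per-system record of deletion confirmations so the request only reports as complete when every system in the inventory has confirmed. The dates, system names and request identifiers are constructed for illustration.

```python
"""CCPA consumer-request tracker (added example, not EDCON's tooling).

Tracks one deletion request against the rules described in the article:
respond within 45 days, one optional 45-day extension granted before the
first period expires, identity verified before fulfilment, and deletion
confirmed by every system and service provider holding the data before the
consumer is told the request is complete. All sample values are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional, Set

RESPONSE_DAYS = 45     # statutory response window
EXTENSION_DAYS = 45    # one extension of the same length


@dataclass
class DeletionRequest:
    consumer_id: str
    received: date
    systems: Set[str]                             # everywhere the data lives
    identity_verified: bool = False
    extension_granted_on: Optional[date] = None
    confirmed_deleted: Set[str] = field(default_factory=set)

    def first_period_end(self) -> date:
        return self.received + timedelta(days=RESPONSE_DAYS)

    def deadline(self) -> date:
        """Current due date, including the extension if one was granted."""
        if self.extension_granted_on is not None:
            return self.first_period_end() + timedelta(days=EXTENSION_DAYS)
        return self.first_period_end()

    def grant_extension(self, today: date) -> None:
        """Allowed once, and only while the first 45-day period is still open."""
        if self.extension_granted_on is not None:
            raise ValueError("only one extension is permitted")
        if today > self.first_period_end():
            raise ValueError("extension must be granted before the first period expires")
        self.extension_granted_on = today

    def record_deletion(self, system: str) -> None:
        """Log a deletion confirmation from one system or service provider."""
        if system not in self.systems:
            raise KeyError(f"{system} is not in the inventory for this request")
        self.confirmed_deleted.add(system)

    def outstanding(self) -> Set[str]:
        return self.systems - self.confirmed_deleted

    def status(self, today: date) -> str:
        if self.identity_verified and not self.outstanding():
            return "complete_notify_consumer"
        if today > self.deadline():
            return "overdue"
        return "in_progress" if self.identity_verified else "pending_verification"


def sample_walkthrough() -> dict:
    """Constructed request: received July 6, extended on day 35, one system still open."""
    req = DeletionRequest("c-1001", date(2026, 7, 6),
                          {"crm", "email_platform", "backups", "childcare_app_vendor"})
    req.identity_verified = True
    req.grant_extension(date(2026, 8, 10))     # inside the first window (ends Aug 20)
    for system in ("crm", "email_platform", "backups"):
        req.record_deletion(system)
    return {
        "deadline": req.deadline(),                      # Oct 4, 2026
        "outstanding": req.outstanding(),                # the vendor has not confirmed
        "status_on_day_60": req.status(date(2026, 9, 4)),
        "status_on_day_95": req.status(date(2026, 10, 9)),
    }


def extension_rules_hold() -> bool:
    """Return True if a late extension and a second extension are both refused."""
    req = DeletionRequest("c-2002", date(2026, 1, 1), {"crm"}, identity_verified=True)
    late = date(2026, 1, 1) + timedelta(days=RESPONSE_DAYS + 1)
    try:
        req.grant_extension(late)
        return False
    except ValueError:
        pass
    req.grant_extension(date(2026, 1, 20))
    try:
        req.grant_extension(date(2026, 1, 21))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for key, value in sample_walkthrough().items():
        print(f"{key}: {value}")
    print("extension rules enforced:", extension_rules_hold())
```

In the walkthrough the request stays "in_progress" on day 60 because the extension moved the deadline to October 4, but becomes "overdue" on day 95 because the vendor never confirmed deletion; the request never reports as complete while any system is outstanding, which is the condition the article warns carries a separate violation per consumer.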
Do childcare centers in California have to comply with CCPA?
It depends on size and data volume. For-profit childcare centers that collect data from a large number of children and families may meet the 100,000 consumer threshold even without $25M in revenue, particularly if data is shared with third-party management platforms. Under the 2026 rules, all personal information about children under 16 is sensitive data, meaning any covered childcare center faces significantly stricter obligations around enrollment records, photos, health data, and family contact information.
Ready to get your data house in order?
EDCON helps small businesses and childcare centers in Southern California build the IT infrastructure that CCPA compliance depends on: documented security controls, managed access, vendor oversight, and data governance. Start with a free consultation to understand where your current setup stands and what gaps need closing before enforcement catches up.