RiskWatch
CCPA + CPRA · Jan 2026 CPPA regs effective

CCPA + CPRA, the way the CPPA wants them.

New CPPA regulations effective January 1, 2026: cybersecurity audits, risk assessments, ADMT requirements, and the mandatory “Opt-Out Request Honored” signal. 8,265+ CCPA consumer complaints in 2024–2025. DSAR automation on the 45-day clock, the service-provider cascade you can prove, and the cybersecurity audit deliverables CPPA now mandates.

  • CCPA + CPRA + January 2026 CPPA regulations
  • DSAR automation on the 45-day fulfillment clock
  • Service-provider cascade · §1798.140 + §1798.105(c)
  • ADMT + cybersecurity audit deliverables
No credit card · CCPA + CPRA + 2026 regs ship day 1
CCPA §1798.130 · DSAR 45-day clock

45 days. Both ways. Verification day-0 to delivery day-45.

  • Day 0 · Receipt + verification (0%): Identity verification per CCPA §1798.140; auto-acknowledge within 10 days
  • Day 1–5 · Subject identification (11%): Match across data systems · the bottleneck for most teams
  • Day 6–25 · Data collection (55%): Pull records from CRM, support, billing, marketing, product analytics
  • Day 26–35 · Review + redaction (78%): Privilege check · third-party data redaction · format conversion
  • Day 36–45 · Response + audit log (100%): Deliver to subject · log for CPPA review · close the clock

Active queue · 6 consumer rights

  • Right to know (§1798.110): 47 · avg 18d
  • Right to delete (§1798.105): 23 · avg 22d
  • Right to correct (§1798.106): 12 · avg 14d
  • Right to opt-out (§1798.120): 89 · avg 8d
  • Limit use SPI (§1798.121): 16 · avg 19d

187 fulfilled · 0 missed clocks · 0 complaints

Manual = 3 weeks. We ship in 18 days.

What it is

What is CCPA + CPRA compliance software?

8,265+ CCPA consumer complaints in 2024–2025. The 45-day DSAR clock counts both ways. RiskWatch runs identification, collection, redaction, and delivery on a single timeline, fans deletion through every service-provider tier per §1798.105(c), and ships the §1798.140(ag) 6-term contract checks the CPPA wants in your audit. Aligned to the California Consumer Privacy Act and the January 1, 2026 CPPA regulations: cybersecurity audits, ADMT compliance, opt-out signals, and all six consumer rights.

Why teams move to RiskWatch

DSARs come in at 5x your team size. The 45-day clock counts both ways.

8,265+ CCPA consumer complaints in 2024–2025, rising scrutiny on data subject rights. Manual DSAR workflows take 3–4 weeks per request. The January 2026 regulations added cybersecurity audits + ADMT + mandatory opt-out confirmations. Here's where the pain compounds.

Pain #1

DSARs come in at 5x your team size. Manual = 3-week turnaround.

Captain Compliance reported 8,265+ CCPA consumer complaints in 2024–2025. The 45-day clock counts both ways, late = violation. Subject identification is the bottleneck (matching the consumer to records across CRM, support, billing, marketing). Auto-discovery from your data systems cuts identification from days to hours; the 45-day clock becomes 18 days, not 31.

Pain #2

You sent the deletion request to your service providers. Then what?

§1798.105(c) requires the deletion to cascade through every service provider. §1798.140(ag) requires 6 specific contract terms. CPPA holds you responsible for the cascade, not your service providers. Service-provider register tracks every contract, every cascade event, and every confirmation back from each tier, visible to CPPA on demand.

Pain #3

January 1, 2026: cybersecurity audits + ADMT + opt-out signals.

The new 2026 regs added cybersecurity audits, automated decision-making technology requirements, and the mandatory “Opt-Out Request Honored” signal. Mid-market ongoing cost: $75K–$200K. ADMT inventory, risk-assessment workflows, cybersecurity audit deliverables, and signal implementation are built into the platform, not bolted on.

§1798.140 + §1798.105(c)

You don't pass liability by signing a contract.

§1798.140(ag) requires 6 specific terms in every service-provider contract. §1798.105(c) requires deletion to cascade through every tier, including sub-processors. CPPA holds the business responsible for the cascade. Most teams sign DPAs, file them, and assume they're covered. They're not, until they can prove the cascade ran end-to-end.

  • Service-provider register: every contract tracked for the 6 §1798.140(ag) terms; renewal alerts surface gaps
  • Deletion fan-out: deletion request fans through every tier; confirmations captured at each stop
  • Sub-processor visibility: §1798.140(ag)(5) sub-processor list maintained per service provider
  • CPPA-ready audit log: cascade status, contract terms, and confirmations, packaged for an audit on demand

§1798.140 + §1798.105(c) · cascade

Deletion request fan-out · 4 tiers verified

  • Business: Acme Inc. (Origin)
  • Service Provider: Salesforce · CRM (Cascaded)
  • Service Provider: Stripe · Payments (Cascaded)
  • Service Provider: Zendesk · Support (Pending)
  • Sub-processor: Twilio (via Zendesk) (Pending)

§1798.140(ag) · 6 mandatory contract terms

  • Limit use to specified business purpose · §1798.140(ag)(1)
  • Prohibit sale or sharing of PI · §1798.140(ag)(2)
  • Prohibit retention beyond purpose · §1798.140(ag)(3)
  • Cooperate with consumer rights requests · §1798.140(ag)(4)
  • Notify business of sub-processors · §1798.140(ag)(5)
  • Allow business to monitor compliance · §1798.140(ag)(6)

Cascade status visible to CPPA in audit. You don't pass liability by signing.

DSAR · the 45-day clock

Subject identification is where the time goes.

Day 0 is receipt. Day 45 is delivery. In between is the work most teams under-resource: verifying the consumer, identifying every record across your stack, redacting third-party data, formatting the response, and capturing the audit log. Auto-discovery from CRM, support, billing, marketing, and product analytics turns the 31-day request into the 18-day request, without overtime.

Every right (know, delete, correct, opt-out, limit SPI, non-discrimination) has a separate workflow because the evidence trail differs. The audit log is the artifact CPPA wants in a complaint investigation.

DSAR backlog went from 3 weeks behind to 2 weeks ahead. Subject identification was the bottleneck, auto-discovery cut it from days to hours.
Aoife C.
Head of Privacy · E-commerce · 5,200 employees · CA-resident customer base

  • DSAR turnaround: ↓ 60% (31d → 18d avg)
  • Cascade confirmations: 100% (all tiers verified)
  • Time-to-deploy: 4 weeks (first cycle)

PDF · 32 pages · January 2026 ready

CCPA + CPRA 2026 Readiness Pack

Thirty-two pages covering the 2026 CPPA regulations, the DSAR 45-day workflow, the §1798.140 service-provider contract template (all 6 mandatory terms), the §1798.105(c) cascade playbook, ADMT inventory worksheet, and cybersecurity audit checklist.

  • January 2026 CPPA regulations breakdown
  • §1798.140(ag) service-provider contract template
  • DSAR 45-day workflow + 6 consumer rights
  • ADMT inventory + cybersecurity audit checklist

Looking for CCPA ↔ GDPR ↔ LGPD crosswalk or the platform buyer's guide? Find them on the compliance frameworks hub.

FAQ

Common questions, answered up front.

About CCPA, CPRA, the 2026 CPPA regulations, the 45-day DSAR clock, the service-provider cascade, ADMT, and cybersecurity audits.

What is CCPA + CPRA compliance software?
CCPA + CPRA compliance software is a platform that helps businesses operationalize their California privacy program: Data Subject Access Requests, the 6 consumer rights, service-provider oversight, the mandatory 'Opt-Out Request Honored' signal, and (as of January 1, 2026) the cybersecurity audits, risk assessments, and ADMT requirements added by the new CPPA regulations. RiskWatch covers the 45-day DSAR clock, the §1798.140(ag) service-provider contract terms, the §1798.105(c) deletion cascade, ADMT inventory, cybersecurity audit deliverables, and cross-mapping to GDPR + UK GDPR + LGPD on the compliance-frameworks hub.
What changed January 1, 2026?
The CPPA's new regulations added four major requirements: (1) annual cybersecurity audits for businesses meeting the threshold, with a written audit deliverable; (2) risk assessments for processing that presents significant risk to consumer privacy; (3) automated decision-making technology (ADMT) requirements: pre-use notice, opt-out rights, and access rights for any consequential automated decision; (4) a mandatory 'Opt-Out Request Honored' confirmation signal displayed to consumers after they opt out. Mid-market ongoing cost is estimated at $75K–$200K. RiskWatch ships all four on day 1.
How does the 45-day DSAR clock work?
§1798.130 requires a response within 45 calendar days of receipt of a verifiable consumer request, with one 45-day extension possible if necessary (and the consumer notified within the first 45 days). The clock starts at receipt; verification happens within that window. Manual workflows typically run 3–4 weeks per request because subject identification (matching the consumer to records across CRM, support, billing, marketing, product analytics) is the bottleneck. RiskWatch's DSAR queue auto-discovers records from your data systems, walks through verification + collection + redaction + delivery, captures the audit log for CPPA, and closes the clock.
How does the service-provider cascade work?
§1798.105(c) requires that when you receive a deletion request, you direct every service provider and contractor to delete the consumer's personal information from their records, and §1798.140(ag) requires 6 specific terms in your service-provider contracts (limit use to specified purpose, prohibit sale, prohibit retention beyond purpose, cooperate with rights requests, notify of sub-processors, allow monitoring). RiskWatch's service-provider register tracks every contract for the 6 terms, fans out deletion requests through every tier, captures confirmations back from each, and surfaces the cascade status to CPPA in an audit.
What is ADMT and how does the platform handle it?
ADMT stands for Automated Decision-Making Technology. The 2026 regs require businesses using ADMT for 'consequential' decisions (employment, education, housing, healthcare, financial services, criminal justice, essential goods/services) to provide pre-use notice, opt-out rights, and access rights. RiskWatch maintains an ADMT inventory with the decision type, training data sources, accuracy metrics, opt-out workflow, and access-request workflow per system. Risk assessments per §11 of the new regs are documented and refreshed.
Does the platform support CCPA + GDPR + LGPD simultaneously?
Yes, but cross-framework mapping lives on the /compliance-frameworks/ hub rather than on this page. RiskWatch maps each CCPA right to its counterpart under GDPR, UK GDPR, LGPD, PIPEDA, and Australian Privacy Act. Most multinational privacy programs run 4+ regimes; one platform reduces duplication by 60–70%.
Is there a free trial?
Yes. The 30-day free trial requires no credit card and includes full access: DSAR queue, service-provider register, ADMT inventory, cybersecurity audit deliverables, opt-out signal implementation, and the 6 consumer rights workflows. You can run a real CCPA + CPRA + 2026 readiness assessment against your own organization and decide before purchasing.
Ready for the 2026 CPPA regs?

Ship 2026-ready CCPA this week.

Start a 30-day free trial: DSAR queue, service-provider register, ADMT inventory, cybersecurity audit deliverables, and the 6 consumer rights workflows. No credit card required.
