When Privacy Compliance Becomes Personal: The CCPA’s New Accountability Regime

As a General Counsel, I've watched privacy regulations mature from vague principles into prescriptive frameworks. This time, though, the shift is fundamental, and personal.

In September 2025, the California Privacy Protection Agency (CPPA) finalized the latest set of CCPA regulations, extending well beyond notice requirements and consumer rights. These new rules introduce something we’ve never seen in U.S. privacy law: personal accountability for executives responsible for privacy, cybersecurity, and AI governance.

What’s New and Why It Matters

The regulations take effect January 1, 2026. From that date, businesses meeting the CCPA's applicability thresholds must:

  • complete annual, independent cybersecurity audits and submit to the CPPA a certification that each audit was completed (the audit report itself stays with the business and must be produced on request); and

  • conduct privacy risk assessments before starting data-processing activities that present a "significant risk" to consumers, including the use of automated decision-making technology (ADMT) for significant decisions about consumers, and submit an attestation and summary information to the CPPA.

The filing deadlines are phased: the first risk-assessment submission, covering assessments conducted in 2026 and 2027, is due April 1, 2028. The first cybersecurity-audit certification is also due April 1, 2028 for the largest businesses (annual gross revenue over $100 million), with smaller businesses following on April 1, 2029 and April 1, 2030.

And here’s the inflection point: those submissions must be personally certified by a designated executive.

The regulation requires the certifying individual, a member of executive management who is directly responsible for the relevant compliance program and in practice typically the Chief Privacy Officer, Chief Information Security Officer, or General Counsel, to attest under penalty of perjury that:

  1. The submission is complete and accurate;

  2. The business did not attempt to influence the auditor’s findings; and

  3. The attestation reflects the executive’s personal knowledge of the company’s practices.

That transforms privacy compliance from a documentation exercise into a personal legal risk.

From Sarbanes–Oxley to CCPA: A Shift in the Governance Map

This model borrows heavily from the Sarbanes–Oxley Act (SOX), the corporate-governance reform that forced CEOs and CFOs to personally certify financial statements after the Enron era. But the CCPA’s approach expands that accountability paradigm in three decisive ways:

1. Broader reach

SOX applies only to public companies. The CCPA’s certification requirement reaches any business meeting the CCPA thresholds, meaning private SaaS startups, health-tech companies, government contractors, and digital platforms operating in California are now within scope.

2. Different certifiers

SOX targeted financial reporting executives. The CCPA shifts the burden to those closest to the data — privacy, security, and technology leadership. In practice, that means CISOs, CPOs, or GCs are the ones signing their names to attestations.

3. Perjury risk

SOX certifications are filed with the SEC, and Section 906 already attaches criminal penalties to a knowingly false one. The CCPA borrows that lever but points it at a different signer and a different filing: a privacy or security executive signs a submission to a state regulator under penalty of perjury, so a knowingly false certification exposes that individual to prosecution under California's perjury statute, not just the business to administrative penalties. It's the first time a U.S. privacy regime has used criminal exposure as a lever to enforce executive accountability.

Where AI Fits In: Automated Decision-Making in the Crosshairs

The regulations treat automated decision-making technology, including AI systems that profile, score, or predict consumer behavior, as a trigger for the same risk-assessment and certification requirements when it is used to make a "significant decision" about a consumer or for "extensive profiling."

That means:

  • If your company uses AI or other automated logic to evaluate risk, automate approvals, or profile consumers in ways that cross those thresholds, you'll need a documented risk assessment, completed before the processing begins.

  • That assessment must explain the purposes, benefits, and potential harms of the processing, and describe how risks are mitigated.

  • The executive attestation must cover those AI systems just as it does cybersecurity audits.

In effect, California has just made AI governance a certifiable compliance domain, not a best-effort ethical initiative.

For legal and compliance leaders, this merges three previously distinct risk spheres: privacy law → cybersecurity oversight → AI accountability. And it does so through the one mechanism executives can't delegate: their signature.

What General Counsels and CISOs Should Do Now

  1. Map roles and responsibilities.
    Identify who within the organization has sufficient authority and knowledge to serve as the attesting executive. This will likely require formal delegation and documentation at the board level.

  2. Re-evaluate governance workflows.
    Risk assessments and audits can no longer be compliance exercises handled in isolation by IT or privacy teams. Legal must be embedded in the design and validation process to ensure defensibility.

  3. Create sub-certification layers.
    Just as SOX programs rely on internal control attestations from department heads, privacy and cybersecurity teams should develop sub-certification templates that roll up to the executive signer.

  4. Update D&O insurance.
    Review whether existing Directors & Officers or Errors & Omissions coverage extends to state-level privacy attestations and perjury exposure. Many policies currently do not.

  5. Integrate AI governance.
    For any system using machine learning or automated decision logic, establish a repeatable risk-assessment framework now, including data provenance, bias evaluation, and model-update tracking, so that the assessments you must conduct from 2026, and the filings that follow, aren't a scramble.

  6. Prepare for regulatory submission.
    Unlike internal audits, these filings go directly to the CPPA. The supporting documentation must be organized, version-controlled, and reviewable.

The Bigger Picture

The CCPA’s new rules reflect a global shift in how regulators think about accountability. Europe has already moved in this direction under the EU AI Act and GDPR, which tie specific obligations to “controllers” and “senior management.” California’s framework does the same, but with a distinctly American twist: personal attestation backed by criminal penalties.

It's a message to boards and executives alike: governance isn't an abstract concept anymore; it's a signed statement of fact.

Closing Thought

For GCs, CISOs, and privacy leaders, the CCPA's accountability regime represents a turning point. It's no longer enough to oversee compliance; you must be able to certify it. And when that certification carries the weight of perjury, governance must be more than policy. It must be provable truth.
