CCPA 2026: What the New Regulations Mean for How You Process Customer CSV Files

March 18, 2026
By SplitForge Team

Quick Answer

CCPA risk assessment requirements took effect January 1, 2026. If your organization processes California consumer data and your CSV workflows involve selling or sharing personal information, processing sensitive categories, or using automated decision-making, you are likely required to complete a privacy risk assessment before continuing those activities. First annual attestation is due to the CPPA by April 1, 2028, covering assessments conducted in 2026 and 2027. Fines reach $7,988 per intentional violation.


Fast Fix (2 Minutes)

If you process California customer CSVs and aren't sure whether the 2026 rules apply to you:

  1. Check whether your organization meets the CCPA threshold — annual gross revenues exceeding $26,625,000, OR processes 100,000+ consumers' personal information per year, OR derives 50%+ of revenue from selling personal information.
  2. Identify your CSV workflows — export lists, CRM imports, marketing segments, payroll files. Do any involve California residents?
  3. Check for significant risk triggers — selling or sharing personal information, processing sensitive personal information (location, biometric, health, financial), or using automated decision-making.
  4. If triggers apply — document a risk assessment for those activities before continuing. For activities begun before January 1, 2026, you have until December 31, 2027.
  5. Run your CSV through SplitForge Data Cleaner — strip unnecessary PII before processing to reduce the scope of what falls under risk assessment requirements.

TL;DR: CCPA 2026 made privacy risk assessments mandatory for significant-risk processing of California consumer data, effective January 1, 2026. Most organizations processing marketing CSVs, CRM exports, or customer lists need to assess whether their workflows qualify. The first mandatory reporting deadline to the CPPA is April 1, 2028. Processing only what you need — and doing it locally — reduces both exposure and assessment scope.



Most organizations running marketing campaigns, CRM imports, or customer analytics know the CCPA exists. Here's what changed in January 2026 that will actually affect your CSV workflows.

The California Privacy Protection Agency finalized new regulations covering risk assessments, automated decision-making, and cybersecurity audits. The Office of Administrative Law approved them September 23, 2025. They took effect January 1, 2026.

If you export customer lists to ad platforms, run ML scoring on behavioral data, or process precise location or health information for California residents — you are likely required to complete a documented privacy risk assessment before continuing those activities. The requirement isn't theoretical. The CPPA and California Attorney General can request your assessment at any time. You have 30 days to produce it.

If you can't produce it, that's up to $7,988 per intentional violation.

Each CSV workflow was assessed against 11 CCR § 7150 as documented by CPPA guidance and external legal analysis of the final regulations, March 2026.


What Changed in CCPA 2026

The CCPA has been in effect since 2020. The California Privacy Rights Act (CPRA) amendments followed. The 2026 regulations represent a third significant layer — regulations finalized by the CPPA covering three new areas:

1. Privacy risk assessments — mandatory before initiating processing activities that present "significant risk" to consumer privacy. Cite: 11 CCR § 7150(a).

2. Automated decision-making technology (ADMT) — notice and opt-out rights for consumers subject to ADMT that makes "significant decisions" (employment, credit, housing, healthcare). Compliance deadline: January 1, 2027.

3. Cybersecurity audits — annual audits required for businesses processing personal information that presents significant risk. Phased deadlines through 2030 based on revenue.

For CSV processing teams, risk assessments are the most immediately relevant change.

What this means for your CSV workflows:

  • If you export customer segments to ad platforms or data brokers, that workflow almost certainly requires a risk assessment before continuing
  • Cleaning, deduplicating, or merging internal CRM data with no third-party sharing likely does not trigger a risk assessment
  • The threshold question is not "does our CSV have personal data" — it's "does this specific processing activity meet the significant risk triggers"

If you do any of the following with California consumer data, you are likely in scope now:

  • Exporting lists to Meta Ads, Google Ads, or any ad platform → selling or sharing PI → risk assessment required
  • Uploading CRM lists to email marketing platforms for targeted campaigns → sharing PI → likely in scope
  • Processing health, financial, or precise location data in any CSV workflow → sensitive PI → risk assessment required
  • Running ML scoring or propensity models on customer behavior → ADMT rules apply from January 2027

Operator Rules: CCPA 2026

Short. Non-negotiable. Reference these before any California customer data workflow.

  • If you send a CSV to an ad platform, you're selling or sharing PI — assume a risk assessment is required
  • If your CSV contains health, financial, or location data, assume a risk assessment is required
  • "We've been doing this for years" is not an exemption — ongoing activities need assessments by December 31, 2027
  • Data minimization is your first lever — strip fields before processing, not after
  • If you can't produce a risk assessment within 30 days of a regulator request, you are not compliant

Do I Need a Risk Assessment? (Decision Path)

Run through this before your next significant CSV workflow involving California customer data:

Does your organization meet the CCPA threshold?
($26.6M revenue OR 100K+ consumers' data per year OR 50%+ revenue from selling PI)
│
├── NO → CCPA does not apply. Stop here.
│
└── YES → Does your CSV workflow involve California consumers?
           │
           ├── NO → No CCPA risk assessment needed for this workflow.
           │
           └── YES → Does the workflow trigger a "significant risk" category?
                      │
                      ├── Selling/sharing PI with third parties → YES → Risk assessment required
                      ├── Processing sensitive PI (health, financial, precise location, minors) → YES → Required
                      ├── Automated decision-making for employment/credit/housing → YES → Required (Jan 2027)
                      ├── Internal deduplication, cleaning, formatting only → Likely NO → Not required
                      └── Merging public business contact data → Likely NO → Not required
                      │
                      └── TRIGGERED → Did the activity start before Jan 1, 2026?
                                       ├── YES (ongoing) → Complete assessment by Dec 31, 2027
                                       └── NO (new) → Complete assessment before starting

When in doubt: document first, process second. An assessment that's not needed costs little. Missing a required one costs up to $7,988 per intentional violation.


Which CSV Processing Activities Trigger Risk Assessments

As of January 1, 2026, the CCPA requires businesses to complete a risk assessment before initiating any personal information processing activity involving "significant risk."

"Significant risk" is defined by specific triggers, not a general standard. Under 11 CCR § 7150(b), the activities most likely to affect CSV workflows are:

| CSV Activity | Significant Risk Trigger | Assessment Required? |
| --- | --- | --- |
| Exporting customer email lists for ad targeting | Selling or sharing personal information | Yes |
| Processing customer health or financial data | Sensitive personal information | Yes |
| Segmenting customers by precise geolocation | Sensitive personal information | Yes |
| Importing employee payroll data | Processing HR data for employment decisions | Yes |
| Cleaning and deduplicating a CRM export | No selling, no sensitive categories | Likely no |
| Merging CSV files with public business contact data | No sensitive categories | Likely no |
| Using ML scoring on customer behavior data | ADMT making significant decisions | Yes (ADMT rules apply Jan 2027) |

The table covers common patterns. Whether a specific workflow triggers assessment depends on data types, purpose, and volume. Legal counsel should make the final call.

What this means for your CSV workflows today:

  • Run the decision path above before any new customer data workflow involving California residents
  • For existing workflows: inventory them against the triggers table and prioritize risk assessments for the highest-risk activities before December 31, 2027
  • Data minimization is your first lever — removing sensitive fields before processing can move a workflow from "assessment required" to "likely not required"

Key Deadlines

January 1, 2026 → Risk assessment requirement in effect for NEW processing activities
December 31, 2027 → Risk assessments due for ONGOING activities that predated Jan 1, 2026
April 1, 2028 → First annual attestation and summary due to CPPA (covering 2026 and 2027)
January 1, 2027 → ADMT notice and opt-out obligations take effect
April 1, 2028–2030 → Cybersecurity audit deadlines (staggered by revenue)

The first annual attestation is due April 1, 2028 and must include risk assessments conducted in 2026 and 2027. The attestation must be signed under penalty of perjury by a member of executive management directly responsible for risk-assessment compliance.


What a Risk Assessment Requires

The CCPA risk assessment is not a checkbox form. Under 11 CCR § 7152, assessments must document:

  • The processing activity and its purpose
  • The categories of personal information involved
  • Benefits of the processing to the business and consumers
  • Risks to consumers, including unauthorized disclosure, discrimination, financial harm
  • Safeguards implemented to reduce those risks
  • Whether the benefits outweigh the risks

Businesses must review and update risk assessments at least once every three years or if there is a material change in the processing activity.

The CPPA and California Attorney General can request any risk assessment at any time. Upon request, the business must provide the assessment within 30 days.

What this means for your CSV workflows:

  • Start documenting now — even informal notes on processing purpose, data categories, and safeguards form the basis of a compliant assessment
  • The 30-day response window is short — assessments need to exist before a request, not be created in response to one
  • Treat each distinct CSV workflow (marketing exports, analytics pipelines, HR files) as a separate processing activity requiring its own assessment

For the full pre-processing privacy checklist, see our privacy review before sharing CSV guide. For how CCPA compares to GDPR obligations on the same workflow, see our GDPR-compliant CSV processing guide.


The Data Minimization Angle

CCPA risk assessments aren't just a paperwork exercise. They're an opportunity to reduce the scope of what you're assessing in the first place.

Many customer CSV exports contain more personal information than the workflow actually requires. A marketing segment export might include full name, email, phone, address, date of birth, purchase history, and account notes — when the campaign only needs email and a segment flag.

The more fields your CSV contains, the broader the scope of any risk assessment. Stripping unnecessary fields before processing reduces that scope. It also aligns with the CCPA's general data minimization principles and GDPR Article 5(1)(c) if you're handling EU data alongside California data.

❌ OVER-COLLECTED (typical CRM export before cleanup):
first_name,last_name,email,phone,dob,address,city,state,zip,
purchase_history,account_notes,credit_score,health_flag,
last_login,device_id,ip_address,campaign_source

Most of these fields aren't needed for a reactivation email campaign.
Processing all of them expands your CCPA significant-risk footprint.

MINIMIZED (what the campaign actually needs):
email,segment_flag,last_purchase_date,unsubscribed

Many CSV tools upload your file to a remote server to process it. For files containing California customer personal information, that upload occurs before any minimization — creating unnecessary exposure. Under CCPA, processing sensitive personal information triggers risk assessment requirements. Uploading to a cloud tool creates an additional processing event. SplitForge processes files locally in your browser via Web Worker threads. The file is not transmitted to any server. Minimize your CSV fields locally, then use or share only what the workflow requires.
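The minimization step described above, as an added example (not SplitForge's code and not part of the original post): an allowlist-driven column filter in plain JavaScript that runs locally in a browser or Node and fails closed when an expected column is missing. The sample rows, the `SENSITIVE_HINTS` list and all function names are constructed for illustration.

```javascript
// Added example: allowlist-based CSV minimization, run locally (browser or Node).
// SENSITIVE_HINTS is a constructed, name-based heuristic, not a legal classification.
const SENSITIVE_HINTS = ['ssn', 'dob', 'phone', 'address', 'credit', 'health', 'device_id'];

// Parse CSV text, honoring quoted fields, escaped quotes ("") and embedded newlines.
function parseCsv(text) {
  const rows = [];
  let row = [], field = '', inQuotes = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (inQuotes) {
      if (c === '"' && text[i + 1] === '"') { field += '"'; i++; }
      else if (c === '"') inQuotes = false;
      else field += c;
    } else if (c === '"') inQuotes = true;
    else if (c === ',') { row.push(field); field = ''; }
    else if (c === '\n' || c === '\r') {
      if (c === '\r' && text[i + 1] === '\n') i++;
      row.push(field); field = '';
      rows.push(row); row = [];
    } else field += c;
  }
  if (field !== '' || row.length) { row.push(field); rows.push(row); }
  return rows;
}

// Re-quote a field only when it contains a delimiter, quote or line break.
function encodeField(v) {
  return /[",\r\n]/.test(v) ? '"' + v.replace(/"/g, '""') + '"' : v;
}

// Keep only allowlisted columns (in allowlist order); report what was dropped.
function minimizeCsv(text, allowlist) {
  const [header, ...body] = parseCsv(text);
  const names = header.map(h => h.trim().toLowerCase());
  const missing = allowlist.filter(a => !names.includes(a));
  // Fail closed: a renamed or missing column should stop the export, not shift data.
  if (missing.length) throw new Error('Allowlisted columns not in file: ' + missing.join(', '));
  const keep = allowlist.map(a => names.indexOf(a));
  const dropped = names.filter(n => !allowlist.includes(n));
  const droppedSensitive = dropped.filter(n => SENSITIVE_HINTS.some(h => n.includes(h)));
  const out = [allowlist, ...body.map(r => keep.map(i => r[i] ?? ''))];
  const csv = out.map(r => r.map(encodeField).join(',')).join('\n') + '\n';
  return { csv, dropped, droppedSensitive };
}

// Constructed sample export (not real customer data).
const SAMPLE = [
  'first_name,last_name,email,phone,dob,address,credit_score,health_flag,account_notes,segment_flag,last_purchase_date,unsubscribed',
  'Ana,Diaz,ana@example.com,555-0100,1990-01-02,"1 Main St, Apt 4",710,1,"Called re: ""refund""",reactivate,2025-11-03,false',
  'Bo,Lee,bo@example.com,555-0101,1985-06-07,9 Oak Ave,650,0,,reactivate,2025-08-19,true',
].join('\n') + '\n';

const CAMPAIGN_FIELDS = ['email', 'segment_flag', 'last_purchase_date', 'unsubscribed'];
const result = minimizeCsv(SAMPLE, CAMPAIGN_FIELDS);
console.log(result.csv);
console.log('Dropped sensitive-looking columns:', result.droppedSensitive.join(', '));
```

The `dropped` and `droppedSensitive` lists can be recorded alongside the workflow's risk assessment notes as evidence of which fields were removed before processing.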


The Sensitive Personal Information Category

CCPA 2026 expanded the definition of sensitive personal information relevant to CSV workflows. Processing sensitive PI that involves "significant risk" triggers risk assessment requirements.

Sensitive personal information categories relevant to CSV processing:

  • Social Security numbers, driver's license numbers, state ID numbers
  • Financial account numbers, credit/debit card numbers
  • Precise geolocation (within 1,850 feet radius)
  • Racial or ethnic origin, religious beliefs, union membership
  • Contents of consumer's mail, email, or text messages
  • Genetic data, biometric data for unique identification
  • Health data, medical information
  • Data of consumers under 16 — added significance under CCPA 2026

If your CSV contains any of these categories and you're processing it in ways that affect California residents, assess whether a risk assessment is required before the next processing cycle.


Fines and Enforcement

The CCPA penalty structure applies to the 2026 regulations:

  • Up to $2,500 per unintentional violation
  • Up to $7,988 per intentional violation (amount adjusted for CPI — verify current figure at cppa.ca.gov/regulations/cpi_adjustment.html)
  • Violations involving the personal information of minors: up to 3x the applicable fine

The CPPA and California Attorney General share enforcement authority. The Agency and the California Attorney General will still have the authority to request any risk assessment report, which must be submitted to the Agency or AG within 30 calendar days of the request.


CCPA 2026 vs GDPR: Quick Comparison

Many organizations handling California customer data also handle EU customer data. The frameworks share DNA but differ in important ways for CSV workflows:

| Dimension | CCPA 2026 | GDPR |
| --- | --- | --- |
| Risk assessment trigger | "Significant risk" processing | High-risk processing (DPIA required) |
| Who it covers | California consumers | EU/EEA data subjects |
| Enforcement | CPPA + California AG | National DPAs |
| Key deadline | April 1, 2028 (first attestation) | Ongoing — DPIA required before high-risk processing begins |
| Data minimization | Implied by risk reduction principles | Explicit — Art. 5(1)(c) |
| Fines | Up to $7,988/intentional violation | Up to €20M or 4% of global turnover |

If your CSV workflows serve both California and EU customers, you likely need both a CCPA risk assessment and a GDPR DPIA for overlapping high-risk processing activities. They can be conducted together but must address each framework's specific requirements.

For a complete overview of privacy regulations and how client-side processing addresses each one, see our privacy-first data processing guide.


Disclaimer: This post is for informational purposes only and does not constitute legal advice. CCPA compliance depends on your specific architecture, data types, processing activities, and jurisdiction. Consult qualified legal counsel before drawing compliance conclusions.


FAQ

The CCPA applies based on the consumers whose data you process, not your company's location. If you process personal information of California residents and meet the revenue or volume thresholds ($26,625,000 annual revenue, OR 100,000+ consumers' data per year, OR 50%+ of revenue from selling personal information), the CCPA applies — regardless of where your business is incorporated or headquartered.

Under CCPA, "selling" includes sharing personal information with third parties for cross-context behavioral advertising — even without a direct financial transaction. Exporting a customer list CSV to an ad platform or data broker for targeting purposes may constitute a "sale or share" that triggers risk assessment requirements. Internal sharing between business units generally does not.

No. Risk assessments are required per processing activity, not per file. If you regularly export customer segments for email campaigns, that's one activity requiring one assessment — not a separate assessment for each export. The assessment covers the activity type, data categories, and safeguards across all instances of that activity.

Both are pre-processing assessments for high-risk activities, but they differ in scope and structure. GDPR DPIAs (Data Protection Impact Assessments) are required under Article 35 before beginning high-risk processing and must include a consultation with supervisory authorities if risks cannot be mitigated. CCPA risk assessments under 11 CCR § 7150 are required before "significant risk" processing, with reporting due to the CPPA annually. If you handle both EU and California data, the assessments can be conducted together but must address each framework separately.

For processing activities that predate the regulations but continue after their effective date, businesses need to complete risk assessments no later than December 31, 2027. This two-year window exists specifically for ongoing activities. However, regulators have noted businesses should not wait until the deadline — early completion reduces enforcement exposure and supports readiness for the April 1, 2028 attestation.

Yes — data minimization directly reduces the scope of what requires risk assessment. If a CSV export originally containing health data and financial information is trimmed to include only email and a campaign flag, the remaining data may no longer trigger sensitive personal information requirements. This is why minimizing before processing — not after — matters. Stripping unnecessary fields locally before any upload eliminates fields from your processing footprint entirely.


Process California Customer Data Without Adding to Your Compliance Footprint

Strip unnecessary PII fields before any processing — reduce what falls under risk assessment scope
Process locally in your browser — no server upload means no additional processing event to document
Files never leave your machine — CCPA, GDPR, and HIPAA exposure reduced at the architecture level
Handle files with millions of rows without uploading sensitive customer data to a cloud tool
