California is making executives personally certify privacy compliance

Starting in 2026, California's privacy regulations push risk assessment and cybersecurity audit certifications onto a named executive under penalty of perjury. The exposure is national, not just California.

California’s Privacy Protection Agency finalized regulations in late 2025 that change how privacy enforcement reaches individual people. Starting in 2026, businesses that meet CCPA thresholds and engage in certain high-risk processing have to produce risk assessments and cybersecurity audits, and those filings have to be signed by a named member of executive management under penalty of perjury. The signature certifies, on personal knowledge, that the underlying assessment is true and that no one inside the company improperly influenced the auditor. The first batch of filings is due to the agency on April 1, 2028, with risk-assessment performance obligations starting in 2026 and ADMT and audit-period obligations starting in 2027.

The geographic reach is the part most companies misread. The regulations apply to any business that meets the CCPA thresholds and processes the personal information of California residents, regardless of where the business is headquartered. A Florida company with California customers, a New York company with a California-facing app, a Texas SaaS with California end users: they are all in scope. The executive who signs is signing in whatever state they live in, but the perjury statute they are signing under is California's, and perjury in California is a felony carrying up to four years of state prison exposure.

There are two operational problems baked into this design. The first is that the executive is being asked to certify the accuracy of technical assessments that the executive is not technically qualified to evaluate. A general counsel or a CISO can read a cybersecurity audit, but the audit itself is built on representations from engineers about systems whose behavior is often poorly documented and sometimes poorly understood even by the people who built them. A risk assessment for an ADMT system is even harder, because the ADMT compliance rules that take effect in 2027 cover automated decision-making technology where the model’s actual decision logic may not be inspectable. The executive is signing for accuracy on an artifact whose accuracy is intrinsically uncertain.

The second is that the executive is certifying that no one inside the company attempted to influence the auditor. In a large organization with hundreds of employees who interact with the auditor over weeks or months, the executive has no plausible way to verify this directly. The only defensible answer is a sub-certification process, where each functional leader certifies, for their domain, that the information provided to the auditor was complete and unbiased and that no improper influence was attempted. The executive then certifies based on those sub-certifications. That structure does not eliminate the executive’s exposure, but it converts a personal-knowledge representation into a representation based on a documented chain of subordinate attestations, which is the difference between a defensible filing and a personal felony exposure.

There are three other operational moves worth making this year. First, look at D&O policies. Most existing D&O coverage is silent or ambiguous on whether it covers defense costs for criminal proceedings tied to good-faith errors in regulatory certifications. The renewal cycle is the right time to ask the broker for clarifying endorsements rather than discovering the gap during an investigation. Second, decide whether the cybersecurity audit is internal or external. Internal audits cost less, but they require the auditor to be insulated from any executive with cybersecurity responsibility, which is structurally awkward in most organizations and harder to certify around. External audits cost more, but they give the certifying executive an independent professional opinion to rely on, which materially reduces personal exposure. Third, get the named executive identified now, not on the eve of filing. The person who signs needs lead time to build the sub-certification framework and to actually understand the artifacts they will be certifying.

The broader signal here matters beyond California. Privacy enforcement has spent a decade aimed at corporate entities, with consent decrees, fines, and reputational consequences flowing to the company rather than to individuals. California's choice to push the signature onto a named person and to back it with criminal perjury is a deliberate move toward an SEC-style executive-accountability model for data practices. Other states are likely to copy this design within the next two years, with their own perjury statutes, their own filing windows, and their own definitions of who counts as the responsible executive. The work to prepare for the California version is also the work to prepare for the others. The executive who has not started thinking about this yet has about fifteen months before the first signature is due.