On September 22, 2025, California’s Office of Administrative Law approved the CPPA’s risk-assessment, ADMT, and cybersecurity-audit regulations. They took effect on January 1, 2026. For WooCommerce stores selling broadly into California, this is not employment-law news. The CPPA’s own fact sheet names tools that place consumers into audience groups for ad targeting as automated decisionmaking technology — and any store that crosses the 100,000-California-consumer threshold while running Meta Pixel, Google Ads tag, or TikTok pixel now has until December 31, 2027 to produce a documented risk assessment the agency can demand on request.
Seresa is not a law firm. This article is operational architecture commentary. Talk to qualified California privacy counsel before relying on any specific position taken below.
What Took Effect on January 1
The Office of Administrative Law approved the regulation on September 22, 2025 (California Privacy Protection Agency announcement). Three regulatory packages came online together: risk assessments, automated decisionmaking technology rules, and cybersecurity audits. The risk-assessment piece is the one that catches ecommerce.
Risk assessments are required before a business engages in any high-risk personal-information processing. For new high-risk activities started on or after January 1, 2026, the assessment must already be complete. For activities already underway on January 1 — the configuration most existing WooCommerce stores are in — there is a grace period until December 31, 2027 to produce the documentation (Goodwin Procter analysis, July 2025).
ADMT-specific notice and opt-out requirements activate separately on January 1, 2027 (Akin Gump analysis, 2025). The risk-assessment requirement does not wait for that date.
Are You Covered? The Threshold Test
The CCPA applies to for-profit businesses that meet at least one of three thresholds (California Civil Code §1798.140):
- Annual gross revenue over $25 million
- Buying, selling, or sharing the personal information of 100,000 or more California consumers per year
- Deriving 50% or more of annual revenue from selling or sharing personal information
The middle threshold is the one most often missed. A WooCommerce store doing $8M in national revenue with 12% of orders shipping to California is below the revenue floor — but if it serves 100,000 California-resident sessions annually with retargeting cookies set, the second threshold engages. Personal information includes IP address, device identifier, and cookies under the CCPA’s expanded definition. You can clear the threshold without selling a single product to a Californian, simply by serving ads to them.
What Triggers a Risk Assessment?
The CPPA’s final regulations name six triggers (Coblentz Law analysis, August 2025). Any one of them activates the requirement:
- Selling or sharing personal information
- Processing sensitive personal information
- Using ADMT for a significant decision
- Automated processing to infer attributes about a consumer — this is where ad-targeting audiences live
- Automated processing in sensitive locations (medical facilities, places of worship, etc.)
- Training ADMT for any of the above uses
For a typical WooCommerce store running retargeting pixels, two of those triggers are in plain reach. Meta Pixel events — ViewContent, AddToCart, Purchase — feed audience-grouping systems that infer attributes (interest categories, lookalike clusters) about California consumers. Whether that processing also constitutes “selling or sharing” under the expanded CCPA definition is the contested question of the moment.
Translation: ADMT
The CPPA defines automated decisionmaking technology as any technology that uses computation to replace or substantially replace human decisionmaking — explicitly including profiling tools that analyze or predict human characteristics. The CPPA fact sheet names “tools that place consumers into audience groups to target ads to them” as an ADMT use case.
In plain English: a Meta retargeting audience is ADMT under the CPPA’s own framing. So is a Google Ads “in-market for athletic shoes” segment. So is any custom audience built from purchase events sent via pixel. The legal question of how all this maps to “significant decisions” is unsettled. The factual question of whether your store uses ADMT for audience grouping is not.
Is a Pixel “Selling or Sharing”?
This is the contested question. Privacy counsel readings range from “yes, by default, every retargeting pixel is” to “only if there is no service-provider agreement in place and no consumer opt-out mechanism.” The expanded CCPA definition of “sharing” — making personal information available to a third party for cross-context behavioral advertising — captures many standard pixel implementations. The conservative operational read is to assume retargeting pixels likely qualify as “sharing” until your counsel tells you otherwise in writing.
The architectural read is independent of the legal one. Whether or not a pixel-driven audience qualifies as “sharing,” it almost certainly qualifies as automated processing to infer attributes (trigger four above). The risk assessment is owed either way.
The Seven Required Elements
A CPPA-compliant risk assessment must address (Coblentz Law analysis paraphrasing the regulations):
- Purpose of the processing
- Types of personal information involved
- Processing operations performed
- Safeguards in place to mitigate risks
- Stakeholders who contributed
- Approver — the business decisionmaker who signed off
- Risks vs benefits balance
Risk assessments must be reviewed at least every three years, or within 45 days of a material change (Coblentz Law analysis, August 2025).
The element that gives most stores trouble is element four — safeguards. A store firing six client-side pixels has six third-party data flows, six vendor agreements (some of which it has never read), and a “who has access” answer that runs to many pages. The safeguards section then has to either describe controls that don’t really exist or document the gap.
The December 31, 2027 Grace Period
Activities already underway on January 1, 2026 have until December 31, 2027 to produce risk-assessment documentation (Goodwin Procter, 2025). That window sounds long. It is not.
That leaves 21 months to inventory every pixel, every audience, every vendor agreement, every data flow, and every safeguard across whatever ecommerce surface you operate. For a store that has accumulated four to six pixels over the years through ad-agency rotations, the inventory alone is a non-trivial project. Discovery typically takes longer than the documentation.
Penalties
The CCPA imposes administrative fines of up to $2,500 per violation and $7,500 per intentional violation, enforced jointly by the California Attorney General and the CPPA (Akin Gump analysis citing the CCPA, 2025). “Per violation” usually maps to per-consumer or per-incident. The math compounds quickly when the underlying activity — a retargeting pixel firing — occurs on every page render.
Here’s How You Actually Do This
Transmute Engine™ is a first-party Node.js server that runs on your subdomain (e.g., data.yourstore.com). The inPIPE WordPress plugin captures WooCommerce events and routes them through your tracking server, which formats and forwards them to Meta CAPI, Google Ads, GA4, and BigQuery. Three things change about the safeguards story when this architecture is in place: events flow through infrastructure you control before reaching any platform, the data flow is auditable from a single point, and the “who has access to which fields” answer is short. None of that is legal advice. It is the operational pattern privacy counsel will likely ask for.
What to Do This Quarter
Three concrete actions while the December 31, 2027 deadline still looks distant:
- Confirm threshold coverage. If California-resident sessions exceed 100,000 per year, you are inside the CCPA. The most reliable count comes from server logs, not GA4.
- Inventory the pixel stack. List every browser pixel currently firing on checkout, login, and account pages. Many stores discover at this step that an old TikTok pixel from a 2023 campaign is still active.
- Get qualified California privacy counsel involved early. The “selling or sharing” question is contested enough that a written counsel position protects against later enforcement disputes.
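A defender-side starting point for the pixel-inventory step, added here as an example that is not part of the original article or of the Seresa products: a small Python scan over saved storefront HTML that reports which of the three vendors named above fire on which pages, and the pixel IDs it can recover. The signatures target the vendors' public loader and init snippets; the sample pages and every ID in them are constructed.

```python
import re

# Loader and init signatures for the three vendors the article names; the
# named group "id" captures the pixel/account identifier where one is present.
PIXEL_SIGNATURES = {
    "Meta Pixel": [
        r"connect\.facebook\.net/[\w-]+/fbevents\.js",
        r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](?P<id>\d+)['\"]",
    ],
    "Google Ads tag": [
        r"googletagmanager\.com/gtag/js\?id=(?P<id>AW-[\w-]+)",
        r"gtag\(\s*['\"]config['\"]\s*,\s*['\"](?P<id>AW-[\w-]+)['\"]",
    ],
    "TikTok pixel": [
        r"analytics\.tiktok\.com/i18n/pixel/events\.js",
        r"ttq\.load\(\s*['\"](?P<id>\w+)['\"]",
    ],
}


def inventory_pixels(html: str) -> dict:
    """Return {vendor: sorted ids} for each vendor whose loader or init call
    appears in the page; a loader with no recoverable id yields an empty list."""
    found = {}
    for vendor, patterns in PIXEL_SIGNATURES.items():
        hits = [m for p in patterns for m in re.finditer(p, html)]
        if hits:
            found[vendor] = sorted({m.group("id") for m in hits
                                    if "id" in m.groupdict()})
    return found


def inventory_pages(pages: dict) -> dict:
    """Map each vendor to the pages it fires on: {vendor: {page: [ids]}}."""
    report = {}
    for page, html in pages.items():
        for vendor, ids in inventory_pixels(html).items():
            report.setdefault(vendor, {})[page] = ids
    return report


# Constructed sample storefront pages; the ids are made up, not real accounts.
SAMPLE_PAGES = {
    "/checkout/": """<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script>fbq('init', '1234567890123'); fbq('track', 'PageView');</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=AW-000111222"></script>
<script>gtag('config', 'AW-000111222');</script>""",
    "/my-account/": """<script src="https://analytics.tiktok.com/i18n/pixel/events.js"></script>
<script>ttq.load('CEXAMPLE0000'); ttq.page();</script> <!-- leftover 2023 campaign -->""",
    "/shop/": "<html><body>no pixel markup on this page</body></html>",
}
```

Run it against the rendered HTML of checkout, login and account pages rather than the raw theme source, since a tag manager can inject pixels that never appear in the theme files. A vendor reported with an empty ID list is a loader without a visible init call and belongs on the list of gaps for the safeguards section.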
Key Takeaways
- The CPPA’s risk-assessment regulation took effect January 1, 2026, with a December 31, 2027 grace period for activities already underway.
- The CPPA fact sheet explicitly names ad-targeting audience grouping as ADMT — meaning standard retargeting pixels are inside the regulation by the agency’s own framing.
- The 100,000-California-consumer threshold catches mid-market WooCommerce stores selling nationally — including some below the $25M revenue floor.
- A compliant risk assessment must address seven elements with a documented decisionmaker approval and a three-year review cycle.
- Penalties run up to $7,500 per intentional violation, jointly enforced by the California Attorney General and the CPPA.
Frequently Asked Questions
Possibly. The CCPA threshold tests are revenue ($25M+), consumer count (100,000+ California consumers per year, including IP and cookie identifiers), or revenue mix (50%+ from selling/sharing personal information). Many WooCommerce stores cross the consumer-count threshold purely through California-resident site sessions with retargeting cookies set, even when actual sales to California customers are modest. The most reliable count comes from server logs, not GA4. Confirm with qualified California privacy counsel.
This is contested. Privacy counsel readings vary depending on whether service-provider agreements and consumer opt-out mechanisms are in place. The conservative operational read is to assume retargeting pixels likely qualify as “sharing” until written counsel says otherwise. Even if the answer were no, retargeting pixels likely qualify as automated processing to infer attributes (CCPA risk-assessment trigger four), so the assessment is owed either way.
Seven required elements per the CPPA final regulations: purpose of the processing, types of personal information involved, processing operations performed, safeguards in place, stakeholders who contributed, the approving business decisionmaker, and the balance of risks against benefits. Assessments must be reviewed at least every three years or within 45 days of a material change. The safeguards section is where most pixel-stack documentation breaks down.
December 31, 2027. Activities already underway on January 1, 2026 — the situation most existing WooCommerce stores are in — have a grace period that ends on that date. New high-risk processing started after January 1, 2026 must have its risk assessment completed before processing begins. ADMT-specific notice and opt-out requirements activate January 1, 2027.
Up to $2,500 per violation and $7,500 per intentional violation, jointly enforced by the California Attorney General and the California Privacy Protection Agency (Akin Gump analysis, 2025). Violations are typically counted per consumer or per incident, which compounds rapidly when the underlying activity is a pixel firing on every page render.
Decide your safeguards story before the December 31, 2027 deadline arrives. Visit seresa.io to see how a first-party tracking server replaces the client-side pixel stack the CCPA documentation now sits behind.