10 min readcompliance

CCPA 2026: Neural Data and ADMT Rules Are Now Live—How to Document Compliance with PDF

CCPA's January 2026 updates added neural data as sensitive info and new ADMT rules. Here's how to save and archive the policy pages your compliance team needs as PDF.

TL;DR

As of January 1, 2026, California's CCPA regulations expanded in three major ways: neural data is now classified as sensitive personal information, businesses must conduct risk assessments for automated decision-making technology (ADMT), and mandatory cybersecurity audits are coming. Compliance teams need to document vendor privacy policies, terms of service pages, and regulatory guidance—and Convert: Web to PDF is the fastest way to create timestamped, clean PDF records from any web page. No uploads. No accounts. Just accurate, offline-accessible compliance documentation.

What Changed in CCPA on January 1, 2026?

The California Office of Administrative Law approved sweeping revisions to CCPA regulations on September 22, 2025, with an effective date of January 1, 2026. If your compliance documentation hasn't been updated since then, you're likely working from outdated records.

Here are the three biggest changes:

1. Neural Data Is Now "Sensitive Personal Information"

CCPA's previous definition of sensitive personal information covered categories like Social Security numbers, financial data, precise geolocation, health information, and biometric data. The 2026 revisions add "neural data" to this list.

Neural data includes information derived from brain-computer interfaces, EEG measurements, neurofeedback devices, and similar technologies that capture electrical activity in the nervous system. This may sound niche, but consumer wellness devices, sleep trackers, some gaming peripherals, and emerging AR/VR hardware all increasingly collect neural signals.

If you're a business that processes consumer neural data—even indirectly through a third-party SDK—you now have heightened obligations under CCPA, including:

  • Disclosing neural data collection in your privacy notice
  • Providing a "Limit the Use of My Sensitive Personal Information" opt-out right
  • Treating neural data with the same protections as health or biometric data

Why this matters for documentation: Your vendors' privacy policies need to be audited to confirm they treat neural data correctly. Saving those policy pages as PDFs—with clear timestamps—gives you evidence of what was disclosed at any given point in time.

2. Automated Decision-Making Technology (ADMT) Rules

California's 2026 CCPA updates bring automated decision-making technology into compliance scope. ADMT is defined broadly to include any system that makes or substantially contributes to a decision that has a "legal or similarly significant effect" on a consumer.

This covers:

  • Credit scoring and loan approval algorithms
  • Job applicant screening tools
  • Insurance rate-setting models
  • Ad personalization systems that profile users
  • Healthcare triage or recommendation systems

New obligations under ADMT rules:

  • Businesses must conduct privacy risk assessments before deploying covered ADMT
  • Privacy notices must disclose ADMT usage and explain the logic in accessible terms
  • Consumers have the right to opt out of ADMT in covered use cases
  • Businesses must provide consumers with human review options for consequential ADMT decisions

Risk assessments for ADMT initiated in 2026 and 2027 are due by April 1, 2028—but the assessment work needs to start now.

3. Mandatory Cybersecurity Audits

Larger businesses meeting specified revenue and data-volume thresholds will be required to complete independent cybersecurity audits. First certifications are phased in from 2028 to 2030, but audit preparation needs to begin in 2026 to meet those deadlines.

The Compliance Documentation Problem

Here's the practical challenge that compliance and legal teams face: privacy regulations require you to document what vendors promised you, not just what you hoped they promised.

When a data processor breach occurs or a regulator asks you to demonstrate due diligence, the question is: "Did you review the vendor's privacy policy? What did it say at the time you onboarded them? Have you reviewed it since?"

Web pages change. Privacy policies get quietly updated. A vendor can materially change their data retention practices overnight and, unless you have a timestamped snapshot of what their policy said when you signed the contract, you're left arguing from memory.

This is where PDF documentation of web-based policy pages becomes a legitimate compliance tool.

How to Use Convert: Web to PDF for Compliance Documentation

Convert: Web to PDF makes it easy to create clean, printable PDF snapshots of any web page. Here's a practical workflow for compliance teams:

Step 1: Build Your Vendor Documentation Queue

Create a list of every vendor that processes personal data on your behalf. Include:

  • CRM and marketing automation platforms
  • HR and payroll systems
  • Customer analytics tools
  • Any SaaS with embedded AI or decision-making features
  • Data brokers or data enrichment services

Step 2: Navigate to Their Privacy Policy and Terms Pages

For each vendor, navigate to their:

  • Privacy Policy
  • Terms of Service
  • Data Processing Agreement (if available as a web page)
  • Sub-processor list (if published)
  • Any ADMT-specific disclosures

Step 3: Convert to PDF with Timestamp

Open Convert: Web to PDF and click the extension icon. Select "Article Mode" if the policy page has heavy navigation chrome, or use the standard full-page capture for dense legal documents where completeness matters more than clean formatting.

The resulting PDF includes the page URL and conversion date in the footer—exactly the kind of metadata that turns a screenshot into a defensible compliance record.

Step 4: File with Date and Vendor Name

Save each PDF as [VendorName]_Privacy_Policy_[YYYY-MM-DD].pdf. Store these in your legal or compliance folder structure with a log of when each review was conducted.

Step 5: Schedule Annual Re-Review

Add a recurring compliance calendar event to re-capture each vendor's policy annually, or immediately upon any notification of policy changes. Most SaaS vendors send "we've updated our privacy policy" emails—treat those as triggers.

Which Pages to Prioritize for PDF Documentation

Not every web page you've ever visited needs to be archived. Here's a prioritized list for CCPA 2026 compliance:

High Priority (Document Now)

  • Vendor privacy policies for any processor touching California consumer data
  • Your own published privacy notice (archive the live version periodically to prove what was disclosed)
  • ADMT disclosure pages from any vendor deploying automated decision-making
  • California-specific rights pages (opt-out mechanisms, data access request forms)
  • CPPA enforcement guidance and FAQs from cppa.ca.gov

Medium Priority (Document Within 30 Days)

  • State AG guidance documents for the 20 U.S. states with comprehensive privacy laws now in effect
  • Sub-processor lists from major cloud vendors (AWS, Google Cloud, Azure, Salesforce, etc.)
  • Cybersecurity certifications from vendors subject to the audit requirements

Lower Priority (Document as Needed)

  • Blog posts or press releases from vendors announcing compliance initiatives
  • Trade association guidance documents
  • Law firm analyses of CCPA requirements

Why Local Processing Matters for Compliance Documentation

When you're archiving privacy policies and compliance documentation, using a tool that itself respects privacy matters.

Many web-to-PDF tools work by sending the page content to their servers for conversion. This means:

  1. The URL and content of every policy page you "archive" is transmitted to a third party
  2. That third party now has a log of what you've been reviewing
  3. Depending on their data practices, that metadata could be retained indefinitely

For routine web pages, this tradeoff is often acceptable. For compliance documentation—especially when you're reviewing competitor-adjacent information, preparing for regulatory inquiries, or handling sensitive vendor relationships—keeping that activity off third-party servers is the right call.

Convert: Web to PDF processes everything locally. The only record of your compliance review activity is on your own machine.

CCPA 2026 vs. Previous CCPA: What Changed in Plain English

AreaBefore 2026After January 2026
Neural dataNot specifically coveredNow "sensitive personal information"
Automated decisionsNo specific ADMT rulesRisk assessments required; opt-out rights added
CybersecurityNo mandatory auditIndependent audits required for large businesses
Risk assessmentsNo formal requirementRequired for high-risk processing
Employee dataPartial CPRA exemptionFull protections in effect
Opt-out scopeSale and sharingNow also covers ADMT profiling

Other State Privacy Laws in Effect for 2026

California isn't alone. As of Q1 2026, 20 U.S. states have comprehensive privacy laws, including Indiana, Kentucky, and Rhode Island, which took effect in 2026. Each state has slightly different definitions, thresholds, and consumer rights.

For businesses operating nationally, documenting your compliance posture across all applicable state laws is increasingly complex. A systematic PDF archiving workflow for regulatory pages across CPPA, Virginia CDPA, Texas TDPSA, Colorado CPA, and the newer state laws is quickly becoming a standard part of compliance operations.

Frequently Asked Questions

What is neural data under the 2026 CCPA updates?

Neural data refers to information collected from a consumer's nervous system—including brain-computer interface signals, EEG data, and neurofeedback measurements. As of January 1, 2026, it is classified as "sensitive personal information" under CCPA, triggering heightened obligations including opt-out rights and explicit privacy notice disclosure.

What is ADMT under CCPA 2026?

ADMT stands for Automated Decision-Making Technology. Under the 2026 CCPA updates, businesses must conduct privacy risk assessments before deploying ADMT that makes consequential decisions affecting consumers. Consumers also gain opt-out rights for covered ADMT uses.

When are CCPA 2026 risk assessments due?

Risk assessments for ADMT and high-risk processing activities initiated in 2026 and 2027 are due by April 1, 2028. Cybersecurity audit certifications are phased in from 2028-2030 based on business size.

Can I use web page screenshots as compliance documentation instead of PDFs?

You can, but PDFs are preferable for compliance purposes. PDFs preserve formatting, include metadata (URL, date), are harder to accidentally alter, and are more widely accepted by regulators and auditors. A screenshot is a starting point; a PDF is documentation.

Does Convert: Web to PDF send page content to any servers?

No. Convert: Web to PDF processes all conversions locally within your browser. No page content is ever transmitted to external servers, making it appropriate for use with sensitive compliance and legal documentation.

How do I document that I reviewed a vendor's privacy policy on a specific date?

Convert: Web to PDF includes the page URL and conversion date in the PDF output. Save the file with a descriptive name including the date (e.g., Vendor_Privacy_Policy_2026-04-22.pdf) and store it in a compliance archive. This creates a timestamped record of what the policy said on that date.

Is CCPA only for California businesses?

No. CCPA applies to any business—regardless of where it is located—that collects personal data from California residents and meets one of the three thresholds: annual gross revenue over $25 million, buying/selling/sharing data of 100,000+ California consumers or households per year, or deriving 50%+ of annual revenue from selling consumer personal information.

Bottom Line

The January 2026 CCPA updates—neural data, ADMT rules, and upcoming cybersecurity audit requirements—represent a meaningful expansion of compliance obligations. The documentation burden grows with the regulatory scope.

Building a systematic process for capturing timestamped PDF snapshots of vendor privacy policies, regulatory guidance pages, and your own published disclosures is a practical first step. Convert: Web to PDF gives you a free, local-processing tool to do exactly that—no account required, no data uploaded, clean PDFs with metadata built in.

Compliance doesn't have to be expensive. It has to be consistent.

Try our free Chrome extensions

Privacy-first tools that actually work. No paywalls, no tracking, no data collection.

Browse ExtensionsMore Articles