Clarifying CCPA Requirements for When and How a Business Must Conduct Risk Assessments
Update:
On July 24, 2025, the CPPA Board voted to approve revised regulations.
- An updated article, Clarifying CCPA Requirements for When and How a Business Must Conduct Risk Assessments, is available here.
- An updated article, Clarifying CCPA Requirements for the Use of Automated Decisionmaking Technology, is available here.
- An updated article, Clarifying CCPA Requirements to Complete Cybersecurity Audits, is available here.
For further clarification on how these regulations impact your business or to discuss how to operationalize potential requirements, contact David Wilson at dwilson@keglerbrown.com.
Summary
- The CPPA Board voted to advance proposed draft regulations on November 8th addressing risk assessments
- A business must conduct written risk assessments in certain circumstances
- The proposed regulations include specific content requirements
- The regulations require a business to designate an executive to attest in a signed certification that they have reviewed, understood, and approved the business’s risk assessments
- The business is required to submit a written certification along with other risk assessment materials, and complete annual submissions thereafter
On November 8th, the CPPA Board voted to advance proposed draft regulations related to risk assessments. Among other topics, these regulations, which remain subject to additional rulemaking, address when and how a business must conduct risk assessments, the required form of those assessments, and the certifications and submissions that must be made to the CPPA. The proposed draft regulations also outline new requirements for Automated Decisionmaking Technology (ADMT) and cybersecurity audits.
When is a Risk Assessment Required?
A documented risk assessment must be conducted by a business subject to the CCPA prior to the processing of personal information, if the processing presents a significant risk to the consumers’ privacy.
Among others, the following processing activities present significant risk to consumers’ privacy (meaning a risk assessment is required prior to such activities):
- Selling or sharing personal information, including cross-context behavioral advertising,
- Processing sensitive personal information, including information that reveals a consumer’s precise geolocation, or the contents of certain communications, government ID numbers, financial information, health and genetic information, among other information,
- Using ADMT for a significant decision concerning a consumer or for extensive profiling, including decisions determining compensation, allocation of work, promotions, hiring, admissions to an educational program, and access to or the provision or denial of financial or lending services, or insurance, among other decisions, or
- Processing the personal information of consumers to train ADMT or certain AI.
Are Risk Assessment Requirements a New Concept?
Some requirements related to training ADMT and certain other AI are relatively novel, but many core requirements are well established in several existing U.S. comprehensive privacy laws, the GDPR, and other laws.
Do We Need a Separate Risk Assessment for Each Law?
No. The regulations expressly permit businesses to utilize risk assessments conducted for the purpose of complying with another law or regulation that meets all the requirements of the regulations. In other words, duplicate assessments are not required, provided the existing assessments include the required information, or are supplemented to include additional required information.
What Must Be Included in a Required Risk Assessment?
The regulations include prescribed timing, content, form, and administrative requirements. The business must identify:
- Whether it will initiate the processing that is subject to the risk assessment,
- The contributors to the risk assessment,
- The date the assessment was reviewed and approved,
- The names and positions of the individuals responsible for the review and approval. This must include the individual who decides whether the business will initiate the processing that is subject to the risk assessment,
- The specific purpose for processing consumers’ personal information. The purpose must not be identified or described in generic terms, such as “to improve our services” or “for security purposes,”
- The categories of personal information to be processed, and whether they include sensitive personal information,
- The operational elements of its processing, including detailed prescribed requirements,
- The specific benefits to the business, the consumer, other stakeholders, and the public from the processing of the personal information,
- The specific negative impacts to consumers associated with the processing, including the sources and causes of these impacts, and the criteria the business used to make these determinations. Potential factors to consider are listed, including certain discrimination, unauthorized access to personal information, and economic and reputational harms, among others, and
- The safeguards the business plans to implement to address the identified negative impacts, and specifically how each safeguard addresses those impacts. Potential safeguards are provided, including encryption, privacy-enhancing technologies, and evaluating the need for human involvement, among others.
The regulations prohibit processing if risks to consumers’ privacy outweigh benefits.
For uses of ADMT for a significant decision concerning a consumer or extensive profiling, the business must also identify:
- Whether it evaluated the ADMT to ensure it works as intended for the business’s proposed use and does not discriminate based upon protected classes,
- The policies, procedures, and training the business has implemented or plans to implement to ensure that the ADMT works as intended for the business’s proposed use and does not discriminate based upon protected classes, and
- Where the business obtains the ADMT from another person, whether it reviewed that person’s evaluation of the ADMT, whether that evaluation included any requirements or limitations relevant to the business’s proposed use of the ADMT, and any accuracy and nondiscrimination safeguards that the business implemented or plans to implement.
Additional requirements may apply for processing personal information to train ADMT or AI. The requirements may vary based on the role of the business.
Show Your Work, Designate an Executive, and Related Confidentiality Considerations
The regulations require businesses to submit certain risk assessment materials to the CPPA, including written certifications and abridged versions of their risk assessments, with submissions made annually. It is important to note that businesses are required to provide unabridged risk assessments to the CPPA within ten days of request. This requirement should be carefully considered when developing policies and processes to complete, review, and document risk assessments, and in related training and controls.
A business must also designate a qualified individual with authority to certify the conduct of the risk assessment on behalf of the business. This individual must be the business’s highest-ranking executive who is responsible for oversight of the business’s risk-assessment compliance. The written certification must include the designated executive’s name, title, signature, and the date of the certification, among other required items.
What is Next for CCPA Requirements?
In light of the California wildfires, the CPPA extended the comment period and rescheduled the hearing date to February 19th. As of today, meaningful public comments have been submitted to the CPPA. If substantial changes are made, an additional fifteen-day comment period will apply. If substantial changes are not made, the regulations could be implemented as soon as April 2025.¹ Continue reading here to learn more about what the ADMT regulations require.
¹ In general, the California Office of Administrative Law has 30 working days after the regulations are passed by the CPPA to review and publish them.
