Clarifying CCPA Requirements for When and How a Business Must Conduct Risk Assessments
Smart Summary:
- On July 24, 2025, the CPPA Board unanimously approved regulations addressing risk assessments, which include specific content requirements for risk assessment reports.
- Businesses under the CCPA must conduct risk assessments before processing personal information if the processing presents significant risk to consumers’ privacy. Examples of these risks include selling or sharing personal information, processing sensitive personal information, or using ADMT for a significant decision concerning a consumer.
- Risk assessment reports must document the purpose for processing, the categories of personal information to be processed, specific itemized operational elements of the processing, safeguards, the individuals who provided information for the risk assessment, and the names and positions of the individuals who reviewed or approved the assessment.
- Risk assessments must be updated whenever there is a material change relating to the processing activity, no later than 45 days from the date of the change, and reviewed at least every three years.
- Employees involved in processing the personal information must be included in the risk assessment process. Also, the individual submitting the risk assessment information must be a member of the business’s executive management team and the business must submit an attestation that the risk assessment information submitted is true and correct.
On July 24th, the CPPA Board voted unanimously to adopt revised regulations related to risk assessments. Among other topics, these regulations address requirements with respect to when and how a business must conduct risk assessments, the required form, and required attestations and submissions to the California Privacy Protection Agency (“CPPA”).
When is a Risk Assessment Required?
A risk assessment must be conducted by a business subject to the California Consumer Privacy Act of 2018 (“CCPA”) prior to the processing of personal information, if the processing presents significant risk to consumers’ privacy.
Among others, the following processing activities present significant risk to consumers’ privacy (meaning a risk assessment is required prior to such activities):
- Selling or sharing personal information, including cross-context behavioral advertising,
- Processing sensitive personal information, including information that reveals a consumer’s precise geolocation, or the contents of certain communications, driver’s license, or genetic data, among other information,
- Using ADMT (including profiling) for a significant decision concerning a consumer, including a decision that results in the provision or denial of financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services,
- Using automated processing to infer or extrapolate a consumer’s intelligence, ability, aptitude, performance at work, economic situation, health (including mental health), personal preferences, interests, reliability, predispositions, behavior, location, or movements, based upon:
  - systematic observation of that consumer when they are acting in their capacity as an educational program applicant, job applicant, student, employee, or independent contractor for the business, or
  - that consumer’s presence in a sensitive location.
  - Note: “Infer or extrapolate” does not include a business using a consumer’s personal information solely to deliver goods to, or provide transportation for, that consumer at a sensitive location.
  - “Sensitive location” is defined in the regulations.
- Processing the personal information of consumers which the business intends to use to train ADMT or certain other technology,
  - Note: “Intends to use” means the business is using, plans to use, permits others to use, plans to permit others to use, is advertising or marketing the use of, or plans to advertise or market the use of.
When is a Risk Assessment Required to be Updated?
At least once every three years, a business must review the risk assessment and update it as necessary to ensure it remains accurate in accordance with the requirements.
However, in some circumstances, earlier updates may be required. A risk assessment must be updated as soon as feasible, but no later than 45 calendar days from the date of a material change relating to the processing activity. A change relating to the processing activity is material if it creates new negative impacts, increases the magnitude or likelihood of previously identified negative impacts, or diminishes the effectiveness of the safeguards. By way of example, material changes may include changes to the purpose of the processing, the minimum personal information necessary to achieve the purpose of the processing, or the risks to consumers’ privacy raised by consumers (e.g., numerous consumers complain to a business about the risks that the business’s processing poses to their privacy).
What Stakeholders are Required to be Included in the Risk Assessment Process?
A business’s employees whose job duties include participating in the processing of personal information that would be subject to a risk assessment must be included in the business’s risk assessment process for that processing activity.
In conducting the risk assessment, a business may include external parties in the process. For example, a business may utilize or gather information from service providers, contractors, experts in detecting and mitigating bias in ADMT, a subset of the consumers whose personal information the business plans to process, or stakeholders that represent consumers’ or others’ interests.
Are Risk Assessment Requirements a New Concept?
Some requirements related to training ADMT and certain other technology are relatively novel, but many core requirements are well established in several existing U.S. comprehensive privacy laws, the GDPR, and other laws.
Do We Need a Separate Risk Assessment for Each Law?
No. The regulations expressly permit businesses to utilize risk assessments conducted for the purpose of complying with another law or regulation that meets all the requirements of the regulations. In other words, duplicate assessments are not required, provided the existing assessments include the required information, or are paired with the outstanding information necessary for compliance.
What is the Goal of a Risk Assessment?
The goal of a risk assessment is to restrict or prohibit the processing of personal information if the risks to the privacy of the consumer outweigh the benefits resulting from processing to the consumer, the business, other stakeholders, and the public.
The risk assessment must identify the benefits to the business, the consumer, other stakeholders, and the public from the processing of the personal information, as applicable, and the negative impacts to consumers’ privacy associated with the processing, including the sources and causes of these impacts. Example negative impacts are listed in the regulations, including certain discrimination, unauthorized access to personal information, economic, and reputational harms, among others.
What is a Risk Assessment Report?
The risk assessment report is the document that every business that is required to conduct a risk assessment must create as part of its risk assessment.
What Information Must be Included in the Risk Assessment Report?
The business must identify and document in a risk assessment report:
- The business’s purpose for processing consumers’ personal information:
  - The purpose must not be identified or described in generic terms, such as “to improve our services,” or “for security purposes,”
  - By contrast, if a business is “improving the service” by decreasing consumers’ wait times when processing their privacy rights requests, the business may identify this decrease of wait times to process privacy rights requests as the relevant purpose,
- The categories of personal information to be processed, including any categories of sensitive personal information,
- The operational elements of the processing, including detailed prescribed requirements,
- Any safeguards the business plans to implement for the processing, such as safeguards to address the negative impacts identified. Example safeguards are provided, including encryption and the use of privacy-enhancing technologies, among others,
- Whether it will initiate the processing that is subject to the risk assessment,
- The individuals who provided the information for the risk assessment, except for legal counsel who provided legal advice,
- The date the assessment was reviewed and approved, and
- The names and positions of the individuals who reviewed or approved the assessment, except for legal counsel who provided legal advice.
An individual who has the authority to participate in deciding whether the business will initiate the processing that is the subject of the risk assessment must review and approve the assessment.
Additional requirements may apply for businesses that process personal information to train ADMT. The requirements may vary based on the role of the business.
Show Your Work, Executive Management Team Submission, and Related Confidentiality Considerations
The CPPA’s regulations require that the individual submitting the risk assessment information be a member of the business’s executive management team who: (1) is directly responsible [sic] for the business’s risk assessment compliance, (2) has sufficient knowledge of the business’s risk assessment to provide accurate information, and (3) has the authority to submit the risk assessment information to the CPPA.
- For risk assessments conducted in 2026 and 2027, the business must submit to the agency the information required no later than April 1, 2028.
- For risk assessments conducted after 2027, the business must submit to the agency the information required no later than April 1 following any year during which the business conducted the risk assessment.
A business must retain its risk assessments, including original and updated versions, for as long as the processing continues, or for five years after the completion of the risk assessment, whichever is later.
Specific, narrow risk assessment information and an attestation must be submitted to the CPPA via the agency’s website within the required time periods. However, it is important to note that the CPPA or the California Attorney General may require a business to submit its risk assessment reports at any time, and that business must submit risk assessment reports within 30 calendar days of the request. This requirement should be carefully considered when developing policies and processes to complete, review, and document risk assessments, and in related training and controls.
For further clarification on how these regulations impact your business or to discuss the risk assessment process, contact David Wilson at dwilson@keglerbrown.com.
