Key point: Our new chart identifies and categorizes the numerous triggers for when companies must conduct risk assessment and impact assessment requirements under state privacy and AI laws.

The number of instances in which businesses must conduct risk assessments and impact assessments under state privacy and AI laws has exploded. In recent months, California and Connecticut have added additional — and significant — new triggers through the new California Consumer Privacy Act regulations and amendments to Connecticut’s consumer data privacy laws. These new triggers are in addition to existing requirements from the Colorado AI Act, children’s privacy laws, and consumer data privacy laws. Understanding when assessments are required is even more important given that, starting in 2028, California will require businesses to file attestations with the California Privacy Protection Agency confirming, under penalty of perjury, that they have completed the assessments.

In our new chart, we combed through the laws to identify and categorize as many of these triggers as possible. Click here to access the chart.

This is the second installment of a multipart blog series comparing key provisions in state privacy laws. Our first post provided key dates in privacy and AI laws from 2025 to 2030. Future posts will examine applicability standards, categories of sensitive data, and consumer rights, among other topics.