Key point: Businesses subject to the CCPA now must conduct risk assessments for certain types of processing activities and, starting in 2028, must certify to California regulators that they completed the assessments.
The California Consumer Privacy Act’s (CCPA) new regulations went into effect on January 1, 2026. Although the new regulations bring many changes for businesses subject to the CCPA, one of the biggest changes is a new requirement to conduct risk assessments for processing activities that present “significant risk to consumers’ privacy.” This can encompass many types of common data processing activities such as the use of third-party cookies and tracking technologies, processing of sensitive personal information (e.g., biometric data), and the use of AI for certain employment-related activities. Like the CCPA, the risk assessment requirement applies to consumer, employee, and commercial personal information.
Importantly, on April 1, 2028, businesses subject to the CCPA must file a certification with the California Privacy Protection Agency (CalPrivacy) attesting — under penalty of perjury — that they conducted the required risk assessments. The certification must be signed by a member of the business’s executive management team.
In the article below, we provide an overview of this new risk assessment requirement.
What types of processing activities require risk assessments?
Businesses are required to conduct risk assessments if their processing of consumers’ personal information presents a “significant risk to consumers’ privacy.” The regulations identify six processing activities that trigger the risk assessment requirement:
- Selling or sharing personal information.
- Processing sensitive personal information (with certain exceptions for the processing of employee sensitive personal information).
- Using automated decision-making technology (ADMT) for a significant decision concerning a consumer.
- Using automated processing to infer or extrapolate certain information regarding a consumer such as intelligence, aptitude, health, or personal preferences, based on systematic observation of the consumer in a work or education setting.
- Using automated processing to infer or extrapolate certain information regarding a consumer such as intelligence, aptitude, health, or personal preferences, based on the consumer’s presence in a sensitive location.
- Processing the personal information of consumers that the business intends to use to train an ADMT for a significant decision concerning a consumer; or train a facial-recognition, emotion-recognition, or other technology that verifies a consumer’s identity, or conducts physical or biological identification or profiling of a consumer.
To provide some context, the use of third-party cookies and tracking technologies can qualify as selling or sharing personal information. For example, in a recent enforcement action, CalPrivacy faulted a company for using “cookies, pixels, and other technologies that automatically send data about consumers’ online behavior to third-party companies for a variety of purposes” without providing consumers with a right to opt out of selling or sharing. Therefore, businesses using these technologies will need to consider whether they must complete risk assessments.
Further, the CCPA defines sensitive personal information broadly to include information such as biometric data, children’s data (under 16), account log-in credentials, Social Security and driver’s license numbers, consumer health data, and precise geolocation. Businesses processing any of those types of personal information will need to conduct risk assessments.
The use of automated processing for employment-related activities also may trigger risk assessment requirements. For example, businesses will need to consider whether activities like automated resume screening and the use of artificial intelligence for hiring, firing, promotion, compensation, and employee monitoring trigger the need to conduct a risk assessment.
When must businesses start completing risk assessments?
Starting January 1, 2026, businesses need to complete risk assessments for new processing activities. For example, if a business wants to start processing the biometric data of consumers, it will need to perform a risk assessment before initiating that activity.
For processing activities that predate the regulations but continue after their effective date, businesses need to complete risk assessments no later than December 31, 2027. This two-year implementation period is intended to give businesses time to conduct assessments for pre-existing activities; however, given that many routine processing activities may require risk assessments, businesses should not wait until the last minute to conduct these assessments. Finally, businesses must review and update risk assessments at least once every three years or if there is a material change in the processing activity.
How do businesses complete risk assessments?
The regulations state that the goal of a risk assessment is to restrict or prohibit “the processing of personal information if the risks to the privacy of the consumer outweigh the benefits resulting from processing to the consumer, the business, other stakeholders, and the public.” The regulations set forth nine factors that must be considered.
The first three factors revolve around understanding the scope of the processing activity. Through those factors, businesses must consider things such as the purpose for the processing; the types of personal information that will be processed; the methods of collecting, using, disclosing, retaining, or otherwise processing the personal information; how the business interacts with consumers; the purpose of the interaction; the approximate number of consumers whose information will be processed; the disclosures made to consumers; and the names or categories of other entities that may process the personal information.
The next three factors require businesses to consider any benefits or negative impacts to consumers as well as any safeguards that the business will implement to mitigate the negative impacts. The remaining factors require the business to indicate whether it will undertake the processing activity and information such as who performed the risk assessment and when.
It should be noted that other laws and regulations may require businesses to consider additional factors. For example, the Colorado attorney general promulgated rules on the Colorado Privacy Act’s data protection impact assessment requirement. Businesses subject to that law should incorporate those additional factors.
Finally, while not specifically called out in the CCPA regulations, businesses should consider adding a legal analysis to the risk assessment to identify legal obligations triggered by the processing activity. For example, the processing of biometric data can trigger notice and consent obligations in other jurisdictions such as Illinois, Washington, Texas, and Colorado. In that regard, risk assessments can be used by businesses to analyze all legal obligations triggered by the activity and not just the specific factors identified in the regulations.
When do businesses need to file a certification with CalPrivacy?
Perhaps one of the most notable aspects of the new risk assessment requirement is that businesses will need to certify to CalPrivacy that they have completed the required risk assessments. While existing consumer data privacy laws include similar requirements to complete risk assessments (i.e., data protection impact assessments), they do not require entities to certify that the assessments were completed.
The new regulations phase in this requirement starting in 2028. Specifically, no later than April 1, 2028, businesses need to submit information to the agency regarding the risk assessments they conducted in 2026 and 2027. For risk assessments after 2027, businesses will need to submit the information to the agency by April 1 of the following year.
The information required to be submitted to CalPrivacy includes the business’s contact information, the time period covered by the submission, the number of risk assessments covered or updated during the time period, whether the processing activity involved the processing of certain types of personal information, and an attestation. The attestation requires the individual submitting the certification to attest, under penalty of perjury, that the information submitted is true. The individual submitting the information must be a member of the business’s executive management team who is directly responsible for risk-assessment compliance, has sufficient knowledge to provide accurate information, and has the authority to submit the information.
Finally, while businesses are not required to submit full risk assessments to California regulators, CalPrivacy or the attorney general can request those risk assessments and businesses must provide them within 30 calendar days.
What is the penalty for noncompliance?
Violations of the CCPA are enforceable in the amount of $2,663 for each violation and $7,988 for each intentional violation and for each violation involving the personal information of consumers who, to the business’s actual knowledge, are under 16 years of age. In enforcement actions for violations of other sections of the CCPA, California regulators have multiplied these amounts by a factor such as the number of consumers at issue.