California Consumer Privacy Act: Conducting Risk Assessments
-
July 06, 2026
-
The California Privacy Protection Agency (“CPPA”) issued revised California Consumer Privacy Act (“CCPA”) Regulations effective on January 1, 2026. The revision builds upon existing requirements and introduces new obligations for in-scope organizations, including formal risk assessments, annual cybersecurity audits and enhanced consumer rights processes related to the use of automated decision-making technologies.1
As part of a continued series on the CCPA, this article focuses on Article 10 of the updated regulations (“Article 10”), which requires businesses to conduct and document formal risk assessments for processing activities that present a significant risk to consumers’ privacy. In particular, it examines the key requirements and deadlines under Article 10, as well as best practices covered organizations can follow to meet these obligations.
Key Details
Organizations that sell or share personal information, use automated decision-making or process sensitive personal information are very likely subject to these requirements. There are numerous practical steps these organizations should take to operationalize their obligations, including:
- Embrace the mindset that this is a new compliance program, not a one-time project. There are ongoing obligations to operate in California, which will require continuous and evolving compliance activities that must be sustained over time.
- Take inventory of existing risk assessment processes and frameworks for reusability (e.g., current cybersecurity, privacy and other data mapping processes), as these may provide a useful present foundation from which to build upon and develop capabilities for the new requirements.
- Confirm executive ownership of the Article 10 program and stand up a cross-functional steering committee that encompasses stakeholders from privacy, security, legal, human resources, artificial intelligence, data science and procurement departments. This will enable each function to have a clearly designated representative and escalation path.
- Complete the in-scope inventory across all six Section 7152 categories, including automated decision-making technology, profiling and training-data uses that often live outside the privacy team's line of sight and may require outreach to technology, data science or procurement teams to identify.
- Implement a single standardized risk assessment template covering Section 7152 elements (e.g., description, purpose and benefits, risk analysis, safeguards and balancing conclusion) and route it through workflow tooling that captures reviewers, approvers and dates to ensure a consistent and auditable process.
- Document retention periods or determination criteria for every category of personal information; close any gaps before they become assessment findings or regulatory exposure.
- Brief the relevant stakeholders on the joint risk assessment and cybersecurity audit timeline, so the impending 2028 certification deadlines are on the calendar, and accountability is assigned well in advance.
Processing Activities Requiring Risk Assessments
Article 10 requires organizations to conduct risk assessments before initiating processing activities that present significant risk to consumer privacy. Section 7152 outlines assessment requirements aligned with GDPR privacy impact assessments and similar regulations, establishing a comprehensive framework for evaluating privacy risks across six specific categories of processing activities. These include:
- Selling or sharing personal information: Any sale or sharing of personal information is subject to a mandatory risk assessment.
- Processing sensitive personal information: Sensitive personal information processing is subject to a mandatory risk assessment. The exception is processing sensitive data of employees and independent contractors solely for compensation payments, employment authorization, benefits administration, reasonable accommodation or wage reporting.
- Using automated decision-making technology for significant decisions concerning a consumer: A risk assessment is required whenever automated decision-making technology is used to make significant decisions about consumers. A “significant decision” is one that results in the provision or denial of financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation or healthcare services. A significant decision does not include advertising to a consumer.
- Profiling in employment and education contexts: Using automated processing to infer or extrapolate characteristics (intelligence, ability, aptitude, performance at work, health, economic situation, preferences, behavior, location, etc.) based on systematic observation of that consumer is subject to assessment when acting in a relevant capacity, including: educational program applicants, job applicants, students, employees, independent contractors.
- Profiling based on sensitive locations: Using automated processing to infer or extrapolate consumer characteristics based on their presence in sensitive locations is subject to a mandatory risk assessment, except when location data is used solely to deliver goods or provide transportation for that consumer at a sensitive location.
- Training automated decision-making technology or biometric systems: A risk assessment is required when processing personal information to train automated decision-making technology for significant decisions concerning consumers, identity verification technology including facial-recognition or emotion-recognition technology, physical or biological identification and profiling technology.
Compliance Requirements
Organizations face several notable compliance challenges under these requirements. The CCPA regulations establish a comprehensive risk assessment framework that requires businesses to evaluate whether privacy risks to consumers outweigh the benefits of processing, and to document that analysis in formal risk assessment reports before initiating covered processing activities. Priority areas include:
- Retention documentation: Organizations must document retention periods for each category of personal information or specify the criteria used to determine retention periods.
- Stakeholder accountability: Risk assessments must identify the date the assessment was reviewed and approved, and the names and positions of the individuals who reviewed or approved the assessment. Critically, an individual with the authority to participate in deciding whether the business will initiate the processing that is subject to the risk assessment must review and approve the assessment. Legal counsel providing legal advice may be excluded.
- Regular updates: Assessments must be reviewed and updated at least every three years. Material changes (such as changes to processing purpose or minimum necessary data) require updates within 45 calendar days of the change. Additional examples of material changes include consumer-raised privacy risks, such as numerous complaints about the business’ data processing practices.
- Retention of assessments: Businesses must retain risk assessments, including original and updated versions, for as long as the processing continues or for five years after the completion of the risk assessment, whichever is later.
- Submission to the Agency: Businesses must submit risk assessment information to the CPPA. For assessments conducted in 2026 and 2027, submissions are due no later than April 1, 2028. For assessments conducted after 2027, submissions are due by April 1 of the following year. Submissions must be made via the Agency's website and must be certified under penalty of perjury by a member of the business's executive management team who is directly responsible for risk assessment compliance.
Certification and Reporting
Organizations must submit specific information to the CPPA including the number of risk assessments conducted or updated during the covered period, the categories of personal information included in those assessments and a written certification under penalty of perjury attesting to completion and accuracy. Notably, the requirement to proactively submit full risk assessments was removed from the regulations; however, the CPPA or attorney general can request them at any time, so organizations must maintain complete documentation. The initial submission is due April 1, 2028, covering risk assessments conducted in 2026 and 2027, with annual submissions required each year thereafter.
Conclusion
The revised CCPA regulations — effective January 1, 2026 — mark a significant shift in California privacy law, moving organizations beyond disclosure-based compliance toward documented, defensible privacy governance. Article 10’s six categories that trigger a risk assessment (selling or sharing personal information, sensitive personal information processing, ADMT for significant decisions, profiling in employment and education contexts, profiling based on sensitive locations and training of ADMT or biometric systems) intentionally pull in the highest-impact uses of consumer data and the fastest-growing areas of automated decision-making.
For organizations operating in California, the practical effect is that risk assessments become a continuous program rather than a project. The combination of a 45-day material-change trigger, a three-year baseline refresh, an annual certification and the parallel cybersecurity audit obligations make the cost of an ad-hoc approach significantly higher than the cost of standing up a sustained program. The companies that treat 2026 and 2027 as a build-out window will reach the April 1, 2028 certification confident; those that wait will almost certainly spend 2028 reconstructing evidence.
Footnotes:
1: 11 Cal. Code Regs. §§ 7000–7304 (2026)
Published
July 06, 2026