Risk Assessments Under the New CCPA Regulations Commence Jan. 1, 2026

Brownstein Client Alert, Dec. 4, 2025

As always, the initial step is to determine whether your company must comply with the California Consumer Privacy Act (“CCPA”). If the answer is no, then you can stop reading. If it is yes, then the following sections cover the steps toward compliance. The first step is to determine whether the company’s processing of consumers’ personal information presents a significant risk to consumers’ privacy, which includes activities such as the following:

Processing Activities That Present Significant Risk

  • Selling or sharing personal information. Note that the definition of sharing is broad; for example, the use of ad tech may qualify as sharing
  • Processing sensitive personal information (exceptions can apply for employees or independent contractor personal information)
  • Using automated decision-making technology (“ADMT”) for a significant decision concerning a consumer
  • Using automated processing to infer or extrapolate a consumer’s intelligence, ability, aptitude, performance at work, economic situation, health (including mental health), personal preferences, interests, reliability, predispositions, behavior, location or movements based upon systematic observation of that consumer when they are acting in their capacity as an educational program applicant, job applicant, student, employee or independent contractor for the business
  • Using automated processing to infer or extrapolate a consumer’s intelligence, ability, aptitude, performance at work, economic situation, health (including mental health), personal preferences, interests, reliability, predispositions, behavior or movements based upon that consumer’s presence in a sensitive location. “Infer or extrapolate” does not include a business using a consumer’s personal information solely to deliver goods to, or provide transportation for, that consumer at a sensitive location
  • Processing the personal information of consumers, which the business intends to use to train an ADMT for a significant decision concerning a consumer; or train a facial-recognition, emotion-recognition or other technology that verifies a consumer’s identity or conducts physical or biological identification or profiling of a consumer. For purposes of this paragraph, “intends to use” means the business is using, plans to use, permits others to use, plans to permit others to use, is advertising or marketing the use of or plans to advertise or market the use of

Who Must Be Involved in the Risk Assessments

  • Employees whose duties include processing of personal information that would be subject to a risk assessment
  • External parties such as service providers, contractors, ADMT bias experts, consumers and stakeholders that represent consumers’ or others’ interests, including consumer advocacy organizations

Risk Assessment Requirements

The assessment determines whether the risk to consumers’ privacy from the processing of personal information outweighs the benefits to the consumer, the business, other stakeholders and the public from the processing.

Specifically, the risk assessment must:

  • Identify and document the business’s purpose for processing consumers’ personal information
  • Identify and document the categories of personal information to be processed, including any categories of sensitive personal information
  • Identify and document the following operational elements of the processing:
    • Planned method for collecting, using, disclosing, retaining or otherwise processing personal information and the sources of the personal information
    • Retention period for each personal information category
    • The method and purpose of consumer interaction
    • Approximate number of consumers
    • Disclosures made to consumers about processing and method of disclosures
    • Names or categories of the service providers, contractors or third parties to which the business discloses consumers’ personal information for processing, along with the purpose of that processing
    • For ADMT, the logic of the ADMT, including any assumptions or limitations of that logic, the output of the ADMT and how the output will be used to make a significant decision
  • Identify the benefits to the business, the consumer, other stakeholders and the public from the processing of the personal information
  • Identify the negative impacts to consumers’ privacy associated with the processing, including identifying the sources and causes
  • Identify and document any safeguards that the business plans to implement for the processing
  • Identify and document whether the business will initiate the processing subject to the risk assessment
  • Identify and document the individuals who provided the information for the risk assessment (except for privileged information)
  • Identify and document the reviewed and approved date plus names and positions of the reviewers

Timing and Retention Requirements for Risk Assessments

The risk assessment must be completed before initiating any processing activities covered by the risk assessment. Thereafter, the risk assessment must be reviewed and updated as necessary at least once every three years, unless a material change to the processing activity necessitates an earlier update, which must be completed no later than 45 calendar days from the date of the material change. Although not specifically required, this update requirement, combined with the short deadline, makes a privacy-by-design program almost a necessity. Materiality is based on the creation of new negative impacts, an increase in the magnitude or likelihood of previously identified negative impacts, or the diminishing of safeguards. Examples may include changes to:

  • The purpose of processing
  • Minimum personal information necessary
  • Risks to consumers’ privacy raised by consumers such as complaints

Most companies, if not all companies, will already have long-running processing activities in place on Jan. 1, 2026. For those processing activities, a risk assessment must be conducted no later than Dec. 31, 2027.

The risk assessments must be retained for as long as the processing continues or five years after completion of the risk assessment, whichever is later.

Submission of Risk Assessments to the California Privacy Protection Agency (“CPPA”)

For risk assessments conducted in 2026 and 2027, the business must submit to the CPPA the following information no later than April 1, 2028:

  • Business’s name and a point of contact including name, phone number and email address
  • Time period covered by the submission including month and year
  • Number of risk assessments conducted

Much of the above information may already be found in an existing business impact assessment (“BIA”) or other risk assessment framework that has been adopted. For more information about the CCPA and accompanying regulations, one can visit the Frequently Asked Questions page of the California Privacy Protection Agency.


This document is intended to provide you with general information regarding risk assessments under the California Consumer Privacy Act. The contents of this document are not intended to provide specific legal advice. If you have any questions about the contents of this document or if you need legal advice as to an issue, please contact the attorneys listed or your regular Brownstein Hyatt Farber Schreck, LLP attorney. This communication may be considered advertising in some jurisdictions. The information in this article is accurate as of the publication date. Because the law in this area is changing rapidly, and insights are not automatically updated, continued accuracy cannot be guaranteed.