12 January 2026

California Risk Assessments—What You Should Know (And Why It Shouldn't Be New To You Or Your Business)

Clark Hill

Contributor


By Jason Schwent

As of Jan. 1st, the California Consumer Protection Act ("CCPA") and accompanying regulations now require businesses to complete a risk assessment before engaging in certain "high-risk" personal information processing. California businesses must conduct this risk assessment prior to any of the following activities:

  • Selling or sharing personal information.
  • Processing "sensitive personal information," which includes precise geolocation, racial or ethnic origin, religious beliefs, genetic data, biometric information, health information, sexual orientation, citizenship status, and any information about children under the age of 16.
  • Using personal information in connection with automated decision-making technology to make significant decisions about consumers, such as decisions resulting in the provision or denial of financial services, lending, housing, education enrollment, employment opportunities, compensation, or healthcare services.
  • Profiling a consumer through systemic observation (i.e., methodical and regular or continuous observation) when the consumer is acting in their capacity as an educational program applicant, job applicant, student, employee, or independent contractor for the business. This would cover, among other things, employee video and electronic surveillance.

The statutory risk assessments are complex and require providing detailed information, including: a description of the purpose of the activities; the types of data to be collected, used, disclosed, and retained; how the activity will occur (i.e., number of consumers affected, notification methods, technologies involved, etc.); the business participants; and the anticipated benefits and potential consumer harms. The risk assessments need to be completed prior to undertaking the contemplated activity and need to be updated if any material changes are made to the processes involved in the activity. If a third party is involved in conducting an activity, the business must obtain the necessary risk assessment information from that third party.

The CCPA regulations establish that by April 1, 2028, businesses must submit certain information to the California Privacy Protection Agency regarding risk assessments conducted in 2026 and 2027. This submission must include: a description of the triggering activity, its necessity, the types of personal information involved (including any sensitive personal information), and the safeguards implemented to minimize consumer harm. It must also include an attestation, made under penalty of perjury, that a full risk assessment was completed.

These requirements were adopted by the California Privacy Protection Agency (the agency tasked with implementing and enforcing the CCPA) in September 2025 and became effective January 1, 2026.

While risk assessments are an important new requirement under the CCPA, similar obligations have been imposed by other states' consumer privacy laws. States including Colorado, Connecticut, Delaware, Indiana, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, and Virginia require privacy risk assessments under certain circumstances when consumer privacy faces heightened risk.

Businesses operating in these states—and now California—should review any planned activities involving consumer personal information that may pose heightened risk. This includes assessing the purpose of the activity and the data collected (including by marketing vendors) to determine whether a risk assessment is required. Businesses operating in these states—or with operations that could collect information from consumers in these states—should also establish a process to evaluate whether a risk assessment is necessary before initiating such activities.

Failing to complete a risk assessment before collecting data from consumers in these states could result in fines, enforcement actions, and potential findings of deceptive trade practices, among other penalties.

In light of these developments, businesses should act now to integrate risk assessment processes into their operations. Proactively evaluating high-risk activities and maintaining compliance with evolving privacy laws will help mitigate legal exposure, protect consumer trust, and position organizations for success in an increasingly regulated data environment.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
