The California Consumer Privacy Act (CCPA) regulations have always included an incentive for businesses that share personal information of California consumers with service providers and third parties to assess these recipients’ compliance with CCPA, including its mandatory contract terms. Recent updates to the regulations have changed those incentives into statutory obligations.
The CCPA’s new risk assessment regulations take effect on January 1, 2026. They include a mandatory obligation to report your risk assessment activities to the California Privacy Protection Agency (CPPA), beginning on April 1, 2028. Businesses should begin building their capabilities to meet the new CCPA risk assessment requirements now and commence assessments in 2026.
CCPA Risk Assessments: The Basics
Why are risk assessments being required?
California wants businesses to evaluate the risks and benefits of using consumers’ personal information before they begin processing the data for a purpose that presents significant consumer risks. Their stated goal is to make businesses consider whether the risks to consumers’ privacy are outweighed by the benefits the processing will deliver to the consumer, the business, other stakeholders, and the public. Businesses that operate in the UK and Europe will recognize this risk/benefit analysis structure from the GDPR.
Do I have to start now if reporting is not required before 2028?
Yes, because the regulations include a section on timing of the assessments. It says that a business must conduct and document a risk assessment before initiating any processing activity that creates a significant risk to consumers (as detailed below). If your first report to the CPPA in 2028 does not show that you conducted your assessments before you started the processing, you will be in violation of this timing requirement. In addition, the CPPA or the California Attorney General may require a business to submit its risk assessment reports at any time, and the business must comply within 30 days.
When are risk assessments required?
They are required when your processing of consumers’ personal information poses a significant risk to their privacy. Significant risk is defined to mean these activities:
- Selling or sharing personal information. Note that “sharing” means sharing for cross-context behavioral advertising purposes (i.e., targeted advertising).
- Processing sensitive personal information, such as information about a consumer’s health, finances, or precise location.
- Using Automated Decision Making Technologies (ADMT – think “AI”) to make a significant decision concerning a consumer. Note that “significant decision” is a defined term in the CCPA regulations and relates to financial, housing, educational, employment, and healthcare decisions affecting a consumer.
- Using automated processing (again, think AI) to infer or extrapolate a consumer’s capabilities or qualifications, location or movements:
  - When the consumer is acting as an educational or job applicant, student, employee, or independent contractor for you, or
  - Based on the consumer’s presence in a sensitive location, such as a healthcare facility.
- Using personal information to train ADMT (AI) or biometric identification technologies for the business’s use in making significant decisions about consumers.
What information must be included in risk assessments?
The required contents of CCPA risk assessments are specific and comprehensive. They are too extensive to cover in detail here, but some key highlights are below.
- Risk assessments must be documented in a report.
- For each type of risk activity where an assessment is required, the report must include:
  - The purpose of the processing, with specificity.
  - The categories of personal information to be processed for that purpose, including any sensitive personal information.
  - A description of the operational elements of the processing, such as collection methods, data sources, retention periods, how the business interacts with consumers to collect the information and the purpose of that interaction, the disclosures made to the consumers, the approximate number of consumers involved, and the names or categories of service providers, contractors or third parties that receive the personal information and the reasons for the disclosures to each. If ADMT is an intended use, additional information is required.
  - Both the benefits and negative impacts of the processing.
  - Any safeguards the business employs to protect consumers’ data.
  - The go/no-go decision that the business made based on the assessment.
  - The business’s personnel that provided the information for the assessment.
  - The date the assessment was reviewed and approved, along with the names and positions of the approvers. Approvers must include a person who has authority to make the go/no-go decision.
What must be reported in our risk assessment reports to the CPPA?
Risk assessment reports to the CPPA must include:
- An attestation by a knowledgeable member of the business’s executive management team that required risk assessments were completed and are true and correct, and
- A summary of the risk assessment information. Additional details are specified in the regulations.
Next Steps
The new CCPA risk assessment regulations are substantial and detailed. For businesses not already accustomed to conducting privacy risk assessments, complying with them will require planning and cross-enterprise processes and procedures. Businesses are encouraged to start their planning now and begin conducting risk assessments in 2026.