Key point: Businesses subject to the CCPA now must conduct risk assessments for certain types of processing activities and, starting in 2028, must certify to California regulators that they completed the assessments.

The California Consumer Privacy Act’s (CCPA) new regulations went into effect on January 1, 2026. Although the new regulations bring many changes for businesses subject to the CCPA, one of the biggest changes is a new requirement to conduct risk assessments for processing activities that present “significant risk to consumers’ privacy.” This can encompass many types of common data processing activities such as the use of third-party cookies and tracking technologies, processing of sensitive personal information (e.g., biometric data), and the use of AI for certain employment-related activities. Like the CCPA, the risk assessment requirement applies to consumer, employee, and commercial personal information.

Importantly, on April 1, 2028, businesses subject to the CCPA must file a certification with the California Privacy Protection Agency (CalPrivacy) attesting — under penalty of perjury — that they conducted the required risk assessments. The certification must be signed by a member of the business’s executive management team.

In this article, we provide an overview of the new risk assessment requirement.

What types of processing activities require risk assessments?

Businesses are required to conduct risk assessments if their processing of consumers’ personal information presents a “significant risk to consumers’ privacy.” The regulations identify six processing activities that trigger the risk assessment requirement:

  1. Selling or sharing personal information.
  2. Processing sensitive personal information (with certain exceptions for the processing of employee sensitive personal information).
  3. Using automated decision-making technology (ADMT) for a significant decision concerning a consumer.

Read the Full Article at Troutman Privacy
