California Risk Assessments: Actions for Employers

The California Consumer Privacy Act (CCPA) provides that California residents may ask businesses to disclose what personal information they have about the individual and what they do with that information, to delete the individual’s personal information, to direct businesses not to sell or share that personal information, to correct inaccurate information that the business has about the individual, and to limit businesses’ use and disclosure of an individual’s sensitive personal information.

In addition, the CCPA instructs the California Privacy Protection Agency (CPPA) to promulgate rules requiring certain businesses to conduct risk assessments. While the CPPA has drafted risk-assessment regulations, the agency hasn’t yet initiated the formal rulemaking process. However, the agency has provided a fact sheet to explain the draft regulations. The draft rules aren’t in effect and are subject to change.

This requirement was effective January 1, 2026.

Which Businesses are Required to Conduct a Risk Assessment?

The Agency states that a business that controls the collection of a consumer's personal information and must comply with the CCPA would have to conduct a risk assessment prior to doing any of the following:

  1. Sell or share the personal information of consumers;
  2. Collect, use, disclose, retain, or otherwise process consumers’ “sensitive personal information”;
  3. Use automated decision-making technology (ADMT) for a “significant decision” or for “extensive profiling”;
  4. Use personal information to train ADMT or artificial intelligence (AI) that could be used.

“ADMT” is technology that makes decisions, or that a person relies upon to make a decision, such as a resume-screening tool that a business uses to determine which applicants it will hire.

“Significant decisions” are decisions that have important consequences for consumers (e.g., decisions to provide or deny financial services, housing, insurance, educational or employment opportunities, healthcare services, or essential goods or services like groceries, medicine, or fuel).

“Extensive profiling” includes analyzing consumers’ personality, interests, behavior, or location in their workplace, at school, or in public places (e.g., using facial-recognition technology in a store to identify potential shoplifters), or to target ads to them.

Use of Personal Information to Train ADMT or AI

This includes the following:

  • To identify people (e.g., facial-recognition technology);
  • For physical or biological identification or profiling (e.g., analyzing people’s facial expressions or gestures to infer their emotional state);
  • To make significant decisions;
  • To generate deepfakes (e.g., fake images of real people that are presented as truthful or authentic); or
  • To operate generative models.

Note that “sensitive personal information” includes items such as Social Security numbers, financial information, precise geolocation, health information, email address, purchase history, biometrics (e.g., facial recognition), browsing history, and children’s personal information.

What’s Included in a Risk Assessment?

  • The reason the business must do any of activities listed above;
  • The types of personal information the business would collect, use, disclose, and retain to do the activity;
  • The way in which the business would conduct the activity (e.g., how many consumers would be affected, what the business would tell them about its use of their personal information, who else might be involved, which technology it plans to use; and for certain uses of ADMT, how the business would use the ADMT to make decisions).
  • The benefits and consequences to consumers connected to the activity, and protections the business plans to put in place. Benefits include benefits to the business, consumers, other stakeholders, and the public. Consequences to consumers might include unauthorized access to their personal information, discrimination on the basis of protected characteristics (e.g., race or gender), failing to provide sufficient information to consumers so that they understand how their personal information would be used, or creating additional costs for consumers.
  • The individuals at the business who contributed to, reviewed, and approved the risk assessment.
  • Whether the business will initiate the activity.

Note: A business would not be allowed to begin an activity if the risks to consumers’ privacy outweighed the benefits of the activity.

When Would a Business Have to Conduct or Update a Risk Assessment?

A business would have to do a risk assessment before engaging in a number of routine data processing practices, as listed above. Moreover, the business would also have to review (and update if needed) its risk assessments at least once every three years to make certain it was accurate.

If something significant changed as to the way the business performed the activity (e.g., if it needed to collect more sensitive personal information), the business would be required to update its risk assessment immediately.

Also, the business’s service provider or contractor would have to provide the business with the information required to conduct the risk assessment. The Agency states that a business could obtain information from them as part of its risk-assessment process.

What’s the Deadline for Submission?

A business would have 24 months to submit the following to the Agency:

  1. A certification that it completed its risk assessments as set forth in the draft regulations; and
  2. An abridged risk assessment.

An abridged risk assessment is a brief version of the full risk assessment, and would include: (i) the specific activity that triggered the risk assessment; (ii) the reason the business needed to do that activity; (iii) the types of personal information needed for the activity; (iv) whether they included sensitive personal information; and (v) the protections implemented.

After its first submission, a business would submit its certification and any new or updated abridged risk assessments annually. If the Agency or the Attorney General requested a business’s unabridged risk assessment, the business would have 10 business days to deliver this.

Note that a business wouldn’t be required to replicate the same risk assessment. However, if the risk assessment didn’t satisfy all of the requirements in the draft regulations, the business would have to augment it as needed.

Takeaway

To determine if a business is required to conduct risk assessments, employers should plan to inventory their prospective and current uses of sensitive personal information, location information, automated technologies that evaluate human resources data, training AI or automated decision-making technologies, and website tracking technologies, and determine whether the risk assessment requirement applies to each use.

Employers should consider the possible actions they might take to alter their practices to steer clear of the risk assessment requirement.

For questions regarding this topic, contact us at Eanet, PC.
