The Essential CA Privacy Update Series: Part 2--What Makes CA Risk Assessments Different?
by: Joyce Kim
California has joined other states in requiring businesses to conduct risk assessments when handling personal information that could pose significant security risks to consumers. The good news? If you're already doing risk assessments, you can adapt them to meet these new rules. Risk assessments should cover activities starting in 2026, even though submissions aren’t required until later.
When You Need a Risk Assessment
Generally, state privacy laws require a risk assessment for targeted advertising, sale of personal data, profiling activities, and processing sensitive data. California goes further by also requiring assessments for these instances:
Employee and contractor data beyond HR: Using sensitive information about personnel beyond basic HR functions like payroll, benefits, and accommodations.
Automated decision-making technology (ADMT): Using automated technology to make significant decisions.
Workplace/Educational profiling: Using automated tools or algorithms to guess or predict things about a person in educational or employment settings.
Sensitive location tracking: Using automated tools or algorithms to guess or predict things about a person based on their presence in a sensitive location.
AI training: Using personal information to train an automated decision-making system for facial-recognition, emotion-recognition, identity verification, or user profiling (including customers and personnel).
To provide some illustrative examples, you’ll likely need a risk assessment if you:
Share sensitive data like precise location or health information with analytics providers;
Show targeted ads across different websites based on tracking consumer behavior;
Use AI or automated tools in your hiring decisions; or
Collect facial data to train facial recognition technology.
Unique CA Content Requirements
We provide an overview of unique content requirements for California, including both new and existing requirements.
California explicitly prohibits vague statements like "to improve our services" or "for security purposes." You need to be specific and explain in more detail the purposes for processing and the benefits that result from the processing.
What else you need to include:
How you interact with consumers – Describe your methods of engagement (ex. applications or websites).
Number of people affected – Provide an estimate of number of individuals impacted.
Your notice approach – Explain how you'll disclose information to consumers.
AI and automated decision-making details – If you're using these technologies, identify the logic being used and the output of the ADMT.
Sources of potential harms – Don't just list negative impacts to consumers. Explain the sources and causes of those harms.
Accountability – Name who contributed to the assessment and who approved it (legal counsel excluded).
Updating Third-Party Contracts
Your service provider and contractor agreements need to cover risk assessments. Specifically, your service providers and contractors must agree to provide complete and accurate information necessary for your risk assessment. The CPPA has already penalized businesses for missing contractual privacy provisions, so make sure yours are updated.
Action Items
Check if this applies to you - Figure out which of your activities require assessments
Build your process - Create new templates or adapt existing processes and templates
Prepare your submission - Get ready to provide assessment information to the CPPA
Set deadline reminders - Don't miss submission dates
Update contracts - Revise agreements with service providers and contractors to reflect these requirements
Important Dates for CA Risk Assessments
You don’t need to submit the entire risk assessment. The CPPA only wants summary information on how many assessments you completed for each activity type and confirmation that you finished them. You’ll need to update risk assessments whenever there is a material change or once every 3 years, whichever comes first. Importantly, the submitter needs to be a member of your business’s executive management team who is directly responsible for risk-assessment compliance and has sufficient knowledge and authority to submit on behalf of the business.
Risk assessments conducted in 2026 or 2027
Deadline: April 1, 2028
Risk assessments conducted after 2027
Deadline: No later than April 1 of the following year
This is Part 2 in our series on California's new privacy regulations; to read Part 1, click here.
Originally published by InfoLawGroup LLP.