• CCPA Risk Assessment Requirements: What Businesses Need to Do Now

    By Scott Hall, Phillip Wiese, and Katherine Gianelli

    Since CalPrivacy (formerly the CPPA) finalized sweeping updates to the California Consumer Privacy Act (CCPA) regulations in July 2025, risk assessments are now a centerpiece of data privacy compliance. The message from regulators is clear: California is moving decisively toward a proactive, risk-based privacy regime, and businesses will be expected to evaluate and document their higher-risk data practices before they occur.

    For many organizations, this marks a significant evolution in compliance expectations. Risk assessments are no longer a matter of internal best practice. They are now a formal, enforceable requirement that will demand new processes, closer coordination across teams, and greater executive oversight and accountability.

    Risk Assessments as a Core Compliance Obligation

    Beginning January 1, 2026, businesses subject to the CCPA must conduct risk assessments for processing activities that present a “significant risk” to consumers’ privacy. These assessments must be completed before the relevant processing takes place, reflecting a shift away from reactive compliance and toward forward-looking risk management.

The scope of what constitutes “significant risk” is broad. In practice, it will capture many common data-driven activities, including the sale or sharing of personal information, the use of sensitive personal data such as precise geolocation or health information, and the deployment of automated decision-making technologies in consequential contexts like hiring, lending, or housing. Profiling in workplace or educational environments, as well as certain AI and analytics tools that infer consumer characteristics, also falls within scope.

For companies that rely heavily on data analytics, targeted advertising, or automated decision-making technology, this means that risk assessments are likely to become a routine and recurring part of operations, rather than an occasional compliance exercise.

    A Structured and Substantive Analysis

    The CCPA regulations set forth the specific information an assessment must contain. Businesses will need to prepare a written analysis that clearly explains the purpose of the processing, the categories of personal information involved, and how the data will be used, retained, and shared. Business employees whose job duties include participating in the processing of personal information subject to a risk assessment must be included in the business’s risk assessment process.

    At the heart of the requirement is a balancing test: organizations must weigh the benefits of the processing, both to the business and to consumers, against the foreseeable risks to individual privacy. In doing so, the analysis must:

    • Identify the specific business purpose for processing;
    • Identify the categories of personal information involved, including any sensitive personal information, and the minimum information necessary for achieving the stated business purpose;
    • Identify any safeguards in place to mitigate risks; and
    • Document operational details of the processing, including:
      • How the information is collected, used, and disclosed;
      • The duration of retention (or how such duration will be determined);
      • How the business interacts with customers;
      • How many customers are affected;
      • What disclosures the business makes to customers about the processing; and
      • What third parties (service providers, contractors, or otherwise) will have access to that information and what purpose that access will serve.

    This assessment requires thoughtful judgment and attention to detail as those with knowledge of the processing consider questions about the business’s data processing practices.

    As noted, risk assessments must be completed prior to initiating any processing activity that presents a significant risk to consumer privacy. Additionally, businesses must update their risk assessments within 45 days when there is a material change relating to the processing activity, or, at minimum, every three years.

    Reporting Obligations

CalPrivacy has coupled these substantive requirements with new reporting and certification obligations. Businesses will be required to submit summaries of their risk assessments by April 1 the year after they have been completed, starting April 1, 2028. The summary must certify under penalty of perjury that the substance of the risk assessment is correct. While full assessments do not need to be routinely filed, they must be maintained and produced upon request.

    This framework transforms risk assessments into regulator-facing documents, not just internal analyses. As a result, companies should expect that their reasoning, methodologies, and conclusions could be scrutinized in an enforcement context by CalPrivacy.

    Implementation Timelines and Transition

    The regulations provide a phased timeline, but the runway is shorter than it may appear. The obligation to conduct risk assessments began in January 2026, and existing data processing activities must be evaluated and a risk assessment prepared by the end of 2027, covering processing during 2026 and 2027. But for any new processing activities started after January 1, 2026 that trigger compliance obligations, a risk assessment must be completed before that new processing can begin. The first round of annual reporting is set to occur on April 1, 2028, with ongoing summary submissions required each year thereafter.

    Given the breadth of in-scope activities and the level of detail required, many organizations will need substantial lead time to build and operationalize compliant programs.

    Preparing for Risk-Based Privacy Practices

    The practical impact of these requirements will extend across the enterprise. Legal and privacy teams will need to develop standardized frameworks and documentation processes, while product, engineering, and data teams will need to integrate risk analysis into development lifecycles. Security functions will play a key role in aligning technical safeguards with identified risks, and senior leadership may be called upon to review and certify compliance.

    Organizations that have not yet formalized their data governance practices may face particular challenges, especially in mapping data flows and documenting decision-making. At the same time, companies with more mature privacy programs will need to revisit and enhance their existing processes to meet CalPrivacy’s more prescriptive and transparent requirements.

    Looking Ahead

    California’s regulations reinforce its position at the forefront of U.S. privacy law and reflect a broader global trend toward risk-based regulation. For businesses, the takeaway is clear: Now is the time to conduct risk assessments on relevant processing activities and to start preparing plans to submit summary assessments to CalPrivacy.

    Organizations that act now to build scalable, defensible risk assessment programs will be better positioned not only to meet regulatory expectations, but also to support responsible innovation in an increasingly complex data landscape.

    The Coblentz Data Privacy & Cybersecurity team can help you navigate CalPrivacy’s risk assessment requirements. Please reach out to Scott Hall or Phillip Wiese for further information or assistance.

  • CalPrivacy to Begin CCPA Compliance Audits

    By Scott Hall and Phillip Wiese

CalPrivacy (formerly the California Privacy Protection Agency) announced recently that it intends to begin auditing businesses’ compliance with the California Consumer Privacy Act (CCPA).

    In February 2026, CalPrivacy formed its Audits Division to conduct compliance audits. The agency expects those audits to begin later this year and will focus on obtaining and analyzing privacy and technology records to ensure businesses are adhering to the CCPA’s requirements. CalPrivacy also expects the Audits Division to work closely with the Enforcement Division, which has been settling enforcement proceedings in recent months.

    While CalPrivacy has not identified the initial focus areas of its audits, businesses should confirm compliance with all aspects of the CCPA. Recently, the CalPrivacy Enforcement Division has paid particular attention to children’s data, minimizing friction for exercising CCPA rights, and data broker obligations. Under the CCPA, businesses must also have a comprehensive privacy policy, updated on an annual basis.

    If you have questions about your obligations under the CCPA, or if you would like for a Coblentz attorney to review your privacy policy, assist with a risk assessment, or facilitate a cybersecurity audit, please reach out to Scott Hall or Phillip Wiese. Our Data Privacy & Cybersecurity team would be happy to assist you.

  • BIPA Damages Limitation Applies Retroactively

    By Scott Hall and Phillip Wiese

    The Seventh Circuit recently confirmed that the 2024 amendment to the Illinois Biometric Information Privacy Act (“BIPA”) would apply retroactively, effectively limiting the available statutory damages under the statute. Going forward, damage awards under sections 15(b) or 15(d) will be limited for each plaintiff to “at most, one recovery” regardless of the number of violations, avoiding what at least one defendant described as “potentially crippling financial liability” for even simple BIPA violations.

    BIPA Overview

    BIPA prohibits companies from collecting, obtaining, or disclosing an individual’s biometric data, including biometric identifiers (e.g., eye or fingerprint scans, voice prints, face geometry, etc.) or biometric information (i.e., data derived from a biometric identifier) without first providing notice to and obtaining consent from the individual. Subsection 15(b) governs collection of biometric data and subsection 15(d) governs its disclosure. Plaintiffs could recover $1,000 for a negligent violation, or $5,000 for an intentional or reckless violation of the statute. Importantly, however, the law as originally written did not specify how to calculate damages or whether plaintiffs could recover for each time a company collected, obtained, or disclosed the biometric data. For example, BIPA was silent as to whether a plaintiff who clocked in using a fingerprint scanner twice a day for 30 days without providing consent could recover just once, up to $5,000, or for sixty separate violations, as much as $300,000. Plaintiffs have used this ambiguity to extract large settlements from companies.

    In 2023, the Illinois Supreme Court confirmed that damages should be awarded on a “per-scan” basis.[1] In other words, each time a company collected, obtained, or disclosed an individual’s biometric data without consent, it could be liable for statutory damages. The Illinois Supreme Court also wrote, in dicta, that to the extent the decision would result in “excessive damage awards,” the Illinois legislature could amend the law.

The Illinois General Assembly took up the Supreme Court’s offer in 2024, amending the damages section of BIPA to clarify that each person is limited to “one recovery” under subsections (b) and (d) so long as the company used “the same method of collection” for each.[2] The legislature also confirmed the discretionary nature of any damages award by noting that an individual is entitled to, “at most,” recovery based on a single violation.[3]

    Retroactive Application of Amendment

After Cothron, the question remained whether the amendment would have retroactive effect. The Seventh Circuit recently answered in the affirmative, holding that the damages cap applies retroactively.[4] The Seventh Circuit analyzed whether the amendment was substantive or procedural, because only procedural amendments can be retroactive under Illinois law.

    The BIPA amendment was procedural because it involved the “rules that prescribe[d] the steps for having a right or duty judicially enforced.”[5] The text of the amendment and the Illinois Supreme Court’s discussion of Section 20 in Cothron indicated that it addressed the availability of damages, not proscribed conduct. Additionally, the amendment exclusively was contained in the damages section of BIPA, not in the liability section. Each of these points demonstrated that the amendment was remedial and therefore procedural, so it could have retroactive effect.

    The appellees argued that the panel’s interpretation would wipe away millions of dollars of liability, and also that whether someone has been injured once or a thousand times is a matter of substance,[6] but the Court was not persuaded and pointed to language in Cothron noting that damages were discretionary, so plaintiffs were not guaranteed any specific recovery in the first place.[7]

Key Takeaways

• Going forward, there will be upper limits on the amount of damages available to plaintiffs. Each plaintiff can seek up to $5,000 for violations of BIPA sections (b) or (d). No longer can a plaintiff seek damages for every BIPA violation over the course of multiple years, which may lower a company’s exposure exponentially.
    • Courts still have discretion over the amount of damages, up to the statutory maximum, or even whether to award damages at all.
    • Businesses that collect biometric data should continue to maintain a privacy policy that discloses the specific data collected and collect data only from those consumers who expressly consent.
    • The Texas biometric privacy law allows the Texas Attorney General to levy fines based on each individual violation, now putting that law at odds with BIPA. The Texas law does not have a private right of action.

    The Coblentz Data Privacy & Cybersecurity team is experienced at litigating BIPA matters and can help you navigate the changing legal landscape. Please reach out to Scott Hall or Phillip Wiese for further information or assistance.


    [1] Cothron v. White Castle Sys., Inc., 216 N.E.3d 918, 927 (Ill. 2023).

    [2] 740 ILCS 14/20(b), (c).

    [3] Id.

    [4] Clay v. Union Pacific Railroad Co., 2026 WL 891902 (7th Cir. Apr. 1, 2026).

    [5] Id. at *3.

[6] Id. at *4.

    [7] Id. at *6.

  • Building and Designing to Meet the Needs of the Aging Population

Join Coblentz partner Ashley Weinstein-Carnes on Wednesday, May 21, 2026 during the Bisnow Bay Area Senior Housing Summit. Ashley will moderate the panel “Building and Designing to Meet the Needs of the Aging Population,” which will cover how senior housing facilities are being designed and built to support comfort, accessibility, safety, and wellness while maintaining efficiency and constructibility. For more details and to register, please click here.
