Vault Door

CCPA Risk Assessment Requirements: What Businesses Need to Do Now

By Scott Hall, Phillip Wiese, and Katherine Gianelli

Since CalPrivacy (formerly the CPPA) finalized sweeping updates to the California Consumer Privacy Act (CCPA) regulations in July 2025, risk assessments are now a centerpiece of data privacy compliance. The message from regulators is clear: California is moving decisively toward a proactive, risk-based privacy regime, and businesses will be expected to evaluate and document their higher-risk data practices before they occur.

For many organizations, this marks a significant evolution in compliance expectations. Risk assessments are no longer a matter of internal best practice. They are now a formal, enforceable requirement that will demand new processes, closer coordination across teams, and greater executive oversight and accountability.

Risk Assessments as a Core Compliance Obligation

Beginning January 1, 2026, businesses subject to the CCPA must conduct risk assessments for processing activities that present a “significant risk” to consumers’ privacy. These assessments must be completed before the relevant processing takes place, reflecting a shift away from reactive compliance and toward forward-looking risk management.

The scope of what constitutes “significant risk” is broad. In practice, it will capture many common data-driven activities, including the sale or sharing of personal information, the use of sensitive personal data such as precise geolocation or health information, and the deployment of automated decision-making technologies in consequential contexts like hiring, lending, or housing. Profiling in workplace or educational environments, as well as certain AI and analytics tools that infer consumer characteristics, also fall within the scope.

For companies that rely heavily on data analytics, targeted advertising, or use of automated decision-making technology, this means that risk assessments are likely to become a routine and recurring part of operations, rather than an occasional compliance exercise.

A Structured and Substantive Analysis

The CCPA regulations set forth the specific information an assessment must contain. Businesses will need to prepare a written analysis that clearly explains the purpose of the processing, the categories of personal information involved, and how the data will be used, retained, and shared. Business employees whose job duties include participating in the processing of personal information subject to a risk assessment must be included in the business’s risk assessment process.

At the heart of the requirement is a balancing test: organizations must weigh the benefits of the processing, both to the business and to consumers, against the foreseeable risks to individual privacy. In doing so, the analysis must:

  • Identify the specific business purpose for processing;
  • Identify the categories of personal information involved, including any sensitive personal information, and the minimum information necessary for achieving the stated business purpose;
  • Identify any safeguards in place to mitigate risks; and
  • Document operational details of the processing, including:
    • How the information is collected, used, and disclosed;
    • The duration of retention (or how such duration will be determined);
    • How the business interacts with customers;
    • How many customers are affected;
    • What disclosures the business makes to customers about the processing; and
    • What third parties (service providers, contractors, or otherwise) will have access to that information and what purpose that access will serve.

This assessment requires thoughtful judgment and attention to detail as those with knowledge of the processing consider questions about the business’s data processing practices.

As noted, risk assessments must be completed prior to initiating any processing activity that presents a significant risk to consumer privacy. Additionally, businesses must update their risk assessments within 45 days when there is a material change relating to the processing activity, or, at minimum, every three years.

Reporting Obligations

CalPrivacy has coupled these substantive requirements with new reporting and certification obligations. Businesses will be required to submit summaries of their risk assessments by April 1 the year after they have been completed, starting April 1, 2028.  The summary must certify under penalty of perjury that the substance of the risk assessment is correct. While full assessments do not need to be routinely filed, they must be maintained and produced upon request.

This framework transforms risk assessments into regulator-facing documents, not just internal analyses. As a result, companies should expect that their reasoning, methodologies, and conclusions could be scrutinized in an enforcement context by CalPrivacy.

Implementation Timelines and Transition

The regulations provide a phased timeline, but the runway is shorter than it may appear. The obligation to conduct risk assessments began in January 2026, and existing data processing activities must be evaluated and a risk assessment prepared by the end of 2027, covering processing during 2026 and 2027. But for any new processing activities started after January 1, 2026 that trigger compliance obligations, a risk assessment must be completed before that new processing can begin. The first round of annual reporting is set to occur on April 1, 2028, with ongoing summary submissions required each year thereafter.

Given the breadth of in-scope activities and the level of detail required, many organizations will need substantial lead time to build and operationalize compliant programs.

Preparing for Risk-Based Privacy Practices

The practical impact of these requirements will extend across the enterprise. Legal and privacy teams will need to develop standardized frameworks and documentation processes, while product, engineering, and data teams will need to integrate risk analysis into development lifecycles. Security functions will play a key role in aligning technical safeguards with identified risks, and senior leadership may be called upon to review and certify compliance.

Organizations that have not yet formalized their data governance practices may face particular challenges, especially in mapping data flows and documenting decision-making. At the same time, companies with more mature privacy programs will need to revisit and enhance their existing processes to meet CalPrivacy’s more prescriptive and transparent requirements.

Looking Ahead

California’s regulations reinforce its position at the forefront of U.S. privacy law and reflect a broader global trend toward risk-based regulation. For businesses, the takeaway is clear: Now is the time to conduct risk assessments on relevant processing activities and to start preparing plans to submit summary assessments to CalPrivacy.

Organizations that act now to build scalable, defensible risk assessment programs will be better positioned not only to meet regulatory expectations, but also to support responsible innovation in an increasingly complex data landscape.

The Coblentz Data Privacy & Cybersecurity team can help you navigate CalPrivacy’s risk assessment requirements. Please reach out to Scott Hall or Phillip Wiese for further information or assistance.