A Comprehensive Guide to CCPA Risk Assessment Requirements

Explore the essential requirements of California's Article 10 on risk assessments under CCPA. Discover how the latest regulations impact covered businesses.

Understanding California's Article 10: Risk Assessment Requirements for Consumer Privacy


I. Background


On September 23, 2025, the California Office of Administrative Law (OAL) approved the California Privacy Protection Agency's (CPPA) final regulations governing automated decision-making technology (ADMT), privacy risk assessments, and cybersecurity audits. These rules, which are the result of a nearly five-year regulatory process, require businesses to assess and document data-processing risks, conduct cybersecurity audits, and provide enhanced notices and controls to consumers subject to automated decision-making technologies (ADMT). These new rules are promulgated in California Code of Regulations, Title 11, Division 6, Chapter 1, Article 10 (§§ 7150-7157) ("Article 10) and outline:


  • 6 processing activities that trigger risk assessments (§ 7150),
  • What must be included in the assessment (§ 7152),
  • When assessments must be conducted (§ 7155),
  • How to submit information to the CPPA (§ 7157), and
  • Specific examples of compliance.


Below is a summation of the Article 10 requirements.


II. When Must Businesses Conduct Risk Assessments?


Article 10 takes an activity-based approach rather than defining coverage by business type or size. For instance, § 7150(a) requires any business whose processing presents a significant risk to consumers' privacy to conduct a risk assessment before initiating that processing. In these situations, businesses must conduct risk assessments before initiating processing activities that present significant risk to consumers' privacy. The regulations identify six specific processing activities that trigger this requirement:


1. Selling or Sharing Personal Information: Any business that sells or shares consumer personal information must complete a risk assessment before doing so. This would cover ad tech companies, data brokers, marketing platforms, and any business monetizing consumer data.


California Civil Code § 1798.140(v) defines "Personal information" as "...information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."


§ 1798.140(v)(1)(A)-(K) lists the follwing Categories of Personal Information:



  1. Identifiers: real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers.
  2. Customer records information: as described in California Civil Code § 1798.80(e). These include Customer accounts with names, addresses, phone numbers, and payment methods.
  3. Protected classification characteristics: Examples include race/ethnicity indicated on employment applications or surveys; national origin or citizenship status on I-9 forms; age or date of birth on identification documents; or Gender markers on personnel records.
  4. Commercial information: records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
  5. Biometric information: an individual's physiological, biological, or behavioral characteristics, including information pertaining to an individual's deoxyribonucleic acid (DNA), that is used or intended to be used, singly or in combination with other identifying data, to establish individual identity.
  6. Internet or electronic network activity: browsing history, search history, and information regarding a consumer's interaction with websites, applications, or advertisements
  7. Geolocation data: For example, mobile apps that collect location data and share it with third parties.
  8. Audio, electronic, visual, thermal, olfactory, or similar information
  9. Professional or employment-related information
  10. Education information: as defined under FERPA (non-publicly available personally identifiable information)
  11. Inferences: drawn from any of the above to create a profile about a consumer reflecting preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.


What Personal Information Does NOT Include:

  • Publicly available information from government records
  • De-identified or aggregate consumer information


Relationship to Article 10: Under the risk assessment requirements, businesses must identify the categories of personal information to be processed (§ 7152(a)(2)), including any categories of sensitive personal information. The required specificity ensures that the risk assessment accurately captures the privacy implications of the processing activity.


2. Processing Sensitive Personal Information: Businesses processing sensitive personal information must conduct assessments with one important exception: those businesses processing employee or independent contractor sensitive personal information solely for specific employment purposes, like compensation, employment authorizations, benefits administration, reasonable accommodations, or wage reporting, are exempt from the need to conduct an assessment for these specific purposes only.


The Article 10 regulations reference the statutory definition in Civil Code § 1798.140(ae), which defines sensitive personal information. Based on that statute and the examples within Article 10, sensitive personal information includes:


  • Social security, driver's license, state ID, or passport numbers
  • Account log-in credentials combined with passwords or security questions
  • Financial account, debit card, or credit card numbers combined with access codes
  • Precise geolocation
  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Union membership
  • Contents of mail, email, and text messages (where the business isn't the intended recipient)
  • Genetic data
  • Biometric information processed to uniquely identify a consumer
  • Health information
  • Information concerning sex life or sexual orientation


From Article 10's illustrative examples (§ 7150(c)): The regulations highlight practical scenarios involving sensitive personal information, such as a dating app disclosing users' precise geolocation, ethnicity, and medical information to an analytics provider — all of which trigger the risk assessment requirement. The employment carve-out in § 7150(b)(2)(A) is worth noting: processing employee/contractor sensitive personal information solely for compensation, employment authorization, benefits administration, reasonable accommodation, or legally required wage reporting doesn't require a risk assessment. Any other use of that sensitive data does.


3. Using ADMT for Significant Decisions: When businesses use Automated Decisionmaking Technology (ADMT) to make significant decisions about consumers, a risk assessment is mandatory.


California Code of Regulations, Title 11, § 7001(e) defines "Automated decisionmaking technology" or "ADMT" as any technology that processes personal information and uses computation to replace or substantially replace human decisionmaking.


Key clarifications within the definition:

"Replace" means to make decisions without human involvement.

"Substantially replace" means a business uses the technology's output to make a decision without human involvement. Human involvement requires the human reviewer to:

  • Know how to use and interpret the output
  • Review the output and other relevant information
  • Have the authority to make or change the decision made by the ADMT


What ADMT does NOT include: The regulations clarify that certain technologies are excluded from the ADMT definition, provided they do not replace human decision-making. These include technologies such as spam filters, spell checkers, and similar tools that augment rather than replace human decision-making.


Regulatory context: This definition was significantly narrowed from earlier drafts. The CPPA's Final Statement of Reasons explains that the Agency modified the definition to focus on higher-risk uses of ADMT—specifically, those without any human involvement. This balances consumer privacy protections with business simplification by reducing the scope of technologies. The ADMT definition is relevant to Article 10 (Risk Assessments) at § 7150(b)(3), which triggers a risk assessment when a business uses ADMT for a "significant decision" concerning a consumer.


Special Requirements for ADMT Training: Under § 7153, businesses that provide ADMT to other businesses for making significant consumer decisions must provide all facts necessary for the recipient business to conduct its own risk assessment. This requirement applies only to ADMT trained using personal information.


4. Systematic Observation in Employment/Education Contexts: Using automated processing to infer consumer characteristics from systematic observation of an individual or individuals' behavior, like educational program applicants, job applicants, students, employees, or independent contractors, requires a risk assessment. This includes inferring:


  • Intelligence, ability, or aptitude
  • Performance at work
  • Economic situation
  • Health (including mental health)
  • Personal preferences or interests
  • Reliability or predispositions
  • Behavior, location, or movements


5. Inferring Characteristics Based on Presence in Sensitive Locations: Similar to #4, but based on a consumer's presence in sensitive locations. Note: This does not include simply delivering goods or providing transportation to someone at a sensitive location.


California Code of Regulations, Title 11, § 7001(aaa) states that: "Sensitive location" means any of the following physical places: healthcare facilities including hospitals, doctors' offices, urgent care facilities, and community health clinics; pharmacies; domestic violence shelters; food pantries; housing/emergency shelters; educational institutions; political party offices; legal services offices; union offices; and places of worship.


6. Training ADMT or Biometric Systems: Businesses using personal information to train ADMT systems are required to conduct a risk assessment. Exampes include:


  • ADMT for significant consumer decisions
  • Facial-recognition technology
  • Emotion-recognition technology
  • Technologies that verify identity or conduct physical/biological identification or profiling


Practical Examples from the Regulations

The CPPA provides helpful illustrative examples:

  • Business A videotaping job interviews and using emotion-recognition technology without human involvement to decide whom to hire → Risk assessment required
  • Business B (dating app) disclosing users' precise geolocation, ethnicity, and medical information to an analytics provider → Risk assessment required
  • Business C (budgeting app) displaying payday loan ads based on consumers' financial information → Risk assessment required
  • Business D (tech provider) extracting faceprints from photos to train facial-recognition technology → Risk assessment required


IV. What Must Be Included in a Risk Assessment?


Section 7152 provides comprehensive requirements for risk assessments that must determine whether privacy risks outweigh the benefits to consumers, the business, other stakeholders, and the public.


Core Documentation Requirements:


1. Purpose Identification: A business must identify and document in a risk assessment report the business's purpose for processing consumers' personal information.

  • Must be specific and detailed
  • Generic terms like "to improve our services" are not acceptable
  • Specific purposes like "decreasing consumers' wait times when processing privacy rights requests" are required


2. Categories of Personal Information: All categories of personal information, including sensitive personal information, must be listed.

  • Document all categories to be processed
  • Include sensitive personal information categories
  • Identify the minimum personal information necessary to achieve the purpose


3. Operational Elements: Businesses must document:

  • Collection, use, disclosure, retention methods, and sources
  • Retention periods (or criteria for determining them)
  • Methods of consumer interaction (websites, apps, offline)
  • Approximate number of affected consumers
  • Disclosures made or planned to consumers
  • Service providers, contractors, or third parties involved
  • For ADMT uses: the logic of the technology and how outputs will be used


4. Benefits Analysis: Identify specific benefits (not generic claims) to:

  • The business
  • Consumers
  • Other stakeholders
  • The public


5. Negative Impact Identification: The regulations provide extensive examples of privacy harms to consider:

  • Security risks: Unauthorized access, destruction, use, modification, or disclosure of personal information
  • Discrimination: Based on protected characteristics that would violate federal or state law
  • Loss of control: Insufficient information for informed decisions or interference with consumer choices
  • Coercion: Conditioning services on unnecessary data disclosure or using dark patterns
  • Economic harms: Limiting opportunities, price discrimination, wage discrimination, or imposing unauthorized access costs
  • Physical harms: Including risks of physical or sexual violence
  • Reputational harms: Stigmatization that could negatively impact an average consumer
  • Psychological harms: Emotional distress, stress, anxiety, embarrassment, fear, frustration, shame, or feelings of violation


6. Safeguards: Document planned safeguards to address identified risks, such as:

  • Technical controls (encryption, access controls, network monitoring)
  • Privacy-enhancing technologies (trusted execution environments, federated learning, homomorphic encryption, differential privacy)
  • External consultation with experts
  • Policies, procedures, and training for ADMT to prevent unlawful discrimination


7. Decision Documentation: Document whether the business will proceed with the processing.


8. Contributors and Approvers: Identify individuals who:

  • Provided information for the assessment (except legal counsel)
  • Reviewed and approved the assessment (except legal counsel)
  • Have the authority to decide whether to proceed with the processing


Stakeholder Involvement Requirements: Section 7151 mandates specific stakeholder involvement:


Internal Stakeholders (Required): Employees whose job duties include participating in the relevant processing activity must be included in the risk assessment process.


External Stakeholders (Optional but Encouraged): Businesses may include:

  • Service providers and contractors
  • Bias detection and mitigation experts
  • Consumer representatives
  • Consumer advocacy organizations


Section 7154 makes clear that the goal of risk assessments is restricting or prohibiting processing when privacy risks outweigh benefits to consumers, the business, other stakeholders, and the public. This is not merely a documentation exercise—it requires genuine evaluation and potential changes to business practices.


V. Timing and Update Requirements


Initial Assessment Timing (§ 7155)

  • Must be completed before initiating any covered processing activity
  • For processing activities initiated before the regulations' effective date that continue after: assessments must be completed by December 31, 2027


Ongoing Review Requirements

  • Review and update assessments at least once every three years
  • Update within 45 calendar days whenever there's a "material change" to the processing activity


What Constitutes a Material Change?

A change is material if it:

  • Creates new negative impacts
  • Increases the magnitude or likelihood of previously identified negative impacts
  • Diminishes the effectiveness of safeguards
  • Examples include changes to processing purpose, minimum necessary data, or numerous consumer complaints about privacy risks


VI. Retention Requirements


Businesses must retain risk assessments (including all versions) for:

  • As long as processing continues, OR
  • Five years after completion
  • Whichever is later


VII. Flexibility Provisions


Comparable Sets of Processing Activities (§ 7156): Businesses may conduct a single risk assessment for a comparable set of similar processing activities that present similar privacy risks.


Example: A toy retailer collecting names, addresses, and birthdays from children across all stores using the same service providers and technology for birthday and November mailings may use a single risk assessment for all stores.


VII. Compliance with Other Laws

Businesses may use risk assessments prepared for other purposes (e.g., other state laws) if they contain all required information under § 7152, or are paired with supplemental documentation to meet California's requirements.


IX. Submission Requirements to the CPPA


Section 7157 establishes annual submission requirements:


Submission Deadlines

  • For 2026-2027 assessments: Submit by April 1, 2028
  • For 2028+ assessments: Submit by April 1 of the following year


X. What Must Be Submitted


Businesses must submit:

  1. Business name and point of contact
  2. Time period covered (by month and year)
  3. Number of risk assessments conducted/updated (total and by processing activity type)
  4. Categories of personal and sensitive personal information processed
  5. Attestation statement (under penalty of perjury)
  6. Name, title, and date of certification from the submitting executive


XI. Who Can Submit


The submitting individual must be an executive management team member who:

  • Is directly responsible for risk-assessment compliance
  • Has sufficient knowledge to provide accurate information
  • Has the authority to submit to the Agency


XII. Submission Method


Via the CPPA website at https://cppa.ca.gov/


XII. Additional Agency Authority


The CPPA or Attorney General may request full risk assessment reports at any time. Businesses must provide them within 30 calendar days of the request.


XIII. Key Takeaways for Businesses


  1. Plan Ahead: Risk assessments must be completed before initiating covered processing activities—not after the fact.
  2. Be Specific: Generic language is explicitly rejected. Provide concrete, detailed descriptions of purposes, benefits, and risks.
  3. Think Holistically: Consider the full range of potential harms—security, discrimination, economic, physical, reputational, and psychological.
  4. Document Thoroughly: Maintain comprehensive records including all contributors, approvers, and decision-makers.
  5. Update Regularly: Don't treat this as a one-time exercise. Review every three years at a minimum, and within 45 days of material changes.
  6. Involve the Right People: Include employees who participate in the processing and consider external expertise.
  7. Be Prepared to Say No: The goal is to restrict or prohibit processing when risks outweigh benefits. Risk assessments may require changes in business practices.
  8. Meet Deadlines: Track submission deadlines carefully and ensure executive management is prepared to certify compliance.


IX. Conclusion


California's Article 10 risk assessment requirements represent a significant shift toward proactive privacy protection. Rather than simply documenting processing activities, businesses must critically evaluate whether the privacy risks they create are justified by the benefits. This requires thoughtful analysis, cross-functional collaboration, and genuine commitment to consumer privacy.

For businesses subject to these requirements, now is the time to:

  • Inventory all processing activities that trigger risk assessments,
  • Develop standardized risk assessment templates and procedures,
  • Identify internal and external stakeholders for the process,
  • Establish systems for tracking material changes and updating deadlines, and
  • Prepare for annual submissions to the CPPA.


The regulations are comprehensive but allow businesses to tailor assessments to their specific circumstances. By taking these requirements seriously and implementing robust risk assessment practices, businesses can achieve compliance, build consumer trust, and enhance their privacy programs.


This blog post provides general information about California's risk assessment regulations and should not be construed as legal advice. Businesses should consult with qualified legal counsel to ensure compliance with all applicable requirements.

← All postsRequest an assessment