Are you a marketer? Perhaps an analytics or data science professional? Maybe an Optimization lead? Then this blog is for you. The below processes are very likely to impact you due to the regulatory requirements.
This past September California finalized risk assessment requirements for the California Consumer Privacy Act (CCPA). These regulations are very prescriptive as to when an assessment is needed, what goes into a risk assessment, and when reporting on these assessments to the State needs to occur.
Note: The following talks about regulations and risk assessments. You are advised to seek out qualified counsel or risk personnel to assist you with your specific situation.
The risk requirements begin on page 83 of the finalized regulations and require that companies subject to the CCPA attest to the California Privacy Protection Agency (CPPA).
By April 1, 2028, a business covered by the CCPA must submit to the CPPA:
- An attestation that required risk assessments were completed, and
- A summary of their risk assessment information.
Compliance with the risk requirements begins January 1st, 2026 with the first mandatory reporting occurring in April of 2028. For assessments occurring for 2027 and later, attestation of completion occurs in the following year on April 1st.
While the initial timeline seems generous, given the complexity of the assessments and the scope of impacted systems, affected companies are strongly encouraged to prioritize compliance activities in the short term.
Separate from the attestation, the CPPA or the California Attorney General may request copies of risk assessment reports at any time, and these must be provided within 30 calendar days. This adds increased importance to conducting these assessments in the identified manner.
When is an assessment required?
Subsection a of Section 7150 states that a risk assessment is required whenever data processing presents significant risk to the consumer’s privacy. Notably, subsection b goes on to state in the first condition that selling or sharing personal information presents significant risk.
Under the CCPA – the definition of personal information is very broad. Personal data includes any data that identifies, relates to, or could reasonably be linked to a person or their household – either directly or indirectly. This includes (but is not limited to):
- Name
- Email Address
- Purchase History
- Browsing History
- Location Data
- IP Address
- Profiles of the consumer
- Sensitive personal information
This means that the following activities will likely trigger this type of assessment:
- Targeted Advertising (both targeting and measurement)
- Most kinds of analytics, both software and analysis
- Most kinds of A/B testing, both software and analysis
- Most website 3rd party “widgets”. Such widgets very likely get the user’s IP Address.
Relevant Considerations for Agencies / Contractors:
- You’ll need to do assessments for your own website / mobile app and related services
- You may be expected to assist your clients with the completion of their own assessments, in particular for any service or product you recommend.
Given the sheer scope of affected systems and processes, I expect these assessments to take a non-trivial amount of time. This can affect launch timelines, as these assessments are required to be done **prior** to the data collection / processing.
It is reasonable to think, “this will slow me down” and yes it likely will – and that’s by intent. Section 7154 outlines the goals of a risk assessment:
The goal of a risk assessment is restricting or prohibiting the processing of personal information if the risks to privacy of the consumer outweigh the benefits resulting from processing to the consumer, the business, other stakeholders, and the public.
Stakeholder Involvement
When faced with new regulations, a lot of teams seek to offload the work to Legal / Compliance groups. The regulations account for this (Section 7151) – and mandate that business employees support the assessment process by making information available for the assessment.
For example – if Marketing wants to collect more personal information for advertising, the specific employees who made that determination will need to be part of the assessment process.
This means that the business and engineering groups will likely need to be part of any assessment conducted on behalf of the business, which is likely to be a change in process.
What’s in an assessment?
An assessment is a complex analysis that looks at risk to the consumer from multiple angles. In addition to the stakeholder involvement, outside sources may be required to complete specific parts of the assessment.
Risk Assessment Requirements – identify and document:
- The business purpose for processing consumer personal information. This can’t be in generic terms such as “improving services”. If a topic like “improving services” is used – it needs to be specific in how those services are improved.
- The categories of personal information to be processed, inclusive of any sensitive personal information.
- The business’s planned methods for collecting, using, disclosing, retaining or otherwise processing personal information, and the sources of that personal information.
- How long the business plans to retain each category of personal information, or the criteria the business plans to use to determine that retention period.
- The business’s method of interacting with the consumers whose personal information the business plans to process, and the purpose of that interaction.
- The approximate number of consumers whose personal information the business plans to process.
- What disclosures the business has made or will plan to make to the consumer about processing their information.
- The names or categories of the service providers, contractors or third parties that personal data will be disclosed to, and the purpose for which it is disclosed.
- The benefits to the business, the consumer, other stakeholders and the public from the processing of personal information. Note, this can’t be in generic terms.
- The negative impacts to the consumer’s privacy associated with the processing. The business must identify the sources and causes of these negative impacts, including:
  - Economic harms, including limiting or depriving consumers of economic opportunities.
  - Physical harms to the consumer or property, including processing that creates opportunity for physical or sexual violence.
  - Reputational harms, inclusive of emotional distress, stress, anxiety, embarrassment, fear, frustration, shame and feelings of violation that could negatively impact an average consumer. The regulations give the disclosure of nonconsensual intimate imagery or of a pregnancy test purchase as examples of disclosures that may cause emotional distress.
- Any safeguards that the business plans to implement for the processing to address the negative impacts identified above. Examples include security, encryption, use of privacy-enhancing technologies or the consulting of external parties.
- Whether the business will initiate the processing post risk assessment.
- All individuals who provided information for the assessment, except for legal counsel who provided legal advice.
- The date the assessment was reviewed and approved, and the names and positions of the individuals who reviewed and approved the assessment, except for legal counsel who provided legal advice. The regulations specifically call out that a person who has the authority to participate in deciding whether the business will conduct the processing covered by the assessment **must** review and approve the assessment.
If the assessment covers Automated Decision Making Technology (ADMT) – additional information needs to be part of the assessment:
- The logic of the ADMT, including any assumptions or limitations of the logic; and
- The output of the ADMT, and how the business will use the output to make a significant decision.
As you can see, this process touches on multiple areas and may require several team members to complete. It is unlikely that these reports can be generated quickly if done as intended. It is advised to build in enough time up front, because these assessments must be completed prior to conducting the activity covered in the assessment for any activity begun after January 1st, 2026.
Assessment Timing and Retention
A business must comply with several conditions around when to conduct and update an assessment:
- A business must conduct and document a risk assessment in accordance with the regulations before initiating any processing activity identified in Section 7150 – subsection b. For most cases – this will be the selling or sharing of personal information.
- At least once every three years, the business must review, and update if necessary, the risk assessment to ensure it remains accurate.
- A business must update the assessment as soon as possible, but within 45 days, of a material change relating to the processing activity.
- The business must retain the risk assessments, including both original and updated versions, for as long as the processing continues, or for five years after the processing completes, whichever is later.
For activities that started prior to January 1st 2026, and continue after January 1st 2026 – the business has until December 31st 2027 to conduct the risk assessment. Any new activity after January 1st 2026 needs an assessment prior to conducting the activity.
Attestation to the Agency
Beginning April 1st 2028 and every year thereafter a business must attest to the State of California that these assessments are being conducted.
A business must submit to the California Privacy Protection Agency:
- The business’s name, and point of contact for the business, inclusive of name, phone number and email address
- The time period covered by the submission, by month and year.
- The number of risk assessments conducted or updated by the business during the time period for the submission, both in total and for each of the processing activities identified.
- Whether the risk assessments conducted or updated during the time period of the submission involved the processing of personal information and sensitive information.
- Attestation under penalty of perjury. Perjury in California can include fines of up to $10,000 or up to four years in prison.
- The name and business title of the person submitting the risk assessment information and the date.
The person submitting must be a member of the business’s executive management team who:
- Is directly responsible for the business’s risk-assessment compliance;
- Has sufficient knowledge of the business’s risk assessment to provide accurate information; and
- Has the authority to submit the risk assessment information to the Agency.
In closing
As you can see – these assessments are extensive and can cover a wide array of information. They will mandate inclusion of business stakeholders and involve Executive attestation. These processes may be new for businesses unfamiliar with data privacy laws, and discussions may need to happen with the Executive team so they understand this new reality.
The turn of the year will prove interesting and if the above is anything to go by – expect new processing activities to take longer and require more paperwork. With the CCPA Security Requirements also looming, multiple business teams will have to find new ways of working as the calendar changes.
The best advice I can offer is to be proactive about it. These processes may consume a large amount of time. It’s best to begin work on these activities and have the required executive discussions in the short term, so that if the California Attorney General comes knocking you will have something to show them when prompted.