The California Privacy Protection Agency (CPPA) recently adopted updates to the California Consumer Privacy Act (CCPA) regulations, which the California Office of Administrative Law approved on September 23, 2025. The updates add new requirements covering automated decision-making technology, cybersecurity audits, and risk assessments. This blog post, based on information released by Jackson Lewis, focuses on the new CCPA risk assessment requirements. For context, the California Attorney General's Office began bringing enforcement actions against businesses that violated the CCPA in July 2020.
Overview of the California Consumer Privacy Act (CCPA)
The CCPA went into effect on January 1, 2020. It protects consumers' privacy by placing obligations on how businesses collect, use, and share the personal information of California residents. Among those protections, the CCPA gives consumers the right to:
- know what personal data is being collected about them;
- know whether their personal data is sold or disclosed and to whom;
- say no to the sale of personal data;
- access their personal data;
- request a business to delete any personal information about a consumer collected from that consumer; and
- exercise their privacy rights without fear of discrimination.
Updates to the California Consumer Privacy Act (CCPA)
Less than eleven months after the CCPA took effect, it was amended by the California Privacy Rights Act (CPRA), approved by California voters in November 2020. The CPRA added privacy protections for individuals and, in particular, extended the CCPA's protections to the personal information of employees, employees' dependents who receive benefits, job applicants, independent contractors, and board members.
The CPRA also established the aforementioned California Privacy Protection Agency (CPPA), which implements and enforces the law. Existing federal law primarily protects the data in employees' personnel files and bars employers from asking certain unlawful interview questions; the CPRA goes further, providing more comprehensive data protection that allows individuals to opt out of, delete, or correct certain records. In this way, the CPRA closely mirrors data protection laws overseas, such as the European Union's General Data Protection Regulation (GDPR). The CPRA went into effect on January 1, 2023.
Finally, it is important to note that the CPRA amended the CCPA; it did not create a new law. For that reason, the law discussed in this post is referred to as the "CCPA" or "California Consumer Privacy Act."
Who Does the California Consumer Privacy Act (CCPA) Apply To?
A business must comply with the CCPA if it meets all three of the following conditions:
- The company does business in California (even if it is based elsewhere).
- The business collects consumers' personal information (or has it collected on its behalf).
- The company, alone or jointly with others, determines the purposes and means of processing that personal information.
In addition, the business must meet at least one of the following thresholds:
- The annual revenue requirement is satisfied if, as of January 1 of a calendar year, the business had annual gross revenues in the preceding calendar year in excess of $25 million.
- The business “alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households.”
- The business derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.
New Risk Assessment Requirements
Under the September 23 regulation updates, businesses must now conduct a risk assessment before processing personal information in a way that presents a significant risk to consumers' privacy. According to Jackson Lewis, the California Privacy Protection Agency (CPPA) has also defined activities that automatically require a risk assessment. These include:
- Selling or sharing personal information.
- Processing “sensitive personal information.” Sensitive personal information includes precise geolocation, racial or ethnic origin, religious beliefs, genetic data, biometric information, health information, sexual orientation, and citizenship status.
- Using automated decision-making technology (ADMT) to make significant decisions about consumers. Such decisions include those resulting in the provision or denial of financial services, lending, housing, education enrollment, employment opportunities, compensation, or healthcare services.
- Profiling a consumer through “systematic observation” when they are acting in their capacity as an educational program applicant, job applicant, student, employee, or independent contractor for the business.
- Profiling a consumer based upon their presence in a “sensitive location.”
- Processing personal information to train ADMT for significant decisions, or train facial recognition, biometric, or other technology to verify identity.
The Different Pieces of a Risk Assessment
Where a risk assessment is required under the California Consumer Privacy Act (CCPA), the California Privacy Protection Agency (CPPA) has released guidance on how to perform it. In summary, the steps include:
- Determining which stakeholders should be involved in the risk assessment process and the nature of that involvement.
- Establishing appropriate purposes and objectives for conducting the risk assessment.
- Satisfying timing and record-keeping obligations.
- Preparing risk assessment reports that meet specific content requirements.
- Submitting certifications of required risk assessments to the CPPA on time.
For a more in-depth look at the required steps, employers should consult the agency's guidance.
Employer Takeaways
The September 2025 updated regulations signal a new era in California Consumer Privacy Act (CCPA) compliance. With the introduction of risk assessments, businesses must evaluate and document the privacy implications of their data processing activities before the processing begins. Employers who are regulated by the CCPA and have questions about the September release should consult with their legal counsel.