Under the CPRA amendments to the CCPA, a business whose processing of personal information presents a significant risk to consumers' privacy or security must conduct a risk assessment. California Civil Code 1798.185 directs the California Privacy Protection Agency to issue rules on these assessments, and the Agency's regulations set out when one is required and what it must weigh: the purpose of the processing, the personal information involved, the benefits to the business and others, and the risks to consumers, with a conclusion on whether the benefits outweigh the risks.
The CCPA started as a transparency-and-rights law. The CPRA amendments turned part of it into a risk-assessment regime: certain processing now has to be evaluated for its risk to consumers before it proceeds, and documented. This guide covers when a CCPA risk assessment is required, what it has to weigh, how to conduct it, and where these assessments fall short.
What a CCPA risk assessment is
A CCPA risk assessment is a documented analysis of whether a processing activity's risks to consumers are justified by its benefits. The mandate comes from California Civil Code 1798.185(a)(15), which directs the California Privacy Protection Agency to require risk assessments for processing that presents significant risk, and the Agency's regulations fill in the detail. It is closer to the GDPR's DPIA than to the CCPA's older notice obligations.
When it is required
The trigger is processing that presents a significant risk to consumers' privacy or security. The Agency's regulations identify the categories that meet that bar, which generally include selling or sharing personal information, processing sensitive personal information, using personal information to train automated decision-making technology, and certain profiling. If your processing falls into a covered category, the assessment is required.
What it must weigh
| Element | What it captures |
|---|---|
| Purpose | Why the processing is carried out and what it is meant to achieve. |
| Personal information | The categories of personal information, including sensitive information, and the operational details of the processing. |
| Benefits | The benefits of the processing to the business, the consumer, other stakeholders, and the public. |
| Risks | The negative impacts on consumers' privacy, weighed against the safeguards in place to reduce them. |
| Conclusion | Whether the benefits of the processing outweigh the risks to consumers. |
How to conduct one
Step 1: Determine whether an assessment is required
Map your processing against the Agency's covered categories. If any apply, an assessment is required before the processing proceeds.
Step 2: Describe the processing and the data
Document the purpose, the categories of personal information, and how the processing operates, including any sensitive information and automated decision-making.
Step 3: Identify benefits and risks
Set out the benefits to the business, consumers, and the public, and the risks to consumers, including the safeguards that reduce them.
Step 4: Reach and document the conclusion
State whether the benefits outweigh the risks, with the reasoning, and record the safeguards relied on.
Step 5: Retain and submit on the Agency's schedule
Keep the assessment and submit it to the Agency as its regulations require. Review and update it as the processing changes.
Where these assessments fall short
- Treated as a notice exercise. The assessment restates the privacy policy rather than weighing benefits against risks.
- No conclusion. Benefits and risks are listed but the required benefits-outweigh-risks judgment is never made.
- Scope gaps. Covered processing, especially profiling or training automated decision-making technology, is missed.
The CCPA risk assessment is California's version of weighing a processing activity's impact on people before it proceeds. For the wider regime, see the CCPA / CPRA compliance guide and the CCPA glossary; for the same benefits-versus-risk logic under EU law, see the GDPR DPIA guide.
Primary sources
- Cal. Civ. Code 1798.185(a)(14)-(15): The CPRA mandate for regulations on risk assessments and cybersecurity audits.
- California Privacy Protection Agency regulations: The CPPA rules governing when a risk assessment is required and what it must contain.