CCPA Risk Assessments: A Practitioner's Guide

The short version

Under the CPRA amendments to the CCPA, a business whose processing of personal information presents a significant risk to consumers' privacy or security must conduct a risk assessment. California Civil Code 1798.185 directs the California Privacy Protection Agency to issue rules on these assessments, and the Agency's regulations set out when one is required and what it must weigh: the purpose of the processing, the personal information involved, the benefits to the business and others, and the risks to consumers, with a conclusion on whether the benefits outweigh the risks.

The CCPA started as a transparency-and-rights law. The CPRA amendments turned part of it into a risk-assessment regime: certain processing now has to be evaluated for its risk to consumers, and that evaluation documented, before the processing proceeds. This guide covers when a CCPA risk assessment is required, what it has to weigh, how to conduct it, and where these assessments fall short.

What a CCPA risk assessment is

A CCPA risk assessment is a documented analysis of whether a processing activity's risks to consumers are justified by its benefits. The mandate comes from California Civil Code 1798.185(a)(15), which directs the California Privacy Protection Agency to require risk assessments for processing that presents significant risk, and the Agency's regulations fill in the detail. It is closer to the GDPR's DPIA than to the CCPA's older notice obligations.

When it is required

The trigger is processing that presents a significant risk to consumers' privacy or security. The Agency's regulations identify the categories that meet that bar, which generally include selling or sharing personal information, processing sensitive personal information, using personal information to train automated decision-making technology, and certain profiling. If your processing falls into a covered category, the assessment is required.

What it must weigh

Element | What it captures
--- | ---
Purpose | Why the processing is carried out and what it is meant to achieve.
Personal information | The categories of personal information, including sensitive information, and the operational details of the processing.
Benefits | The benefits of the processing to the business, the consumer, other stakeholders, and the public.
Risks | The negative impacts to consumers' privacy, weighed against the safeguards in place.
Conclusion | Whether the benefits of the processing outweigh the risks to consumers.

How to conduct one

Step 1: Determine whether an assessment is required

Map your processing against the Agency's covered categories. If any apply, an assessment is required before the processing proceeds.

Step 2: Describe the processing and the data

Document the purpose, the categories of personal information, and how the processing operates, including any sensitive information and automated decision-making.

Step 3: Identify benefits and risks

Set out the benefits to the business, consumers, and the public, and the risks to consumers, including the safeguards that reduce them.

Step 4: Reach and document the conclusion

State whether the benefits outweigh the risks, with the reasoning, and record the safeguards relied on.

Step 5: Retain and submit on the Agency's schedule

Keep the assessment and submit it to the Agency as its regulations require. Review and update it as the processing changes.

Where these assessments fall short

The CCPA risk assessment is California's version of weighing a processing activity's impact on people before it proceeds. For the wider regime, see the CCPA / CPRA compliance guide and the CCPA glossary; for the same benefits-versus-risk logic under EU law, see the GDPR DPIA guide.

Common questions

Does the CCPA require a risk assessment?

The CPRA amendments to the CCPA require a risk assessment for processing that presents a significant risk to consumers' privacy or security. California Civil Code 1798.185 directs the California Privacy Protection Agency to issue the rules, and the Agency's regulations set out when an assessment is required and what it must contain.

When is a CCPA risk assessment required?

When the processing presents a significant risk to consumers, as defined by the Agency's regulations. Covered categories generally include selling or sharing personal information, processing sensitive personal information, profiling, and using personal information to train automated decision-making technology.

What must a CCPA risk assessment include?

It must describe the purpose of the processing and the categories of personal information, identify the benefits to the business, consumers, and the public, identify the risks to consumers and the safeguards, and conclude whether the benefits outweigh the risks.

How is a CCPA risk assessment different from a GDPR DPIA?

Both weigh a processing activity's impact before it proceeds. The CCPA assessment is framed around whether benefits to the business and others outweigh the risks to consumers and is submitted to the California Privacy Protection Agency on its schedule; the GDPR DPIA is framed around risks to individuals' rights and triggers prior consultation when high risk remains.
From the team behind this guide

Privacy risk, assessed and documented

Compliance Command Center applies the same risk discipline across privacy regimes: it structures the assessment, weighs benefits against risks with the reasoning written down, and keeps it current. Practitioners build it, with a human reviewing every deliverable, so it holds up when a regulator asks how you reached the conclusion.