Quick Hits
- The recently finalized California Consumer Privacy Act regulations include requirements to perform risk assessments for any processing that presents a significant risk to California residents’ privacy.
- Every business that must conduct a risk assessment will also need to submit to the California Privacy Protection Agency information regarding their assessments—including a designated contact, the time period covered by the submission, the number of risk assessments conducted or updated by the business during the time period, and more.
- Risk assessments should not be a mere formality or an isolated exercise by one person or department, but rather an integrated, cross-functional pillar of a company’s data governance structure.
- For ongoing high-risk activities, risk assessment submissions for 2026 and 2027 will be due by April 1, 2028.
What Is a Risk Assessment?
Risk assessments analyze and document potential privacy harms arising from a business’s processing of personal information. As a reminder, “processing” is an incredibly broad term that means performing any action or “set of actions” on personal information. Risk assessments must be completed before a business initiates covered processing and must be updated at least once every three years, or sooner if there is a material change to the processing that affects risks or safeguards. Every risk assessment acts as a thorough risk-benefit analysis, and must include:
- a clear and specific explanation of the purpose of the processing that is not described in generic terms;
- a description of the categories of personal information involved, including how the data is collected and from what sources, and the methods of collection, use, disclosure, and storage to be employed;
- context about consumer interactions (e.g., web, app, offline), the approximate number of consumers affected, and the disclosures that will be provided (e.g., just-in-time notices);
- use of automated decisionmaking technologies (ADMTs), if applicable, including the logic and outputs where ADMT is used to make a significant decision and how those outputs are used;
- the specific benefits of the processing to the business, consumers, other stakeholders, or the public, which again must not be described in generic terms;
- all reasonably foreseeable privacy risks and potential negative impacts to consumers that could result from the processing, including unauthorized access, discrimination, threats to physical safety, and more;
- safeguards the business will implement to mitigate identified risks, including technical, procedural, and organizational measures; and
- whether the business will initiate the processing after weighing benefits, risks, and safeguards, including the date of review and approval and the names and positions of the individuals who reviewed or approved the assessment, as well as the individuals who provided information for the assessment (excluding legal counsel).
The regulations also require documenting the names or categories of service providers, contractors, or third parties involved in the processing and the purposes for which information is made available to them. Given the breadth of required inputs—ranging from technical architecture and data flows to workforce impact and vendor dependencies—effective assessments necessarily draw on expertise from security, IT, data and analytics, product, HR, procurement/third-party risk, and the relevant business owners, in addition to representatives from legal and privacy. The regulations emphasize the involvement of all relevant internal stakeholders in the risk assessment process, including oversight by a member of senior management. Additionally, businesses are permitted to involve third-party experts in the risk assessment process.
As businesses with experience dealing with the CCPA likely know, risk assessments should not be siloed exercises carried out solely by a lawyer or privacy officer, nor should they be treated as a mere formality. These extensive requirements are designed to ensure a thorough evaluation of a project’s privacy impact.
As a practical matter, businesses may consider developing an internal template covering these points to guide their teams through the assessment. Many companies may want to integrate this process into existing governance structures—by, for example, folding the CCPA risk-assessment questions into a broader privacy impact assessment (PIA) process or an AI ethics review process, especially if the business is also subject to similar requirements under other privacy or AI laws. The regulations explicitly allow companies to rely on an existing risk assessment (such as a PIA conducted pursuant to another law), so long as the assessment covers all the elements required by California’s regulations (or is supplemented to fill any gaps). If the existing assessment lacks certain components, a business can supplement it with additional analysis rather than starting from scratch, which makes conducting an analysis to identify any gaps in coverage essential.
A business must retain risk assessments for as long as the data processing continues or for five years after an assessment is completed, whichever is longer. Companies may want to consider ensuring a system exists to track all required risk assessments and their review dates.
Who Must Complete a Risk Assessment?
The regulations require businesses to complete a risk assessment before initiating any processing of consumers’ personal information that presents “significant risk” to the consumer’s privacy. Significant risk arises for risk assessment purposes if a business:
- “sells” or “shares” personal information (as those terms are defined, which apply to a surprisingly broad range of activities, such as many commonplace website tracking technologies);
- uses sensitive data—such as precise geolocation, health, or financial information—for a nonexempt purpose;
- deploys ADMTs to make a “significant decision” concerning a consumer—such as decisions affecting financial services, housing, employment, education, or access to healthcare;
- uses automated processing to infer or extrapolate certain sensitive traits about a consumer based on systematic observation while in certain sensitive contexts, such as those involving job applicants, students, and employees;
- uses automated processing to infer or extrapolate certain sensitive traits about a person based on the person’s presence in a sensitive location; or
- intends to develop or train ADMTs or AI using individuals’ personal information (including training facial-recognition, emotion-recognition, or other technologies that verify identity or conduct physical or biological identification or profiling).
These categories likely mean that a wider range of organizations will need to perform risk assessments, potentially including advertising technology companies, data brokers, companies using algorithms or AI models to determine eligibility, and businesses that engage in consumer profiling. Inventorying data processing activities against these criteria will help determine whether a formal risk assessment is required under the regulations.
If an organization is indeed required to conduct risk assessments, these assessments will need to be reviewed at least once every three years. In addition, the organization will be required to submit annual reports (as explained in further detail below), and, if there is a material change in the relevant processing activity, update the risk assessment within forty-five calendar days. For certain HR use cases, there is a narrow carveout: processing sensitive personal information of employees or independent contractors solely for specified employment-related purposes (e.g., administering compensation, verifying work authorization, administering benefits, providing reasonable accommodation, or wage reporting) does not require a risk assessment; any other processing of sensitive personal information remains in scope. However, for processing activities that began before the regulations’ effective date, organizations will enjoy a grace period. For these activities, the regulations require that a risk assessment be conducted no later than December 31, 2027. This ramp-up period is intended to give companies that may be new to risk assessments time to comply before the reporting period begins.
Annual Reporting to the California Privacy Protection Agency
Finally, the regulations require that businesses formally report their risk assessment activity to the Agency annually. Businesses are not required to submit the full text of each risk assessment. Instead, at a higher level, each report and certification must include:
- the business’s name and the point of contact’s information;
- the time period covered by the report;
- the number of risk assessments the business conducted or updated in that period;
- whether the risk assessments accounted for the processing of certain categories of personal information and sensitive personal information covered by the CCPA;
- an attestation of compliance; and
- the name and title of the executive submitting the attestation, who must be a member of executive management directly responsible for risk-assessment compliance and knowledgeable about the assessments.
While the lighter reporting requirement may seem like a boon at first glance, proactive reporting means the Agency could use submissions to target audits or for enforcement. Organizations may thus want to treat reports not just as a bureaucratic exercise but as public-facing documents that must be accurate and supported by legitimate business justifications. Submissions must be made via the Agency’s website, and the Agency or the attorney general may require submission of the underlying risk assessment reports within thirty calendar days of a request.
For ongoing high-risk activities, risk assessment submissions for 2026 and 2027 will be due by April 1, 2028. Each April 1 thereafter, companies must submit reports for the prior calendar year. If a business did not engage in any high-risk processing activities for the calendar year, an annual report is not required.
Practical Steps
With the regulations poised to take effect, businesses may want to start laying the groundwork for compliance now. Depending upon the exact nature of the processing, this may include:
- conducting internal reviews or data-mapping exercises to identify any current or planned processing that falls into the high-risk categories;
- engaging IT, data, and business unit leaders to identify projects that might implicate high-risk categories;
- updating product development and data initiative approval processes to include a privacy risk assessment checkpoint;
- establishing a privacy and ethics review board for new data uses to centralize and document assessments;
- creating standard risk assessment templates and tools aligned with the Agency’s requirements to guide assessors through a thorough analysis;
- clarifying roles and responsibilities within the organization for participating in risk assessments;
- training relevant staff on how to identify when a risk assessment is needed and how to contribute to one;
- consolidating existing security audits and AI ethics reviews to leverage existing compliance efforts; and
- preparing for regulatory scrutiny by ensuring each risk assessment is timely, complete, and accurate.
Conclusion
For general counsel and privacy officers, the message is clear: more businesses will soon be required to conduct formal privacy risk assessments for high-risk data processing activities and to report on those activities annually to the Agency. From a compliance planning perspective, this means maintaining well-organized records and internal controls around risk assessments will be vital.
California’s new risk assessment regulations may signal a significant evolution in U.S. privacy law—moving companies from purely reactive privacy compliance (such as responding to consumer requests and breaches) and toward a proactive, accountability-based model of privacy management. By understanding these requirements and planning ahead, businesses can meet their legal obligations and enhance data governance and consumer trust.
Ogletree Deakins’ Cybersecurity and Privacy Practice Group and Technology Practice Group will continue to monitor developments and will provide updates on the California, Cybersecurity and Privacy, and Technology blogs as additional information becomes available.