CCPA Risk Assessments: A Practical Guide for Privacy Teams

Kendall Lovett - January 14, 2026

California’s updated CCPA regulations, effective January 1, 2026, introduce a formal, documented risk assessment obligation for certain processing activities. They also mark the first time a U.S. state has introduced personal executive liability for privacy negligence.

For many privacy teams, this raises practical questions: When exactly do I need to perform a risk assessment? What format should it take? Can I reuse work I’ve already done for GDPR or other laws?

In this article, we’ll answer these and other questions from privacy and legal teams regarding how to operationalize CCPA risk assessments without reinventing the wheel.

What is the new CCPA risk assessment requirement?

California’s updated CCPA regulations include a risk assessment obligation, effective January 1, 2026.

The new standalone article (Article 10) requires businesses to conduct risk assessments for processing activities that present a significant risk to consumers’ privacy. As David Strauss explains in his analysis for Troutman Pepper Locke, this obligation is meant to operationalize the CCPA’s broader principles of purpose limitation, data minimization, and proportionality.

Unlike high-level privacy reviews, CalPrivacy expects these risk assessments to be written, reasoned, and retained.

Assessments conducted in 2026 and 2027 must be submitted to CalPrivacy by April 1, 2028 and are then due annually thereafter. In some cases, assessments must also be made available to the Agency upon request.

At a high level, the goal of a CCPA risk assessment is to demonstrate that the business has:

  • Thought critically about the privacy risks created by a specific processing activity, and
  • Determined that the benefits of the processing outweigh those risks, taking appropriate safeguards into account.

When am I required to complete a risk assessment?

A CCPA risk assessment is required before a business engages in certain high‑risk processing activities with data protected under the law. These include, in particular, any processing that involves:

  • Sensitive personal information at scale or in ways that create heightened risk
  • Automated decisionmaking technology (ADMT), especially when used to make or support significant decisions about consumers
  • Training data for automated decisionmaking models using personal information

If the processing could reasonably be expected to pose a significant risk to consumers’ privacy, security, or rights, a risk assessment is required.

Importantly, this is not a one‑time exercise. Risk assessments must be revisited when:

  • The nature, scope, or purpose of the processing materially changes, or
  • New risks emerge that were not previously considered.

Is there a specific assessment I need to use?

No. The regulations do not mandate a single, prescriptive template or form.

Instead, CalPrivacy focuses on substance over format. The assessment must cover specific elements (discussed below), but businesses have flexibility in how they structure the document.

In practice, this means:

  • You do not need to create a brand‑new “CCPA‑only” assessment from scratch if you already use structured assessments like PIAs or DPIAs.
  • You do need to ensure that whatever format you use fully addresses the CCPA‑specific requirements.

This flexibility is intentional and allows teams to build on existing privacy governance processes.

What information must be covered in the assessment?

Section 7152 of the regulation lays out detailed requirements for what a CCPA risk assessment must cover. Examples include:

  1. A description of the processing activity
    What personal information is involved, who it relates to, for how many consumers, and how it is collected, used, shared, retained, or trained on.
  2. The purpose and benefits of the processing
    Why the business is engaging in this activity and what legitimate business or consumer benefits it provides.
  3. An analysis of potential risks to consumers
    Including privacy harms, security risks, bias or discrimination concerns, and other reasonably foreseeable negative impacts.
  4. Safeguards and mitigations
    Technical, organizational, and contractual measures used to reduce identified risks (for example, access controls, minimization, retention limits, human oversight, or security controls).
  5. A balancing conclusion
    A reasoned determination that the benefits of the processing outweigh the risks to consumers, in light of the safeguards in place.
  6. Stakeholder involvement
    Identification of internal stakeholders (such as legal, privacy, security, or product teams) involved in reviewing or approving the assessment, and the completion date.

For the full list of requirements, see here.

The emphasis is on reasoned analysis, not box‑checking. CalPrivacy expects businesses to show their work.

Can I use an assessment I already created for another regulatory requirement?

Yes, in many cases.

The regulations explicitly allow businesses to leverage assessments completed for other laws or frameworks, such as GDPR DPIAs, as long as they are reasonably comparable and cover the required elements.

In practice, this usually means:

  • Starting with an existing PIA or DPIA
  • Mapping its sections to the CCPA risk assessment requirements
  • Filling any gaps specific to California law (for example, references to sensitive personal information definitions or ADMT obligations)

This approach avoids duplicative work while still meeting regulatory expectations. Just be sure the assessment is completed before the new processing activity starts.

What do I do with the assessment once it’s completed?

Completed risk assessments must be:

  • Retained for the duration of the processing activity or five years after the risk assessment is completed (whichever is longer)
  • Updated when processing changes materially
  • Made available to CalPrivacy upon request and submitted annually (with additional time to submit assessments for 2026 and 2027).

They should also be operationalized internally. A risk assessment that sits in a folder but does not inform product design, safeguards, or decision‑making undermines its purpose, and may raise questions in an enforcement context.

Many organizations integrate risk assessment outcomes into:

  • Product launch checklists
  • Engineering and design reviews
  • Vendor and procurement processes
  • Executive or privacy committee reporting

How does DataGrail help streamline CCPA risk assessments?

Operationalizing CCPA risk assessments at scale can be challenging, especially for teams already managing GDPR, CPRA, and other global obligations.

DataGrail offers powerful privacy assessment tools that help privacy teams:

  • Leverage pre‑built templates for common assessments like PIAs and DPIAs, which can be adapted to meet CCPA risk assessment requirements
  • Auto-populate the assessment based on existing system and privacy program data, so you don’t need to start from scratch
  • Allow business owners to create self-service assessments as part of the processing approval workstream
  • Standardize intake and review workflows so high‑risk processing is flagged early
  • Centralize documentation to ensure assessments are easy to update, track, and produce if requested by regulators
  • Demonstrate accountability with clear records of stakeholder review and approval

Rather than treating CCPA risk assessments as a one‑off compliance task, DataGrail enables teams to operationalize them and embed them into an ongoing privacy governance program.

Key takeaways for privacy teams

  • CCPA risk assessments are about demonstrating thoughtful decision‑making, not just compliance paperwork
  • You likely already have much of what you need if you conduct PIAs or DPIAs today
  • The critical step is aligning existing processes to California‑specific requirements and documenting your conclusions
  • DataGrail makes it easy to operationalize risk assessment compliance at any scale

With the right structure and tooling, CCPA risk assessments can become a natural extension of how privacy teams already evaluate and manage risk, rather than a brand‑new burden.

Further recommended reading

Analyzing the CCPA’s New Risk Assessment Requirement (Troutman Pepper Locke)

Now it’s personal: How the new CCPA regulations impose personal accountability on designated individuals (IAPP)

The Delete Act and DROP: What You Need to Know
