On May 1, 2025, the California Privacy Protection Agency (CPPA) issued revised California Consumer Privacy Act (CCPA) Regulations, focusing on privacy impact assessments (risk assessments), cybersecurity audits, and automated decision-making (May 2025 Proposed Regulations).
In our previous articles, we emphasized the necessity of initiating planning and budgeting by Q3 2025 to address the substantial, long-term compliance requirements of the May 2025 Proposed Regulations. Additionally, we provided an in-depth exploration of Article 9, “Cybersecurity Audits,” contained within these regulations.
This article aims to thoroughly explore the compliance requirements of Article 10 of the May 2025 Proposed Regulations titled “Risk Assessments.”
Article 10: Risk Assessments
Under this Article, organizations must conduct risk assessments for processing activities that include:
- Selling or sharing personal information
- Processing sensitive personal information
- Using automated decision-making technology for significant decisions
- Profiling
- Using personal information to train automated decision-making technology
Section 7152 in Article 10 outlines the requirements for the risk assessments, which are generally consistent with the requirements in privacy impact assessments prepared under the European Union’s General Data Protection Regulation (GDPR) and other similar privacy regulations. Below, we have outlined aspects of the risk assessments that will likely be new to organizations and may present compliance challenges, necessitating a long lead time to address.
- Retention period by category of personal information – Risk assessments will require documentation of the retention period for each category of personal information, specifically, “How long the business plans to retain each category of personal information, or if unknown, the criteria the business plans to use to determine that retention period.”[1]
- Stakeholders involved – “Identify and document in a risk assessment report the date the assessment was reviewed and approved, and the names and positions of the individuals who reviewed or approved the assessment, except for legal counsel who provided legal advice.”[2]
- Updates to risk assessments – “At least once every three years, a business must review, and update as necessary, its risk assessments to ensure that they remain accurate in accordance with the requirements of this Article.”[3] When a material change is introduced to a processing activity, the risk assessment must be updated no later than 45 days from the date of the material change. The regulations provide several examples of material changes; of note, a change to the purpose of processing, or to the minimum personal information necessary to achieve that purpose, would be considered a material change.[4]
- Written certifications – In these latest modifications, the requirement to proactively submit the risk assessment was removed from both the full and abridged form. The proposed regulations cite the requirement that the CPPA or the attorney general can request the risk assessments at any time. That being said, the following information will still need to be submitted to the CPPA through its website:
  - The number of risk assessments conducted or updated by the business during the covered time period.
  - The categories of personal information included in the risk assessments.
  - A written certification stating “I attest that the business has conducted a risk assessment for the processing activities set forth in section 7150, subsection (b), during the time period covered by this submission, and that I meet the requirements of section 7157, subsection (c). Under penalty of perjury under the laws of the state of California, I hereby declare that the risk assessment information submitted is true and correct.”[5]
- Timing – Various privacy laws already impose risk assessment and/or privacy impact assessment requirements. Specifically, the May 2025 Proposed Regulations require the information above to be submitted to the CPPA by April 1, 2028, for risk assessments conducted in 2026 and 2027, and annually each year thereafter.
In our next article in this series, we will focus on the requirements in Article 11 of the May 2025 Proposed Regulations titled “Automated Decisionmaking Technology.”
Ankura’s data privacy team has extensive experience assisting organizations with GDPR, CCPA, CPRA, and other privacy regulations, and we see the May 2025 Proposed Regulations as a significant update requiring robust privacy program enhancements. For additional information and customized planning support, please contact Ankura’s data privacy team.
Notes:
[1] CA Privacy Protection Agency – Proposed 15 Day Changes to Text of Regulations (CCPA Updates, Cyber, Risk ADMT, and Insurance Regulations) 5.1.2025. Page 88.
[2] CA Privacy Protection Agency – Proposed 15 Day Changes to Text of Regulations (CCPA Updates, Cyber, Risk ADMT, and Insurance Regulations) 5.1.2025. Page 92.
[3] CA Privacy Protection Agency – Proposed 15 Day Changes to Text of Regulations (CCPA Updates, Cyber, Risk ADMT, and Insurance Regulations) 5.1.2025. Page 92.
[4] CA Privacy Protection Agency – Proposed 15 Day Changes to Text of Regulations (CCPA Updates, Cyber, Risk ADMT, and Insurance Regulations) 5.1.2025. Page 94.
[5] CA Privacy Protection Agency – Proposed 15 Day Changes to Text of Regulations (CCPA Updates, Cyber, Risk ADMT, and Insurance Regulations) 5.1.2025. Page 96.
© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.