2 the Point Video
What do employers need to know about risk assessments under the California Consumer Privacy Act?
Does your company track the GPS location of fleet drivers, use AI to assist with employment decisions, or analyze racial data as part of an equity program?
If so, or if your company conducts a broad range of other forms of data processing in California, your company may need to conduct a detailed, documented risk assessment to comply with the California Consumer Privacy Act, or CCPA.
Since 2023, the CCPA has required most for-profit employers in California to implement a comprehensive privacy program to protect HR data. Effective January 1, 2026, the CCPA regulations added a new requirement: covered employers must complete risk assessments for many routine data processing practices.
Against that backdrop, covered employers might consider taking these seven steps to prepare.
First, determine whether any uses of California HR data fall within one of the CCPA’s six processing categories subject to a risk assessment.
Second, evaluate whether risk assessments can be reused or combined to reduce duplicative work. For example, risk assessments conducted to comply with the European Union’s GDPR might be used with a few tweaks to cover the CCPA’s requirement.
Third, identify who will conduct each assessment and who will review and approve it. The regulations contain rules concerning both.
Fourth, create a plan of action and a timeline. For activities beginning after January 1, 2026, the risk assessment must be completed before the activity begins. For ongoing processing that started before 2026, risk assessments must be completed by December 31, 2027.
Fifth, conduct the risk assessment itself, which must address at least six enumerated topics. Those topics include:
- The business purpose for conducting the activity;
- The categories of personal information involved;
- Operational elements, for example, how the information will be collected and to whom it will be disclosed;
- The benefits of the processing;
- Potential negative impacts to individuals; and
- Any safeguards the company plans to implement to address those impacts.
In evaluating these factors, the assessment must determine whether the risks to employee privacy outweigh the benefits of processing that personal information.
Because California's privacy agency or the state Attorney General may request the full assessment as part of an inquiry, employers are well served by documenting their assessments thoroughly.
Sixth, prepare a summary of the risk assessment to provide to California’s privacy agency beginning April 1, 2028.
Seventh, and finally, plan to update risk assessments and retain documentation in accordance with the CCPA’s requirements.
Because risk assessments are fact specific and can raise complex compliance issues, employers may want to consider working with experienced counsel as they evaluate their obligations under the CCPA.