ASAP
California Risk Assessments: Seven Steps for Employers
At a Glance
- Many employers may need to start now on conducting the new risk assessments required by the California Consumer Privacy Act
- These risk assessments will require substantial fact-gathering, time, and involvement from employees across the company
- The following article provides seven key steps for completing the risk assessments within the deadlines
Effective January 1, 2026, the California Consumer Privacy Act (CCPA) requires certain employers to complete detailed, documented risk assessments before engaging in many routine data processing practices. Because the assessments must be finalized before Covered Processing begins—and because they must include the date of approval and the names of reviewers—employers cannot wait to “backfill” assessments later. The California attorney general and California privacy agency (“CalPrivacy”) may also request copies at any time.
Since 2023, for-profit employers with more than $25 million[1] in annual gross revenues that do business in California (“Covered Employers”) have been required to implement comprehensive privacy programs to protect the personal information of job applicants, employees, or independent contractors who reside in California (collectively, “HR Data”).[2] The 2026 regulations layer on a new requirement: detailed risk assessments. Organizations familiar with the data protection impact assessments required under other countries’ laws will find some aspects familiar. For many U.S. employers, however, the level of detail will be new and demanding. The following seven steps can help employers prepare.
1. Determine Whether the Risk Assessment Requirement Applies
Employers should begin by identifying whether their activities fall within one of the CCPA’s six categories of data processing subject to the risk assessment requirement (“Covered Processing”). Three of these are common in the workplace: use of automated decision-making technology (ADMT) in employment decisions; automated processing that infers aptitude, performance, behavior, or movements; and processing of sensitive personal information outside a narrow set of exemptions. Because the exemptions for sensitive personal information are limited, risk assessments will likely be required for frequent activities such as DEI-related use of demographic data, biometric authentication, GPS tracking of fleet drivers, or reviewing personal account messages during a security investigation.
Other categories may apply less frequently but still require careful attention. For example, “selling” or “sharing” personal information—terms California authorities have interpreted broadly—may be triggered by ordinary website tracking technologies on careers webpages or employee mobile apps. The use of personal information to train automated technologies may also qualify, as can inferring characteristics from an individual’s presence in a sensitive location such as a union office, place of worship, school, or healthcare facility.
Finally, the CCPA excludes some categories of information from its definition of “personal information,” and those categories are therefore outside the risk assessment requirement. They include, among others, most health information and background check information. Employers should therefore assess not only whether a type of processing is covered, but also whether the data itself falls within the risk assessment requirement.
To decide whether risk assessments are required, Covered Employers should consider inventorying current and planned uses of sensitive personal information, location information, automated technologies that evaluate HR Data, the training of AI or automated decision-making technologies, and website tracking technologies, and then evaluating whether the risk assessment requirement applies to each use. Perhaps as important, employers should consider whether they can modify a practice so that it falls outside the requirement. For example, the risk assessment requirement does not apply to the use of automated technologies for employment decisions if the employer includes substantial human review in the process. Employers may wish to weigh the cost of forgoing Covered Processing against the cost of conducting a risk assessment.
2. Assess Whether Work Can Be Reused or Combined
Once the scope of required assessments is clear, Covered Employers should evaluate whether they can reuse or consolidate existing analyses. Doing so can substantially reduce the work involved.
The regulations allow companies to combine risk assessments for “comparable” processing activities, for example, implementing biometric authentication at two different offices.[3] In addition, to the extent a risk assessment previously conducted for the same Covered Processing already contains the information the CCPA requires, the company may rely on it to satisfy the CCPA requirement, at least in part. For example, a data protection impact assessment conducted to comply with the European Union’s General Data Protection Regulation would cover much of the same information as a CCPA risk assessment.
3. Assemble the Team
Covered Employers must then determine who will conduct each assessment. Because the regulations require participation from employees whose job duties relate to the processing, each assessment may involve different stakeholders. Specifically, the “employees whose job duties include participating in the processing of personal information that would be subject to a risk assessment must be included in the business’s risk assessment process for that processing activity.”[4]
In addition, the company should determine who will review and approve the risk assessment. The regulations require that the company record the name and position of the individuals who review and approve the risk assessment as part of its documentation. At least one person who reviews and approves the risk assessment must have “the authority to participate in deciding” whether the business will initiate the Covered Processing.[5] Employers must also designate the executive who will later attest—under penalty of perjury—to the accuracy of the summary information submitted to CalPrivacy beginning April 1, 2028.
To ensure that all these individuals can comfortably add their names to the risk assessment, companies should consider including them in the risk assessment process, providing transparent information about that process, and giving them opportunities to ask and receive answers to their questions.
4. Create a Plan of Action and Milestones
At this stage, Covered Employers should consider timing and sequencing. For Covered Processing that has not yet been initiated, the risk assessment must be completed before the processing starts, which may add significant lead time to a project. For ongoing Covered Processing that began before January 1, 2026, the company must complete the risk assessment by December 31, 2027. If the company must conduct multiple risk assessments, especially with the same team, a sequencing plan with project milestones can help.
5. Conduct the Risk Assessment
Once the team is assembled, the Covered Processing activity and deadlines have been identified, and any prior assessments are gathered, the next step is to conduct the risk assessment itself. Under the regulations, Covered Employers must evaluate whether the risks to employee privacy outweigh the benefits of processing their personal information.
The CCPA regulations prescribe the topics the risk assessment must address. At a high level, the assessment must include:
- The business purpose for processing: The assessment must clearly and specifically explain the employer’s purpose for processing employee personal information. Generic descriptions are not permitted. For example, stating that fleet GPS information is used “to improve HR operations” is likely insufficient. Instead, the Covered Employer should describe the specific operational objective advanced by the processing, such as optimizing delivery routes, improving emergency response times for driver safety, or enhancing asset protection.
- Categories of personal information and sensitive personal information: The assessment must identify the categories of personal and sensitive personal information to be processed. Reinforcing the CCPA’s data minimization requirements, this must also include the minimum personal information necessary to achieve the purpose of processing.
- Operational elements: The assessment must address specific operational elements including, for example, the anticipated method for collecting, using, disclosing, and retaining the personal information; the approximate number of employees whose personal information will be processed; and the disclosures the employer has made or plans to make regarding the processing of personal information.
- Benefits: The assessment must clearly identify the benefits of processing to the Covered Employer, the employees, other stakeholders, and the public, as applicable. As with the business purpose disclosure, benefits must be described with specificity and not in generic terms.
- Negative impacts: The assessment must explain the negative impacts to individuals’ privacy, including the sources and causes of such impact. For example, GPS tracking may create concerns about inadvertent collection of off-duty information. Documenting these potential impacts is essential to the risk-benefit analysis.
- Safeguards: The assessment must identify any safeguards the Covered Employer plans to implement to address the negative impacts identified, such as encryption and access controls.
After evaluating these factors, the assessment must conclude whether the Covered Employer will proceed with the processing. The report must also identify the individuals who contributed information for the assessment, except that legal counsel providing legal advice may be excluded.
Although Covered Employers generally need only submit a summary attestation of the risk assessment to CalPrivacy, they should thoroughly document each assessment in case the agency or the attorney general opens an inquiry and requests the full report.
6. Submit Risk Assessment Summaries
Although not due immediately, Covered Employers should start preparing their risk assessment summaries for submission to CalPrivacy. Starting April 1, 2028, Covered Employers must submit specific information regarding their risk assessments, including required attestation language under penalty of perjury. Specifically, the submission must identify: (i) the business name and point of contact; (ii) the time period covered by the submission; (iii) the number of risk assessments conducted or updated during that period; and (iv) whether the risk assessments conducted or updated involve the processing of each of the categories of personal information and sensitive personal information identified in the CCPA. As noted above, a company executive must attest to the accuracy of this information.
7. Update the Risk Assessments and Retain Documentation
Risk assessments are not one-time obligations. Covered Employers must review each assessment at least once every three years and update it when there is a material change in the Covered Processing. A “material change” is one that creates new negative impacts, increases the magnitude or likelihood of previously identified impacts, or diminishes the effectiveness of the identified safeguards.[6] If an update is warranted, the employer must complete it as soon as possible and no later than 45 calendar days after the material change.
Risk assessments, including original and updated versions, must be retained for the duration of the processing or for five years after the completion of the risk assessment, whichever is later.
For resources and more information about the CCPA, please see our webpage www.littler.com/ccpa.