High-risk processing

What is high-risk processing?

High-risk processing refers to data activities that carry meaningful privacy or security risks. Under CPRA draft rules, this may include processing sensitive data, using automated decision-making for important outcomes, conducting large-scale profiling, or performing activities that may significantly affect a consumer’s rights, opportunities, or access to services. High-risk processing often requires additional documentation, safeguards, and risk assessments.

Why does high-risk processing matter?

By identifying high-risk activities, businesses can evaluate how their data practices affect consumers and implement stronger internal controls. High-risk evaluations encourage careful design, improved safeguards, and clarity around how data is used. CPRA draft regulations require organizations to determine whether a practice qualifies as high risk and to document the measures taken to reduce potential impact.

FAQs about high-risk processing

Activities that may significantly affect consumer rights or involve sensitive data, automated decisions, or large-scale profiling typically fall into high-risk categories.

Businesses evaluate the type of data involved, the scale of processing, potential impacts on individuals, safeguards in place, and the purpose of the processing.

Yes. If processing meets high-risk criteria, a business may need to complete and maintain a risk assessment under CPPA rules.

Yes. Any organization may perform high-risk processing, regardless of sector.

Access controls, minimized data collection, clear purpose limitation, internal review procedures, and regular testing of automated systems.

It increases the likelihood, but context matters. Some uses of sensitive data may have lower impact depending on purpose and safeguards.

Automated decisions with significant effects on individuals almost always fall into the high-risk category.

Yes. Notices, opt-out options, and explanations may be required.