Risk assessment
What is a risk assessment?
A risk assessment is a documented evaluation required by the California Privacy Protection Agency (CPPA) for processing activities that may create higher privacy or security risks. Businesses must complete these assessments when engaging in practices such as automated decision-making, behavioral profiling, sensitive data processing, or large-scale operations involving personal information. The assessment explains the purpose of the activity, the categories of data involved, the potential impact on individuals, the safeguards used to reduce those impacts, and alternative approaches that were considered during planning.
Why does a risk assessment matter?
These assessments help organizations understand the implications of their data practices before launching activities that may meaningfully affect consumers. They support stronger internal governance by documenting how privacy risks are evaluated and managed. Regulatory authorities may request copies of a business’s assessments, making it important to maintain accurate records that demonstrate thoughtful review, responsible data handling, and effective risk mitigation.
FAQs about risk assessments
When is a risk assessment required?
A risk assessment is required when processing activities fall into high-risk categories, including profiling, automated decisions that influence eligibility or access, large-scale processing of sensitive personal information, or practices that may affect individuals’ opportunities or rights.
What does a complete risk assessment include?
A complete assessment outlines the purpose of the activity, expected benefits, potential harms, safeguards, data minimization measures, alternative approaches, retention details, and any internal processes used to evaluate or reduce risk.
Can regulators request a copy of a risk assessment?
Yes. Businesses must provide completed assessments if requested during an inquiry or review.
When should a risk assessment be updated?
Assessments should be updated when data practices change, new datasets are added, safeguards evolve, or when processing activities expand in purpose or scale.
Should a risk assessment cover third-party processors?
Yes. Businesses should consider risks introduced by third-party processors, including how those vendors store, analyze, or share data.
What are examples of high-risk processing activities?
Examples include automated eligibility evaluations, processing of sensitive personal information, predictive behavioral models, automated security decisions, and extensive profiling.
Are small businesses exempt from risk assessments?
No. If a business’s processing meets high-risk criteria, an assessment may still be required regardless of company size.