California Consumer Privacy Act: Conducting Risk Assessments - FTI Consulting
The California Consumer Privacy Act (CCPA) now requires businesses to conduct risk assessments for data processing activities that present significant privacy risks, such as using sensitive data or automated decision-making technology (ADMT). This update from FTI Consulting outlines the need for compliance, affecting businesses that collect or process consumer data in California.
Aforeworn detected this change in the US State Data-Privacy Laws space on July 6, 2026 and published this briefing so affected operators are forewarned rather than caught off guard. It is rated High urgency. Multistate retailers, adtech/data brokers, SaaS platforms, and privacy consultants operating in California or handling California residents' data. should confirm how it applies to their specific situation before acting. There is a time constraint attached: Risk assessments must be completed and available for review by the California Privacy Protection Agency (CPPA) upon request. No specific deadline, but enforcement is active; immediate action recommended.. Acting after that point can mean penalties, a lapsed licence, or lost eligibility — exactly the kind of surprise Aforeworn exists to prevent. Aforeworn monitors US State Data-Privacy Laws continuously and turns every detected change into a plain-English briefing like this one, so you always know first. Forewarned is forearmed.
What changed
The CCPA now mandates formal risk assessments for processing activities involving sensitive data, ADMT, or large-scale consumer profiling. Previously, risk assessments were recommended but not explicitly required.
Who it affects
Multistate retailers, adtech/data brokers, SaaS platforms, and privacy consultants operating in California or handling California residents' data.
What you must do
Conduct and document risk assessments for all high-risk data processing activities, including those using sensitive personal information or automated decision-making.
Deadline
Risk assessments must be completed and available for review by the California Privacy Protection Agency (CPPA) upon request. No specific deadline, but enforcement is active; immediate action recommended.
Never miss a change like this again
Aforeworn watches US State Data-Privacy Laws around the clock and alerts you the moment a rule moves — with a plain-English brief on what to do.
Start your free trialRelated changes in US State Data-Privacy Laws
- Social Media Privacy Laws Take Effect Tuesday: Teen Ad Ban and Portability Rights - Tech Times
- Vermont Data Privacy Bill Signed into Law - Inside Privacy
- Vermont becomes 23rd state to enact consumer privacy law - IAPP
- Vermont Becomes 23rd State with Comprehensive Consumer Privacy Law - Hunton Andrews Kurth LLP
- Louisiana Enacts Comprehensive Consumer Privacy Law - Hunton Andrews Kurth LLP