High urgency

California Consumer Privacy Act: Conducting Risk Assessments - FTI Consulting

Detected July 6, 2026 · in US State Data-Privacy Laws

The California Consumer Privacy Act (CCPA) now requires businesses to conduct risk assessments for data processing activities that present significant privacy risks, such as using sensitive data or automated decision-making technology (ADMT). This update from FTI Consulting outlines the need for compliance, affecting businesses that collect or process consumer data in California.

Aforeworn detected this change in the US State Data-Privacy Laws space on July 6, 2026 and published this briefing so affected operators are forewarned rather than caught off guard. It is rated High urgency. Multistate retailers, adtech/data brokers, SaaS platforms, and privacy consultants operating in California or handling California residents' data. should confirm how it applies to their specific situation before acting. There is a time constraint attached: Risk assessments must be completed and available for review by the California Privacy Protection Agency (CPPA) upon request. No specific deadline, but enforcement is active; immediate action recommended.. Acting after that point can mean penalties, a lapsed licence, or lost eligibility — exactly the kind of surprise Aforeworn exists to prevent. Aforeworn monitors US State Data-Privacy Laws continuously and turns every detected change into a plain-English briefing like this one, so you always know first. Forewarned is forearmed.

What changed

The CCPA now mandates formal risk assessments for processing activities involving sensitive data, ADMT, or large-scale consumer profiling. Previously, risk assessments were recommended but not explicitly required.

Who it affects

Multistate retailers, adtech/data brokers, SaaS platforms, and privacy consultants operating in California or handling California residents' data.

What you must do

Conduct and document risk assessments for all high-risk data processing activities, including those using sensitive personal information or automated decision-making.

Deadline

Risk assessments must be completed and available for review by the California Privacy Protection Agency (CPPA) upon request. No specific deadline, but enforcement is active; immediate action recommended.

Source: https://news.google.com/rss/articles/CBMiqwFBVV95cUxQU2FPMGZobnNHb1RBTlYyZXBVYlQzVWpZRWpDVFU2bWJsQjQ1OGY2WXRyQ2huV0tfSnNJNWNFVXVERDY2cWFvSlFrUXZ4OElaU1FZS243WkgzT0g1TU01bkxIQTRUTV9RNU9nZlVFYkp6V0NTOWdETEYxRG1tc2lUQTFBNzhneU52eF90ejcyOVRJT3NzQTZLZlNJdElZam5CZk1ZeDlNNWthWkE?oc=5

Never miss a change like this again

Aforeworn watches US State Data-Privacy Laws around the clock and alerts you the moment a rule moves — with a plain-English brief on what to do.

Start your free trial

Related changes in US State Data-Privacy Laws