The California Privacy Protection Agency (“CPPA”) has published revised draft regulations detailing what it proposes to require of businesses under the California Consumer Privacy Act (“CCPA”) to assess, mitigate and document risk before engaging in specified types of processing of California residents’ personal information, and on March 8th it is set to vote on advancing them to the public comment stage of rulemaking.

While California has technically required such assessments since January 1, 2023 (as have other states), the CCPA left the details to the CPPA to develop and specify in regulations. The regulatory proposal includes requirements for presentation of assessment findings to the Board of Directors, certification by the CEO and filing of abridged assessments with the CPPA. Colorado has already issued regulations on its assessment requirements, which are robust but somewhat less burdensome than what California is considering. In an article in Financier Worldwide, PrivacyWorld’s Alan Friel outlines the high-water mark that would satisfy the requirements of U.S. states that currently, or will soon, require data practice risk assessments, including the California proposals.

PrivacyWorld will keep you informed on the California rulemaking, and a webinar on how to operationalize data practice risk assessments on popular privacy management software platforms is coming in mid-March.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only and is not intended to constitute or be relied upon as legal advice.