Cookies, “Significant Risk,” and 2026 CCPA Assessments

March 20, 2026
Is a risk assessment on your 2026 roadmap? If your website uses cookies to serve behavioral or cross-context advertising, it may need to be. As many who deal with California’s privacy law are aware, in several situations using the vendors needed to serve behavioral advertising cookies can be viewed as “selling” personal information to those entities. And if a business sells personal information in a manner that presents significant risk to consumers, CCPA regulations require written privacy risk assessments. These assessments are also required when engaging in other activities that are viewed as posing a “significant risk” to covered individuals’ privacy. Those include processing sensitive information (and information of children under 16 is sensitive where the business has actual knowledge of the consumer’s age). Also included is the use of automated decision-making technology or profiling to make high-risk decisions about people.

For companies that may be subject to the requirements, there are some key issues to keep in mind for this year. These obligations were outlined in the final regulations, which did not come out until September 2025:

  • Existing activities (i.e., that started before January 1, 2026): a risk assessment must be completed for each such activity by December 31, 2027. From a practical perspective, this will mean identifying in-scope activities and putting them into a queue to have a risk assessment completed.
  • New practices (i.e., that started after January 1, 2026): do an assessment before the processing starts. This will mean, for companies subject to these requirements, putting in place a risk assessment workflow. Many may already have one in place, of course.
  • Assessment process: under the regulations, the people at the company who will be involved with the question in practice must be part of the assessment process. External parties may also need to be involved. The regulations point to several examples, such as experts who can help understand and identify ways to mitigate bias. The assessment will need to evaluate, with specificity, the reason for engaging in the activity. The company then needs to understand as part of the assessment process whether the privacy risks outweigh the benefits to consumers. Assessments will need to be kept for as long as the activity happens, and five years thereafter.
  • Assessment contents: the assessment needs to include some specific content. For example, how long information will be kept, what information will be processed, and how the business will interact with individuals. These are just some of the many content requirements. The list is similar to what many are already doing if they are conducting assessments to address other laws’ obligations (for example, GDPR). But there are some nuances.
  • Submissions: The assessments being conducted in 2026 and 2027 will need to be submitted to the California Privacy Protection Agency by April 1, 2028. Assessments conducted during each subsequent calendar year must be submitted by April 1 of the following year. A company executive will need to make the submission on behalf of their company. 
  • Don’t set and forget: Assessments must be updated at least every three years, unless there has been a “material” change to the activity. If so, then the assessment needs to be updated within 45 days of the material change. 

Putting it into Practice: While the submission deadline for risk assessments may seem a long way off, it will come faster than we realize. And having a process in place to identify and assess in-scope activities can take time if there isn’t something already in place. Companies have until the end of 2027 to address currently covered practices. They may be broader than you realize. Thus, if this is not on your 2026 roadmap, it likely should be.

Tags: CCPA, California Privacy, US Privacy, Risk Assessments, Consumer Privacy

Disclaimer: This alert is provided for information purposes only and does not constitute legal advice and is not intended to form an attorney client relationship. Please contact your Sheppard attorney contact for additional information.