- (a) A business's employees whose job duties include participating in the processing of personal information that would be subject to a risk assessment must be included in the business's risk assessment process for that processing activity. For example, an individual who determines the method by which the business plans to collect consumers' personal information for one of the processing activities in section 7150, subsection (b), must provide that information to the individuals conducting the risk assessment.
- (b) In conducting the risk assessment, a business may include external parties in the process. For example, a business may utilize or gather information from service providers, contractors, experts in detecting and mitigating bias in ADMT, a subset of the consumers whose personal information the business plans to process, or stakeholders that represent consumers' or others' interests, including consumer advocacy organizations.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Section 1798.185, Civil Code.
History
1. New section filed 9-22-2025; operative 1-1-2026 (Register 2025, No. 39).