(a) A business must conduct a risk assessment to determine whether the risks to consumers' privacy from the processing of personal information outweigh the benefits to the consumer, the business, other stakeholders, and the public from that same processing. The risk assessment must:
- (1) Identify and document in a risk assessment report the business's purpose for processing consumers' personal information. The purpose must not be identified or described in generic terms, such as “to improve our services” or for “security purposes.” By contrast, if a business is “improving the service” by decreasing consumers' wait times when processing their privacy rights requests, the business may identify this decrease of wait times to process privacy rights requests as the relevant purpose.
- (2) Identify and document in a risk assessment report the categories of personal information to be processed, including any categories of sensitive personal information. This must include the minimum personal information that is necessary to achieve the purpose of processing consumers' personal information.
(3) Identify and document in a risk assessment report the following operational elements of the processing:
- (A) The business's planned method for collecting, using, disclosing, retaining, or otherwise processing personal information, and the sources of the personal information.
- (B) How long the business plans to retain each category of personal information, or if unknown, the criteria the business plans to use to determine that retention period.
- (C) The business's method of interacting with the consumers whose personal information the business plans to process (e.g., via websites, applications, or offline) and the purpose of the interaction (e.g., to provide a good or service).
- (D) The approximate number of consumers whose personal information the business plans to process.
- (E) What disclosures the business has made or plans to make to the consumer about the processing of their personal information and how these disclosures were or will be made (e.g., via a just-in-time notice).
- (F) The names or categories of the service providers, contractors, or third parties to whom the business discloses or makes available the consumers' personal information for the processing; and the purpose for which the business discloses or makes the consumers' personal information available to them.
(G) For the uses of ADMT set forth in section 7150, subsections (b)(3), the business must identify:
- (i) The logic of the ADMT, including any assumptions or limitations of the logic; and
- (ii) The output of the ADMT, and how the business will use the output to make a significant decision.
- (4) Identify the benefits to the business, the consumer, other stakeholders, and the public from the processing of the personal information, as applicable. The benefits must not be identified in generic terms, such as “improving our service.” By contrast, if a benefit of a processing activity is to reduce the response time to a consumer's right to know request, a business may identify the relevant benefit as enabling consumers to receive the personal information they requested on a quicker timeline.
(5) Identify the negative impacts to consumers' privacy associated with the processing. The business must identify the sources and causes of these negative impacts.
- (A) Unauthorized access, destruction, use, modification, or disclosure of personal information; and unauthorized activity resulting in the loss of availability of personal information.
- (B) Discrimination upon the basis of protected characteristics that would violate federal or state law.
- (C) Impairing consumers' control over their personal information, such as by providing insufficient information for consumers to make an informed decision regarding the processing of their personal information, or by interfering with consumers' ability to make choices consistent with their reasonable expectations.
- (D) Coercing or compelling consumers into allowing the processing of their personal information, such as by conditioning consumers' acquisition or use of an online service upon their disclosure of personal information that is unnecessary to the expected functionality of the service, or requiring consumers to consent to processing when such consent cannot be freely given (e.g., because it was obtained through the use of a dark pattern).
- (E) Economic harms, including limiting or depriving consumers of economic opportunities, charging consumers higher prices, or compensating consumers at lower rates based upon profiling; or imposing additional costs upon consumers, including costs associated with the unauthorized access to consumers' personal information.
- (F) Physical harms to consumers or to property, including processing that creates the opportunity for physical or sexual violence.
- (G) Reputational harms, including stigmatization, that could negatively impact an average consumer, such as stigmatization of a consumer as a result of a mobile dating application's disclosure of the consumer's sexual or other preferences in a partner outside of the dating application.
- (H) Psychological harms, including emotional distress, stress, anxiety, embarrassment, fear, frustration, shame, and feelings of violation, that could negatively impact an average consumer. Examples of such harms include emotional distress resulting from disclosure of nonconsensual intimate imagery or disclosure of a consumer's purchase of pregnancy tests or emergency contraception for non-medical purposes.
For example, negative impacts to consumers' privacy that a business may consider include the following:
(6) Identify and document in a risk assessment report any safeguards that the business plans to implement for the processing, such as safeguards to address the negative impacts identified in subsection (a)(5).
(A) For example, safeguards that a business may consider include the following:
- (i) Encryption, segmentation of information systems, physical and logical access controls, change management, network monitoring and defenses, and data and integrity monitoring;
- (ii) Use of privacy-enhancing technologies, such as trusted execution environments, federated learning, homomorphic encryption, and differential privacy;
- (iii) Consulting external parties, such as those described in section 7151, subsection (b), to ensure that the business maintains current knowledge of emergent privacy risks and countermeasures; and using that knowledge to identify, assess, and mitigate risks to consumers' privacy; and
- (iv) Implementing policies, procedures, and training to ensure that the business's ADMT works for the business's purpose and does not unlawfully discriminate based upon protected characteristics.
- (7) Identify and document in a risk assessment report whether it will initiate the processing subject to the risk assessment.
- (8) Identify and document in a risk assessment report the individuals who provided the information for the risk assessment, except for legal counsel who provided legal advice.
- (9) Identify and document in a risk assessment report the date the assessment was reviewed and approved, and the names and positions of the individuals who reviewed or approved the assessment, except for legal counsel who provided legal advice. An individual who has the authority to participate in deciding whether the business will initiate the processing that is the subject of the risk assessment must review and approve the assessment.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Section 1798.185, Civil Code.
History
1. New section filed 9-22-2025; operative 1-1-2026 (Register 2025, No. 39).