(a) A business may conduct a single risk assessment for a comparable set of processing activities. A “comparable set of processing activities” that can be addressed by a single risk assessment is a set of similar processing activities that present similar risks to consumers' privacy.
- (1) For example, Business E sells toys to children and is considering using in-store paper forms to collect names, mailing addresses, and birthdays from children that visit their stores, and to use that information to mail a coupon and list of age-appropriate toys to each child during the child's birth month and every November. Business E uses the same service providers and technology for each category of mailings across all stores. Business E must conduct a risk assessment, including documenting required information in its risk assessment report, because it is processing sensitive personal information. Business E may use a single risk assessment for processing the personal information for the birthday mailing and November mailing across all stores because in each case it is collecting the same personal information in the same way for the purpose of sending coupons and age-appropriate toy lists to children, and this processing presents similar risks to consumers' privacy.
(b) A business may utilize a risk assessment that it has prepared for another purpose to meet the requirements in section 7152, provided that the risk assessment contains the information that must be included in, or is paired with the outstanding information necessary for, compliance with section 7152.
- (1) For example, Business F plans to sell consumers' personal information. Business F conducts a risk assessment for that processing activity using a data protection assessment that is compliant with another state law. That state law requires the information that must be in section 7152, but does not explicitly require some of the information in subsections (a)(2)-(3), (7), or require the name and position of the individual who has the authority to participate in deciding whether the business will initiate the processing that is subject to the risk assessment. Business F must also include this information in its risk assessment to meet the requirements in section 7152.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Section 1798.185, Civil Code.
History
1. New section filed 9-22-2025; operative 1-1-2026 (Register 2025, No. 39).