(a) Timing of Risk Assessment Submissions.
- (1) For risk assessments conducted in 2026 and 2027, the business must submit to the Agency the information required by subsection (b) no later than April 1, 2028.
- (2) For risk assessments conducted after 2027, the business must submit to the Agency the information required by subsection (b) no later than April 1 following any year during which the business conducted the risk assessments. For example, for risk assessments conducted in 2028, the business must submit to the Agency the information required by subsection (b) no later than April 1, 2029.
(b) A business must submit to the Agency the following risk assessment information:
- (1) The business's name and a point of contact for the business, including the contact's name, phone number, and email address.
- (2) The time period covered by the submission, by month and year.
- (3) The number of risk assessments conducted or updated by the business during the time period covered by the submission, in total and for each of the processing activities identified in section 7150, subsection (b).
- (4) Whether the risk assessments conducted or updated by the business during the time period covered by the submission involved the processing of each of the categories of personal information and sensitive personal information identified in Civil Code section 1798.140, subdivisions (v)(1)(A)-(L), (ae)(1)(A)-(G), and (ae)(2)(A)-(C).
- (5) Attestation to the following statement: “I attest that the business has conducted a risk assessment for the processing activities set forth in California Code of Regulations, Title 11, section 7150, subsection (b), during the time period covered by this submission, and that I meet the requirements of section 7157, subsection (c). Under penalty of perjury under the laws of the state of California, I hereby declare that the risk assessment information submitted is true and correct.”
- (6) The name and business title of the person submitting the risk assessment information, and the date of the certification.
(c) The individual submitting the information set forth in subsection (b) must be a member of the business's executive management team who:
- (1) Is directly responsible for the business's risk-assessment compliance;
- (2) Has sufficient knowledge of the business's risk assessment to provide accurate information; and
- (3) Has the authority to submit the risk assessment information to the Agency.
- (d) The risk assessment information must be submitted to the Agency via the Agency's website at https://cppa.ca.gov/.
- (e) The Agency or the Attorney General may require a business to submit its risk assessment reports to the Agency or to the Attorney General at any time. A business must submit its risk assessment reports within 30 calendar days of the Agency's or the Attorney General's request.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Section 1798.185, Civil Code.
History
1. New section filed 9-22-2025; operative 1-1-2026 (Register 2025, No. 39).