United States of America: Published Revised Draft Risk Assessment Regulations

On 23 February 2024, the California Privacy Protection Agency (CPPA) published a Revised Draft of the Risk Assessment Regulations. According to the Revised Draft, every business that processes personal information of consumers must conduct a risk assessment before processing said data. Businesses are obligated to conduct a risk assessment when they sell, share, or use automated decisionmaking technology for a significant decision or use personal information for training of their automated decisionmaking technology. The Revised Draft expands on a previous draft version, providing, among other things, more detailed examples. The Revised Draft is intended to inform public and board discussion and is therefore subject to further revision.