United States of America: Privacy Protection Agency's Risk Assessment Regulations
Progress
Scope
Timeline of events
California Consumer Privacy Act risk assessment regulations's deadline takes effect
On 1 April 2028, businesses subject to the risk assessment provisions of the California Consumer Privacy Act (CCPA) regulations must submit to the California Privacy Protection Agency (CPPA) an attestation confirming that they have completed all req…
SourceCalifornia Consumer Privacy Act risk assessment regulations enter into force
On 1 January 2026, the risk assessment provisions of the California Consumer Privacy Act (CCPA) regulations enter into force. From this date, businesses subject to these obligations must establish and maintain procedures to conduct risk assessments …
SourceOffice of Administrative Law adopted regulations under California Consumer Privacy Act including risk assessment regulations
On 23 September 2025, the California Office of Administrative Law approved the final regulations under the California Consumer Privacy Act (CCPA), including requirements on risk assessments. Businesses subject to the risk assessment obligations must…
SourceCalifornia Privacy Protection Agency published second updated draft amendments to CCPA regulations including proposed risk assessment regulations
On 9 May 2025, the California Privacy Protection Agency (CPPA) published the Modified Text of Proposed Regulations under the California Consumer Privacy Act (CCPA), requiring businesses to conduct and document risk assessments before initiating spec…
SourceCalifornia Privacy Protection Agency published updated draft amendments to CCPA regulations including proposed risk assessment regulations
On 28 March 2025, the California Privacy Protection Agency (CPPA) published updated draft regulations on risk assessments before its Board meeting. These were based on proposals released for public comment by 14 January 2025. While the draft does no…
SourceClosed consultation on CPPA proposed risk assessment regulations
On 14 January 2025, the California Privacy Protection Agency (CPPA) closes the public consultation on proposed regulations on California Consumer Privacy Act (CCPA) updates, cybersecurity audits, risk assessments, automated decision-making technolog…
SourceOpened consultation on CPPA proposed risk assessment regulations
On 22 November 2024, the California Privacy Protection Agency (CPPA) opened the public consultation on proposed regulations on California Consumer Privacy Act (CCPA) updates, cybersecurity audits, risk assessments, automated decision-making technolo…
SourcePublished Revised Draft Risk Assessment Regulations
On 23 February 2024, the California Privacy Protection Agency (CPPA) published a Revised Draft of the Risk Assessment Regulations. According to the Revised Draft, every business that processes personal information of consumers must conduct a risk as…
SourcePublished draft Risk Assessment Regulations
On 28 August 2023, the California Privacy Protection Agency (CPPA) released materials ahead of its 8 September 2023 board meeting, including draft Risk Assessment Regulations. The CPPA clarified that formal rulemaking processes for cybersecurity aud…
Source