On 28 March 2025, the California Privacy Protection Agency (CPPA) published updated draft regulations on risk assessments before its Board meeting. These were based on proposals released for public comment by 14 January 2025. While the draft does not introduce a new definition of "risk assessment", it adds further interpretive context regarding sensitive personal information. This includes a new clause that explicitly identifies "neural data" as a protected subcategory. The revisions also expand the scope of the definition of profiling based on physical and biological characteristics, clarifying that such processing is exempt from risk assessment obligations only when it cannot reasonably be linked to a specific individual. Furthermore, the revised draft removes a provision that would have required businesses to use automated decision-making or artificial intelligence to assess and document how they ensure the quality of personal information, including its accuracy, relevance, and reliability. Finally, the revised draft sets a deadline of no later than 1 January 2028 for businesses to complete and document a risk assessment for any ongoing processing activities initiated before the effective date of the regulations.