On 9 May 2025, the California Privacy Protection Agency (CPPA) published the Modified Text of Proposed Regulations under the California Consumer Privacy Act (CCPA), requiring businesses to conduct and document risk assessments before initiating specified processing activities, including processing sensitive personal information, profiling, systematic observation of publicly accessible places, and processing for the training of automated decision-making technology (ADMT). The regulations require that employees whose job duties involve the processing activity be included in the risk assessment process, with the possibility of involving external parties such as service providers, experts, consumer groups, or affected individuals. Businesses must evaluate whether risks to consumers’ privacy outweigh the benefits to consumers, businesses, stakeholders, and the public, documenting the purpose, necessity, potential negative impacts, safeguards, mitigation measures, and the decision-making authority. Additional obligations apply where personal information is used to train ADMT, including requirements to document datasets, training methods, testing procedures, and measures to mitigate bias. Risk assessments must be completed before processing begins, reviewed at least every three years, and updated within 45 days of material changes, with retention during the processing or five years thereafter. Businesses must also submit their assessments to the CPPA, with the first submission due by 1 April 2028 and subsequent annual submissions by 1 April each year.