ARTICLE
29 January 2026

PRIVACY PODCAST EPISODE TWO: A Practical Guide To Risk Assessments And Automated Decision-Making Requirements

Foley & Lardner

Foley & Lardner LLP looks beyond the law to focus on the constantly evolving demands facing our clients and their industries. With over 1,100 lawyers in 24 offices across the United States, Mexico, Europe and Asia, Foley approaches client service by first understanding our clients’ priorities, objectives and challenges. We work hard to understand our clients’ issues and forge long-term relationships with them to help achieve successful outcomes and solve their legal issues through practical business advice and cutting-edge legal insight. Our clients view us as trusted business advisors because we understand that great legal service is only valuable if it is relevant, practical and beneficial to their businesses.

Key Takeaways

  • New CCPA regulations effective January 1, 2026, introduce significant new obligations for businesses, including cybersecurity audits, risk assessments, and automated decision‑making technology (ADMT) requirements.
  • Cybersecurity audits apply only to organizations whose processing presents a "significant risk" to consumers and roll out on a phased schedule through 2030.
  • The regulations require detailed, evidence‑based audits — meaning businesses must prepare policies, logs, configurations, and documentation, not just attestations.
  • New risk assessments are required for certain processing of sensitive personal information, ADMT, biometric data, and data sharing or selling activities.
  • California's new framework raises the compliance bar and will require companies to invest early, document thoroughly, and engage experienced auditors to avoid bottlenecks.
  • Organizations should begin preparation now by reviewing data processing activities, identifying ADMT use, and assessing whether they will meet the newly defined thresholds.

Introduction

The California Consumer Privacy Act (CCPA) has evolved considerably since its original passage, and the latest wave of regulations — approved by the Office of Administrative Law on September 23, 2025, and effective January 1, 2026 — introduces some of the most sweeping changes to date. These updates reflect several years of engagement between the California Privacy Protection Agency (now rebranded as Cal Privacy) and a broad group of industry stakeholders.

In a recent Foley & Lardner LLP podcast, privacy leaders Steve Millendorf and Gabe Wild, both attorneys in the Technology Transactions, Cybersecurity, and Privacy Practice Group, walked through the regulations and their implications for businesses. Their discussion made one truth clear: these rules represent a significant operational uplift for many organizations, especially those processing large amounts of personal information or using automated decision‑making technologies.

Risk Assessment Requirements

While cybersecurity audits focus on system security, privacy risk assessments examine how businesses use personal information — and the risks associated with that use.

What Triggers a Risk Assessment?

A business must conduct a risk assessment if it engages in processing that presents a significant risk to consumer privacy, including:

  • Selling or sharing personal information
  • Processing sensitive personal information
  • Using ADMT in ways that affect consumers' rights or opportunities
  • Processing biometric or identity‑verification data
  • Training automated systems on personal information

Importantly, some practices — such as targeted advertising — are generally excluded unless elevated risk factors are involved.

Timelines and Retention

For existing processing activities, the first risk assessment is due by:

  • December 31, 2027

After that, risk assessments must be updated:

  • Every three years, or
  • Within 45 days of a material change in processing

All assessments must be retained for five years.

What Must the Risk Assessment Include?

The assessment must document in detail:

  • The business purpose for processing
  • Categories and sources of personal information
  • Methods of collection, use, retention, and disclosure
  • The logic and limitations of ADMT (if applicable)
  • Risks to consumers, including:
    • Bias or discrimination
    • Loss of control
    • Economic impacts
    • Psychological or reputational harm
  • The benefits to consumers and stakeholders
  • Safeguards to mitigate harms

After completing the analysis, the business must evaluate whether risks outweigh benefits and, if so, discontinue processing.

This requirement echoes elements of the GDPR's Data Protection Impact Assessments but is more explicitly tied to documented harm and mitigation.

Automated Decision‑Making Technology

The regulations introduce new transparency and risk assessment rules for ADMT — defined broadly to include:

  • Profiling
  • Predictive analytics
  • Machine learning models
  • AI tools influencing employment, credit, or other significant decisions
  • Technologies using biometric or physiological data for identification

Businesses must provide information about:

  • The logic used
  • The role of human involvement
  • How outcomes affect consumers
  • Rights to opt out (in certain contexts)

Given the rapid adoption of AI and machine learning, this will likely become a focal area for Cal Privacy in enforcement.

Preparing Now – What Businesses Should Do Immediately

Both attorneys emphasized that early preparation is key. Even if your first audit or risk assessment is years away, the period those audits and assessments will examine may already have begun.

Recommended next steps include:

1. Conduct a Readiness Assessment

Review existing cybersecurity measures, documentation, and data processing activities to identify:

  • Documentation gaps
  • Missing policies
  • Incomplete configurations
  • Outdated security tools
  • High‑risk processing activities

2. Start Building Documentation

If it isn't documented, it doesn't exist. Begin creating:

  • Policies
  • Procedures
  • Logs
  • Reports
  • Records of data flows

3. Identify External Partners Early

Auditors, AI explainability experts, and risk assessment consultants will be in high demand.

4. Analyze All ADMT Use Cases

Many organizations use machine learning models without realizing they fall under ADMT definitions.

5. Budget for Compliance

Cybersecurity audits and risk assessments will require:

  • Staff time
  • External auditor costs
  • Technology investments
  • Remediation of identified issues

6. Perform an Internal Dry Run

Simulate an audit or risk assessment to identify:

  • Unprepared teams
  • Missing knowledge
  • Gaps in system visibility

As the attorneys emphasized: you don't want the first person to discover a flaw to be your auditor — or a regulator.

What This Means for California Businesses

These regulations significantly expand California's privacy framework and bring it closer to GDPR‑style governance, especially with respect to:

  • Accountability
  • Documentation
  • Transparency
  • Risk balancing
  • Consumer rights

The common theme across the podcast discussion is that this is not a check‑the‑box exercise. These regulations require thoughtful planning, technical expertise, and cross‑functional collaboration.

Organizations should treat preparation as a multi‑year journey rather than a deadline‑driven scramble. Those who start early will be best positioned to navigate the new landscape.

Conclusion

The newly adopted CCPA regulations represent one of the most consequential expansions of privacy governance in the United States. For many companies, compliance will require substantial operational changes — especially for those using automated technologies or processing data at scale.

But preparation is achievable with early planning, disciplined documentation, and the right partners. By understanding the requirements now and taking proactive steps, businesses can reduce risk, streamline compliance, and prepare confidently for the new regulatory environment.

Interested in staying ahead of the latest privacy developments?

Listen to Foley's Privacy Group podcast series, where our attorneys break down evolving regulations, emerging risks, and what they mean for your business.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

