California’s new risk assessment requirement under the CCPA, effective in 2026, mandates that businesses evaluate high-risk data processing before implementation. Covered activities include selling data, processing sensitive information, and using automated decision-making technologies. Assessments must balance risks to consumers against benefits, document purposes, data use, and safeguards, and involve key stakeholders. The requirement emphasizes proactive decision-making and governance, with ongoing updates required for material changes and periodic reviews
