HOW to Craft a California-Compliant Data Privacy Risk Assessment
Authors
Jason M. Schwent , Hannah Donahue
In the prior two alerts in this series, we explained that California (along with 16 other states) now requires businesses to conduct privacy risk assessments in certain circumstances where consumer privacy may face heightened risk. Our second alert outlined the key threshold questions—WHERE, WHEN, and WHAT—that trigger this obligation. In this alert, we turn to the central issue: HOW to prepare and structure a privacy risk assessment that meets regulatory expectations while minimizing legal exposure.
As noted in earlier alerts, a business must conduct a privacy risk assessment when it collects especially sensitive personal information or engages in processing activities that pose a heightened risk of harm to consumers. The purpose of these risk assessments is to require businesses to thoughtfully evaluate whether their collection and processing of consumer data is justified in light of the potential risks, and to consider whether alternative, less risky activities may be more appropriate.
In states that require privacy risk assessments, those assessments must do the following:
- Identify and evaluate the benefits of processing personal information for the business, consumers, stakeholders, and the public;
- Balance those benefits against the risks to consumers’ privacy rights;
- Assess safeguards and security measures that could mitigate those risks; and
- Consider key contextual factors, including the use of deidentified data, consumers’ reasonable privacy expectations, the nature and context of the processing, and the relationship between the controller and consumer.
While California’s risk assessment requirements cover the same general categories of information as other states, they are—as is typically the case for California—more detailed and demanding. Accordingly, this alert focuses on California’s regulations (specifically, 11 Cal. Code Regs. § 7152) as the framework for outlining how to prepare a privacy risk assessment.
- Why is the personal information being collected/processed?
California law requires businesses to identify and document the specific purpose for processing the personal information at issue. Generic statements, such as “to improve our services” or for “security purposes,” are expressly prohibited. Identifying a concrete purpose forces businesses to clearly articulate and commit to the rationale for collecting the personal information. That stated purpose then becomes the foundation for evaluating whether the collection is justified considering the associated privacy risks.
- What categories of personal information are involved?
One of the most critical components of any risk assessment is identifying exactly what personal information[1] is being collected from consumers. This determination sets the baseline for evaluating the level of privacy risk.
Under California law, a risk assessment must specify the categories of personal information to be processed and indicate whether any of that information qualifies as sensitive personal information.[2] The assessment must also identify the minimum personal information necessary to achieve the stated purpose. This requirement compels businesses to consider whether the same objective could be met with less (or less identifiable) data. For instance, if the purpose of the processing is to improve how sales information is delivered to consumers, is it necessary to collect identifiable personal information at all? Could the same goal be achieved using deidentified or aggregated data that do not tie back to any individual consumer? Evaluating these alternatives is a foundational step in determining whether the contemplated data collection is proportionate to the risks involved.
- How will the personal information be collected and retained; how will the business interact with consumers; and to whom will the information be disclosed?
California law next requires the assessment to describe in detail how the personal information will be handled throughout its lifecycle. This includes:
- Sources and methods for collection, use, disclosure, retention and processing;
- How long the information will be retained and the criteria used to establish the retention period; and
- With whom the information will be shared, for what specific purposes, and under what conditions.
The assessment must also estimate the number of consumers likely to be affected; describe how the business will interact with those consumers and for what purposes; and specify the disclosures the business has provided or will provide regarding the processing of their personal information.
For activities involving automated decisionmaking technology (ADMT), California imposes additional requirements. The risk assessment must explain:
- The logic, assumptions and limitations underlying the ADMT;
- The outputs the technology will generate; and
- How those outputs will be used when making significant decisions that affect consumers.
- What are the benefits of this processing?
The privacy risk assessment must identify the specific, non-generic benefits of processing this personal information—for consumers, the business, other stakeholders, and the public. As with the statement of purpose, California law requires a concrete articulation of these benefits; broad and generic statements, such as “improving our service,” are expressly prohibited. The business must clearly explain the distinct value that this processing activity is intended to provide.
- What are the negative privacy implications of the processing?
The business must identify specific privacy harms associated with processing the personal information, along with the factors that may cause or contribute to those harms. Potential harms include:
- Data security breaches;
- Unlawful discrimination;
- Loss of consumer control or informed choice;
- Coercive consent practices or dark patterns; and/or
- Economic, physical, reputational, or psychological harms.
As with other elements of the assessment, California requires specificity rather than broad, generic descriptions.
- What safeguards or mitigation measures will be implemented to address these risks?
At this stage, the assessment must explain the safeguards and mitigation measures the business will use to reduce or prevent the identified harms. These may include:
- Technical security controls;
- Privacy-enhancing technologies;
- External expert guidance or consultation; and/or
- Where ADMT is used, policies, procedures, and training to prevent unlawful discrimination based upon protected characteristics.
This portion of the analysis should demonstrate that once these safeguards and mitigation measures are applied, the benefits of processing outweigh the associated risks. This balancing of risks and benefits is the focus of the next section of the assessment.
- What was the decision on whether to proceed with the processing?
This item requires the business to explicitly state the outcome of the assessment—that is, whether it will proceed with the processing activity considering the risks, benefits, and mitigation measures analyzed in preceding sections. The assessment should clearly document how these factors were weighed and the final decision reached.
- Who provided information for the assessment?
In this section, the business must identify all individuals (excluding legal counsel) who supplied information used to evaluate whether the processing activity should proceed. Listing these contributors helps demonstrate the appropriateness, thoroughness, and defensibility of the assessment. For instance, if the Attorney General later reviews the assessment in connection with a complaint or data breach, this portion of the analysis will show whether the business relied on informed, relevant input or whether the assessment was perfunctory or superficial.
- Who is approving the assessment within the business?
Lastly, California law requires the business to identify the date on which the assessment was reviewed and approved by an individual with authority to decide whether the processing activity may proceed. All reviewers and approvers must be listed, and it is critical that the final approval come from someone empowered to authorize or deny the processing. Again, this information enables regulators or investigators (i.e., the Attorney General) to evaluate whether the assessment and the ultimate decision to proceed were made thoughtfully and by individuals with the appropriate decision-making authority.
In sum, to be effective, appropriate, and defensible, a privacy risk assessment under California law (and under similar state laws) must be specific, well-documented, risk-based, mitigation-focused, and formally approved by individuals with the authority to authorize the processing before it begins. Although these assessments resemble other legal analyses, they remain subject to review and oversight by state Attorneys General. As enforcement actions develop in states that require these assessments, businesses will gain clearer guidance on what should—and should not—be included. For now, it is safe to assume that failing to take these requirements seriously, or proceeding without adequately assessing and mitigating risks, may result in regulatory fines or penalties and could significantly increase potential liability if the processing results in harm to consumers.
If you have questions or need assistance in putting together a privacy risk assessment for your business, contact Jason M. Schwent, Hannah Donahue, or the privacy professionals at Clark Hill PLC for assistance.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author(s) only and are not necessarily the views of Clark Hill PLC or Clark Hill Solicitors LLP. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.
[1] For purposes of this alert, the term “personal information” refers to data that identifies, describes, is associated with, or could reasonably be linked to an individual. Examples include a person’s name, birthdate, postal address, email address, telephone number, driver’s license number, Social Security number or other government-issued identification number, credit card number, or other unique identifiers. Personal information would not include anonymous, deidentified, or aggregated data that cannot be used to identify a specific person, even when combined with other datasets. Personal information also does not include information related to businesses, companies, institutions, or other non-individual entities. Business-related information—such as a person’s job title, employer’s name, work email, work phone number, work address, and other similar professional contact details—is not considered personal information for the purposes of this alert.
[2] Sensitive personal information is defined by the regulations (11 Cal. Code Regs. § 7001(aaa)) and means personal information that reveals highly private details about an individual (i.e., government‑issued identification numbers, financial account access information, precise location, protected characteristics (like race, citizenship, or religious beliefs), the contents of private communications, genetic or neural data, biometric identifiers, health information, or information about a person’s sex life or sexual orientation). It also includes personal information about individuals under 16 when the business knows (or should know) their age. Sensitive personal information does not include publicly available information.