EffectiveCalifornia

CCPA Risk Assessment Requirements for Automated Decisionmaking Technology

California Risk Assessment Requirements

Data last verified: March 23, 2026

Effective Date
January 1, 2026
Enforcement Date
Not specified in statute

Summary

The risk assessment portion of California's ADMT regulations (Article 10, 11 CCR §§ 7150-7157) requires businesses to conduct risk assessments before processing that presents significant risk to consumers' privacy, including using ADMT for significant decisions, selling/sharing PI, and processing sensitive PI. Risk assessment provisions became effective January 1, 2026. Risk assessment submissions to CPPA due April 1, 2028 for assessments conducted in 2026-2027. Penalties from parent CCPA statute: $2,500/$7,500 per violation (inflation-adjusted to $2,663/$7,988 per CPPA).

Who It Applies To

CCPA business definition: $25M+ revenue OR 100K+ consumers OR 50%+ revenue from PI sales

Min Consumers:
100,000
Min Annual Revenue:
$25,000,000

Any threshold triggers applicability

Penalties

Penalty Range
$2,663$7,988per violation
Cure Period
Not specified in statute
Private Right of Action
No private right of action
Enforcement Body
California Privacy Protection Agency (CPPA) and California Attorney General
Notes
Each affected consumer and each day of non-compliance may constitute a separate violation. Penalties defined in parent CCPA statute, not in the risk assessment regulation itself.

Requirements (1)

  • Impact Assessment11 CCR §§ 7150-7157

    This regulation requires businesses to conduct risk assessments before deploying automated decisionmaking technology for significant decisions.

Claire tracks 31 state and local AI laws across 23 US states. No prescriptive federal AI compliance statutes have been enacted. EU AI Act and sector-specific regulations are not covered.

Check if this law applies to your business