ASAP
Time for HR Professionals and In-House Employment Counsel to Add HR Data Privacy Risk Assessments to Their Repertoire
At a Glance
- Starting January 1, 2026, new CCPA regulations will require employers doing business in California to conduct a privacy risk assessment before engaging in many activities involving HR data.
- This ASAP discusses the types of HR activities subject to the risk assessment requirement, the timing requirements of completing risk assessments, the risk assessment process, and an organization’s obligation to submit information about each risk assessment to the California Privacy Protection Agency.
Effective January 1, 2026, employers subject to the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (CCPA) will be required to conduct a privacy risk assessment before engaging in many activities involving the personal information of job applicants, employees, or independent contractors who reside in California (collectively, “HR Data”). While this new compliance obligation derives from a package of recently approved CCPA regulations focused principally on the use of automated decisionmaking technology (ADMT), the requirement to conduct risk assessments extends far beyond ADMT. Moreover, human resources professionals and in-house employment counsel will need to be involved in these assessments – even at organizations with privacy professionals – because the risk assessment regulations specifically provide that “employees whose job duties include participating in the processing of personal information that would be subject to a risk assessment must be included in the business’s risk assessment process . . . . ”1
After detailing when the CCPA’s risk assessment regulations require a risk assessment, this ASAP describes the risk assessment process, as well as organizations’ obligation to submit information about each risk assessment to the California Privacy Protection Agency (the “Agency”).
Which activities trigger the risk assessment requirement?
Since January 1, 2023, the CCPA has required for-profit employers with more than $25 million2 in annual gross revenues that do business in California (“California Employers”) to implement a comprehensive privacy program for their HR Data. That program must include, for example, describing the organization’s handling of HR Data in privacy policies; incorporating CCPA-mandated provisions in service provider agreements; responding to requests from California applicants, employees, and contractors to exercise their data rights; and purging HR Data when no longer needed.3
Now, California Employers must also conduct a risk assessment before processing HR Data in a way that “presents significant risk to [California residents’] privacy.”4 The objective of the risk assessment is to “restrict[] or prohibit[] the processing of [HR Data] if the risks to privacy . . . outweigh the benefits resulting from processing to the [California resident], the business, other stakeholders, and the public.”5 The regulations specify six types of processing that present significant risks to privacy, three of which commonly arise when California Employers process HR Data:
- Processing sensitive personal information
- Using ADMT for a significant employment decision
- Systematic monitoring to infer characteristics
California Employers also must conduct risk assessments prior to: selling HR Data or disclosing it for targeted advertising; using personal information to train ADMT for certain high-risk uses; and automatically inferring characteristics about a California resident based on their presence in a sensitive location such as a healthcare facility or trade union office. These situations are unlikely to apply in the employment context, however.
Processing Sensitive Personal Information
The regulations require risk assessments in a wide range of situations in which California Employers handle “sensitive personal information.” Employers routinely process sensitive personal information which, under the CCPA’s definition of that term, includes (a) Social Security number, driver’s license number, and passport number; (b) precise geolocation; (c) racial or ethnic origin, religious or philosophical beliefs, or union membership; (d) email and text messages where the California Employer is not the intended recipient; (e) health information; (f) biometric information; and (g) sex life and sexual orientation.6 Fortunately, the regulations expressly exclude from the risk assessment requirement the processing of sensitive personal information to (a) administer work authorizations and compensation and benefits, (b) manage requests to accommodate a disability, and (c) conduct mandatory wage reporting. However, the regulations mandate that “[a]ny other processing of consumers’ sensitive personal information is subject to the risk-assessment requirements.”7
Given that the CCPA defines “processing” to include “any operation or set of operations that are performed on personal information”8 and that employers frequently process “sensitive personal information” for purposes outside the exclusion’s scope, California Employers arguably will be required to conduct risk assessments in an unexpectedly broad set of circumstances. By way of illustration, a risk assessment may be required before a California Employer engages in the following activities:
- Collecting an employee’s text messages or reviewing an employee’s non-business email directed to a corporate email account for purposes of investigating allegations of sexual harassment;
- Disclosing an employee’s Social Security number or driver’s license number in response to a request from law enforcement investigating a crime;
- Requiring employees to download an application that tracks their precise geolocation;
- Disclosing information to a customer about a field service employee’s health;
- Collecting and storing employees’ race, ethnicity, or sexual orientation in connection with inclusion, equity, and diversity initiatives.
Consequently, HR professionals and in-house employment counsel at California Employers will now need to routinely analyze whether a risk assessment is required before their organization collects, stores, uses, or discloses HR Data that constitutes sensitive personal information.
Using ADMT for a Significant Employment Decision
Similar to the risk assessments for handling sensitive personal information, the requirement to conduct a risk assessment for use of ADMT applies only to a subset of uses of artificial intelligence in the workplace. Only those uses of ADMT that result in a significant employment decision will trigger an obligation for California Employers to conduct a risk assessment.9 For example, providing employees with access to ADMT to help them perform basic job functions, such as drafting work correspondence or notetaking, would not trigger the risk assessment requirement. However, a risk assessment would be required before a California Employer uses ADMT to make decisions about (a) hiring, promotion, or demotion; (b) allocation of work assignments; (c) compensation, including incentive bonuses; or (d) suspension or termination.10 Given the growing use of ADMT in the workplace, the need for California Employers to conduct a risk assessment of ADMT will steadily increase.
Notably, California Employers can limit the scope of this risk assessment requirement by involving humans in significant employment decisions. The CCPA excludes the use of artificial intelligence from the definition of ADMT where humans (a) know how to interpret and use the technology’s output to make the decision; (b) analyze the output and any other relevant information before making the decision; and (c) have the authority to make the decision based on that analysis.11
Systematic Monitoring to Infer Characteristics
The regulations require a risk assessment before California Employers use “systematic observation” of job applicants, employees, or independent contractors to draw inferences automatically about key characteristics, such as ability, reliability, aptitude, work performance, or behavior.12 Although likely less common in most workplaces than the other two triggers for a risk assessment, this trigger still could come into play for many California Employers. For example, a risk assessment generally will be required before a California Employer:
- Routinely analyzes recordings by video surveillance cameras to assess job performance;
- Asks employees to wear sensors while performing physical labor to reduce workplace injuries; or
- Analyzes job applicants’ facial expressions, speech, and movements in video interviews to assess qualification for employment.
When and how frequently are risk assessments required?
California Employers are required to conduct a separate risk assessment for each processing activity involving HR Data that falls within one of the trigger categories described above, and to complete it before initiating that activity. There is a critical exception to this general rule. Employers that initiated covered activities before January 1, 2026 (the regulations’ effective date) and continue those activities are not required to complete the risk assessment until December 31, 2027.13
Once the requirement to complete a risk assessment goes into effect, the obligation to conduct risk assessments is ongoing. California Employers are required to review and update each risk assessment at least every three years. In addition, an updated risk assessment must be completed within 45 calendar days of a material change in the activity that triggered the initial obligation to conduct a risk assessment. A change is material “if it creates new negative impacts or increases the magnitude or likelihood of previously identified negative impacts . . . or diminishes the effectiveness of the safeguards” put in place to reduce those impacts.14
What does the risk assessment process entail?
The risk assessment must determine generally whether the risks to California residents’ privacy from the processing of personal information outweigh the benefits to the California resident, the business, other stakeholders, and the public.15 In practice, the risk assessment must be documented and cover the following nine areas:
- The purpose of processing;
- The categories of personal information involved, including sensitive personal information;
- Operational elements including: collection; retention; method of interaction with individuals; the number of individuals; disclosures of personal information; categories of service providers; and, if ADMT is involved, the logic, output, and how the business will use the ADMT to make a significant decision;
- Specific benefits of the processing;
- Potential negative impacts, e.g., unauthorized access, discrimination, and physical and psychological harms;
- Safeguards to protect against the potential negative impacts;
- Whether the business will initiate the processing after balancing all relevant factors;
- Who was involved in the risk assessment; and
- The date the risk assessment was reviewed and approved.16
Businesses cannot entirely outsource the risk assessment process to a privacy professional, compliance department, or external service provider. Instead, the employees whose job duties include participating in the processing of personal information subject to the risk assessment must be included in the risk assessment process.17 For risk assessments related to HR Data, this likely means that HR personnel must be involved in the risk assessment process, and in-house employment counsel likely will need to be involved to provide legal advice and to preserve the privilege of communications related to the risk assessment and of early drafts containing stakeholders’ comments.
What are the reporting and retention requirements?
While California Employers are not required to submit each risk assessment to the Agency, commencing April 1, 2028, they will be required to provide information that the Agency could use later when investigating a complaint or auditing compliance. This information includes, for example, (a) the total number of risk assessments conducted and updated during the reporting period, (b) a breakdown of the number of assessments for each type of trigger activity, and (c) the types of sensitive personal information, if any, implicated in each assessment.
Notably, the person who submits the assessment “must be a member of the business’s executive management team.” This executive must be “directly responsible for the business’s risk-assessment compliance” and know enough about the assessments to provide accurate information.18 Moreover, the online submission form to be made available at the Agency’s website will include the following attestation:
I attest that the business has conducted a risk assessment for the processing activities set forth in California Code of Regulations, Title 11, section 7150, subsection (b), during the time period covered by this submission, and that I meet the requirements of section 7157, subsection (c). Under penalty of perjury under the laws of the state of California, I hereby declare that the risk assessment information submitted is true and correct.19
Consequently, California Employers will need to carefully identify an executive who is willing and able to submit the risk assessment information to the Agency.
The executive responsible for the Agency submissions should also be charged with overseeing the proper management of each completed and updated assessment. The regulations require that California Employers retain each completed and updated assessment for five years.20
What are the next steps to address compliance?
California Employers should consider taking the following steps to prepare for compliance with CCPA’s risk assessment regulations:
- Identify the key stakeholders who will be involved in the risk assessment process;
- Identify the executive who will submit the risk assessment information to the Agency;
- Provide any training necessary for the key stakeholders and responsible executive to determine when a risk assessment is required and how to conduct the assessment;
- Inventory all processing activities involving HR Data that started before January 1, 2026, and that trigger the risk assessment requirement;
- Develop a schedule for completing risk assessments of current processing activities by December 31, 2027;
- Implement procedures to ensure that trigger activities to be initiated after January 1, 2026, are subject to a risk assessment before the processing of HR Data commences; and
- Develop a system for (a) tracking completed risk assessments; (b) ensuring each risk assessment is updated every three years or within 45 days of a material change, whichever occurs first; and (c) purging risk assessments when the five-year retention period expires.