California's new risk assessment rule lands in an active enforcement environment. That should change how privacy teams think about the work.


Kim-An Hernandez

Chief Executive Officer

California Risk Assessments: Are You Ready?

Risk assessments are not new to privacy practitioners. GDPR has required DPIAs for years, Colorado and other states already mandate them in narrower forms, and most mature programs have been running some version of the exercise for a decade. What's changing in 2026 isn't the existence of the obligation — it's the combination of two things happening in California at the same time.

The first is regulatory. As of January 1, 2026, the California Consumer Privacy Act requires businesses to conduct and document a risk assessment before initiating any processing activity that presents a “significant risk” to consumers' privacy. The triggers are broad:

  • Selling or sharing personal information for cross-context behavioral advertising

  • Processing sensitive personal information

  • Using automated decision-making technology (ADMT) for significant decisions about a consumer (employment, finance, housing, education, health care)

  • Profiling in certain employment and education contexts

  • Profiling based on presence at a sensitive location

  • Processing personal information to train ADMT or biometric/identity-recognition systems

ADMT carries additional obligations — pre-use notice, opt-out rights, access to logic, and an appeal mechanism — that phase in by April 1, 2027, with the risk assessment as the foundation underneath.

The CPPA or the California Attorney General can request a copy of a risk assessment at any time, and the business has 30 days to produce it. The attestation submitted to the agency starting April 1, 2028 must be signed by a member of executive management under penalty of perjury. This is not a “draft it and file it” obligation — it's a document the business may have to defend, on the record, with personal accountability attached.

The second change is the enforcement environment those documents will land in. California regulators are not waiting. In the first half of 2026 alone, the AG and CalPrivacy resolved enforcement actions involving Disney/ABC ($2.75M), Ford ($375K), PlayOn Sports ($1.1M), and most recently General Motors ($12.75M) — the largest CCPA penalty to date and the first action premised on data minimization and purpose limitation. Notably, none of these violations to date relate to risk assessments, but the volume shows California is not shy about enforcement. A well-run risk assessment could surface the same kinds of issues that led to these actions before a regulator does, which makes it a proactive compliance tool rather than a filing.

The CalPrivacy Audits Division, formally stood up in February 2026, can examine any covered business at any time based on sector risk, without a consumer complaint. Settlements increasingly include forward-looking obligations to conduct risk assessments — a sign the agency views them as a remedy it can compel, not just a requirement it can wait on.

Put together, these two shifts argue against treating risk assessments as a documentation exercise. The same document that satisfies the regulation is now the document a regulator may ask for under deadline, that an executive may have to attest to, and that an enforcement team may use as a window into how seriously the business actually thought about consumer impact before it processed the data. A check-the-box assessment doesn't just fail to add value — it creates exposure, because it suggests the business went through the motions without engaging the substance.

The more useful framing is the one privacy practitioners have always known but haven't always had the leverage to push: a risk assessment is a decision-making tool. It's the moment where legal, product, engineering, and business stakeholders are forced to articulate what data is being collected, why, what the downstream impacts are, what mitigations exist, and whether the trade-offs are defensible. Done well, it shapes the design of the processing itself. Done poorly, it documents nothing useful and exposes the gap between what the business says it does and what it actually does.

Key takeaways for privacy teams:

  • Inventory the triggers carefully — many businesses that don't see themselves as high-risk processors will find activities in scope, particularly around ad-tech, HR analytics, sensitive data, and AI training.

  • Existing assessments from other regimes can often be leveraged, but only if they cover the elements California requires; in particular, applicant, employee, and B2B data are in scope for CCPA in ways they may not have been for GDPR DPIAs.

  • The practical operational question — who owns the assessment process, how it integrates with engineering and product decisions, and how the documentation is maintained over time — is now the part that most determines whether the work creates value or just paperwork.

California's direction is clear enough. The privacy notice is no longer carrying the weight on its own. The risk assessment is becoming the document that demonstrates a business considered consumer impact before it acted — and given how active the enforcement environment has become, it's a document privacy teams want to do well, not just on time.

About Arbr

Arbr is a practitioner-built platform designed to fundamentally improve how privacy and AI compliance work gets done. It combines AI-driven automation with a structured, relational data foundation to move teams away from manual processes and static documents — toward a more scalable, intelligent way of working.

Where traditional tools are built around workflows, Arbr is built on data: AI-enabled assessments and ROPA automation produce regulator-ready outputs from minimal input, while dynamic risk visibility and pattern detection surface exposure across jurisdictions, data types, and use cases in real time. Each assessment becomes reusable intelligence rather than a static document — so the system evolves as regulations change.

If California's enforcement direction has you rethinking how your team approaches privacy and AI risk, we'd like to hear from you.