Cyber Risk Advisory

California’s Proposed Data Privacy Rules Push the Envelope for Privacy Risk Assessments

Joe Nelson

Senior Consultant, Coalfire

March 11, 2025

The California Privacy Protection Agency (CPPA) has just closed the public comment period on a new set of proposed regulations covering privacy risk assessments and cybersecurity audits (read more on these here).

As of March 2025, these are only draft regulations; they are not law and can still change. The proposed risk-assessment rules are probably the least likely to change, because they are mostly in line with existing standards.

Risk assessments are a core concept of the E.U.'s General Data Protection Regulation (GDPR), as well as of most U.S. states that have adopted data privacy statutes. The vast majority of these states (CO, CT, DE, IN, KY, MN, MT, NE, NH, NJ, OR, RI, TN, TX, and VA) follow the Virginia Model ("VM", taken from the Virginia Consumer Data Protection Act), with minor variances between them.

How do California’s Proposed Privacy Risk-Assessment Rules Compare to Existing Legislation?

In a country where most large companies do business across state lines, efficiency and economy demand a single approach: shaping the privacy program to the most restrictive statute, with tweaks for the inconsistencies between the others.

It's critical, then, to understand how these proposed rules match up against the existing requirements of the VM.

This chart offers some perspective (left column: California's proposed rules; middle column: the risk-assessment requirement being compared; right column: the Virginia Model):

| CA Proposed Rules | Risk Assessment Requirement | Virginia Model |
|---|---|---|
| Yes | Applies to processing, anywhere in the world, of the state's residents' data | Yes |
| Yes | Risk assessments balance benefits to consumers, the business, other stakeholders, and the public against risks to consumers' privacy (as mitigated) | Yes |
| N/A | Requires consideration of using de-identified data | Yes |
| Sale + Sharing | Required for the sale and sharing of Personal Information (PI) | Sale only (though some states would consider sharing as selling) |
| Behavioral advertising (see below) | Targeted advertising | Use of PI in targeted advertising |
| Yes | Regulates use of PI for training of AI / ADMT models | N/A |
| Yes | Required for any processing of Sensitive Personal Information (SPI) | Yes |
| An assessment is required for the use of AI/ADMT for "extensive profiling", such as in employment, education, lending, etc. (ADMT = Automated Decisionmaking Technology) | Required for profiling? | If there's a risk of unfair or deceptive impact or other injury, or of an unreasonable intrusion upon consumers' privacy and solitude |
| Yes | Single assessment for similar processing / other jurisdictions | Yes |
| Every three years or with a material change | Review/update existing assessments | N/A |
| Must certify compliance every year; must disclose at least an abridged risk assessment of any new processing (or a public link to the unabridged assessment) | Compliance & reporting of risk assessments | Risk assessments must be disclosed to an Attorney General upon request |
| Companies may omit any trade secrets from risk assessments, but the rules are silent on whether submissions would become public | Confidentiality | AG-requested assessments do not become public or waive attorney-client privilege |

What Will Survive the Rulemaking Process? 

As noted, the regulations are not final; here's what we expect to see: 

  • The inclusion of AI/ADMT as a trigger for a risk assessment faced significant pushback during the comment period, including from several members of the California legislature, on two grounds: that AI rules do not belong in a privacy regulation, and that the definition of AI/ADMT is overbroad. Expect this to be pared down or removed. 
  • The CCPA (the statute) explicitly states that the risk-assessment rules do not mandate disclosure of trade secrets, but the proposed rules are silent on whether submitted abridged risk assessments would be publicly available. The option to provide a public link to the full risk assessment suggests they would be. Expect to see more clarity here. 

Coalfire Data Privacy Assessments: EU & US Compliance Made Simple 

Since 2001, Coalfire has established itself as a market leader by staying ahead of data privacy and protection trends, innovative technologies, impending regulations, and new compliance frameworks. Coalfire has a long-standing track record of delivering privacy and cybersecurity expertise that enables organizations across a broad set of industry verticals to achieve their compliance objectives.

Our experienced privacy team can meet your privacy risk-assessment needs with a single, comprehensive assessment that satisfies U.K., E.U., and U.S. (including VM and California) requirements. Contact Coalfire today to stay ahead of the curve and meet your data privacy and cybersecurity compliance goals. 

Not legal advice: As noted, the different states have different requirements, from the threshold (if any) for a state's jurisdiction, to the variations from the Virginia Model, to the fact that California's rules are far from finalized. Coalfire can help you develop a compliant data-privacy program, but the points in this article should not be taken as legal advice.