EveryAILaw.comDoes California CCPA ADMT Regulations require Risk Assessment?
California • enacted
Yes — 1 provision
Requirements at a glance
This regulation imposes 6 specific requirements for Risk Assessment across 1 provision:
- Pre-processing assessment — Risk assessment required before initiating high-risk processing including ADMT for significant decisions (§ 7150–7152)
- Human oversight evaluation — Must evaluate adequacy of human oversight in risk assessment (§ 7152)
- Triennial review — Review and update every 3 years, or within 45 days of a material change (§ 7155(a)(2)–(3))
- Retention — Retain assessments for duration of processing or 5 years after completion, whichever is later (§ 7155(c))
- Submission to CPPA — Attestation submitted to CPPA on CPPA request; first general submission April 1, 2028 for 2026–2027 assessments (§ 7157)
- Pre-2026 activities — Businesses with processing initiated before 2026 must complete risk assessment by December 31, 2027 (§ 7155(b))
ADMT Risk Assessment #
Requirements
| Requirement | Details |
|---|---|
| Pre-processing assessment | Risk assessment required before initiating high-risk processing including ADMT for significant decisions (§ 7150–7152) |
| Human oversight evaluation | Must evaluate adequacy of human oversight in risk assessment (§ 7152) |
| Triennial review | Review and update every 3 years, or within 45 days of a material change (§ 7155(a)(2)–(3)) |
| Retention | Retain assessments for duration of processing or 5 years after completion, whichever is later (§ 7155(c)) |
| Submission to CPPA | Attestation submitted to CPPA on CPPA request; first general submission April 1, 2028 for 2026–2027 assessments (§ 7157) |
| Pre-2026 activities | Businesses with processing initiated before 2026 must complete risk assessment by December 31, 2027 (§ 7155(b)) |
Penalties
| Violation | Fine |
|---|---|
| Per violation | $2,500 standard; $7,500 intentional |