Posts

Showing posts with the label privacy risk assessments

A MoFo Privacy Minute Q&A: Key Steps in 2026 to Comply with State Privacy Assessment Requirements

Question:  Do I need to complete state privacy risk assessments in 2026? I know some CCPA deadlines aren’t until next year, but how can I prepare my team to comply with state privacy assessment requirements? Answer:   The start of the year is an excellent time to review and update your organization’s privacy assessment process, particularly in light of new regulations under the CCPA . It is likely that you will need to conduct privacy assessments in 2026 , though it depends on your organization’s data processing activities and which state consumer privacy laws apply to your organization. The CCPA’s new requirements include: Undertaking a risk assessment if the organization is “selling” or “sharing” personal data, processing sensitive data (with limited exceptions), using automated decision-making technology (ADMT) for a “significant decision,” or engaged in other types of processing that present a “significant risk” to consumers’ privacy. Conducting the risk assessment per the...

Navigating the Where, When, and What of Data Privacy Risk Assessments

As noted in  last week’s post , privacy risk assessments are now required in several states. Of the 19 U.S. states with comprehensive consumer data privacy laws, all but two mandate that businesses conduct privacy risk assessments when processing of consumer personal information in ways that could pose a risk to consumers' privacy. These assessments are not simple checklists—they involve detailed analyses weighing the risks of collecting and processing information against the benefits to the business, considering the safeguards the business plans to implement. Performing these assessments carries significant regulatory implications and potential litigation risks.  These important topics will be discussed in next week’s post. Before we get there, this post discusses the key threshold questions— WHERE ,  WHEN  and  WHAT —to determine whether a privacy risk assessment is required So the question becomes, when do businesses need to conduct one of these risk assessm...