Posts

Showing posts with the label risk assessments

A MoFo Privacy Minute Q&A: Key Steps in 2026 to Comply with State Privacy Assessment Requirements

Question:  Do I need to complete state privacy risk assessments in 2026? I know some CCPA deadlines aren’t until next year, but how can I prepare my team to comply with state privacy assessment requirements? Answer:   The start of the year is an excellent time to review and update your organization’s privacy assessment process, particularly in light of new regulations under the CCPA . It is likely that you will need to conduct privacy assessments in 2026 , though it depends on your organization’s data processing activities and which state consumer privacy laws apply to your organization. The CCPA’s new requirements include: Undertaking a risk assessment if the organization is “selling” or “sharing” personal data, processing sensitive data (with limited exceptions), using automated decision-making technology (ADMT) for a “significant decision,” or engaged in other types of processing that present a “significant risk” to consumers’ privacy. Conducting the risk assessment per the...

Where in the Loop? Testing AI Across 120 Compliance Tasks to Find Out Where Humans Are Most Needed

Oversight should sit at decision points where errors carry the highest ethical or legal weight, not on every output As compliance teams experiment with AI for everything from risk assessments to policy interpretation, a practical question emerges: Which tasks can be automated reliably, and which still require human judgment? Steph Holmes, director of compliance and ethics strategy at EQS Group, dives into her organization’s research on six AI models, finding that it excels at rule-driven work but struggles in the gray zone where data meets intent and culture intersects with language. The findings suggest oversight should be strategic, not universal, but there’s no doubt the loop isn’t complete without humans.  When people talk about responsible AI, the concept of “human in the loop” tends to surface quickly, and for good reason. It sounds reassuring, almost self-evident. But as  compliance  teams start experimenting with AI, a practical question emerges: Where in the loo...

California Finalizes Groundbreaking Regulations on AI, Risk Assessments, and Cybersecurity, Part II: What Businesses Need to Know

Image
  In July 2025, the California Privacy Protection Agency (CPPA) Board unanimously approved new regulations pursuant to the California Consumer Privacy Act (CCPA) that specifically address the use of automated decisionmaking technologies (ADMTs), requirements for completing risk assessments, and, for businesses processing large amounts of California resident data or engaging in the large-scale sale or sharing of data, mandatory annual cybersecurity audits. While these regulations have been in the drafting process since 2023, they reflect an ongoing trend in California and across the country in favor of heightened, proactive accountability mandates. Quick Hits The CPPA Board recently approved new cybersecurity audit regulations that, pending final approval by the California Office of Administrative Law (OAL), will apply to large CCPA-covered businesses and data brokers. The regulations include extensive independent audit requirements that will, at a minimum, necessitate businesses e...