High urgency

What Do Employers Need To Know About Risk Assessments Under The California Consumer Privacy Act? (Video) - Mondaq

Detected July 6, 2026 · in US State Data-Privacy Laws

California's CPRA now requires employers to conduct risk assessments for automated decision-making technology (ADMT) and sensitive data processing. This video explains the new obligations.

Aforeworn detected this change in the US State Data-Privacy Laws space on July 6, 2026 and published this briefing so affected operators are forewarned rather than caught off guard. It is rated High urgency. Employers with California employees using ADMT (e.g., hiring algorithms, performance monitoring) or processing sensitive data (e.g., health, biometrics). should confirm how it applies to their specific situation before acting. There is a time constraint attached: Risk assessments must be completed before any new ADMT or sensitive data processing begins; existing processing must be assessed by the next CPRA enforcement cycle (likely 2025).. Acting after that point can mean penalties, a lapsed licence, or lost eligibility — exactly the kind of surprise Aforeworn exists to prevent. Aforeworn monitors US State Data-Privacy Laws continuously and turns every detected change into a plain-English briefing like this one, so you always know first. Forewarned is forearmed.

What changed

CPRA risk assessment requirements now explicitly apply to employer-employee data, not just consumer data. Employers must document and assess ADMT and sensitive data processing for disproportionate impacts.

Who it affects

Employers with California employees using ADMT (e.g., hiring algorithms, performance monitoring) or processing sensitive data (e.g., health, biometrics).

What you must do

Conduct a risk assessment for any ADMT or sensitive data processing involving California employees, document the assessment, and implement mitigation measures.

Deadline

Risk assessments must be completed before any new ADMT or sensitive data processing begins; existing processing must be assessed by the next CPRA enforcement cycle (likely 2025).

Source: https://news.google.com/rss/articles/CBMiigJBVV95cUxNM2hBb3owcHRXM3VPUFAtc0dzNjdvbmRTMGZMYm9rODJTaTBqbm91bkp6YXJQa1Jjc1hfLU5nLTJUbXBWdzRpZW5BU1htVHFVRTI1bVBTblIySm9hdEZnX0t1Z0xrMFRzaGpHbjhWUWk0UTY1QmJtVE5YLXd5bVFhdFNNUXp5dW9rVnVEZGFiZ0phTTlYVWFoNmJQTEwwQ3I1bDZWZ3RnbmRoNVkzalZjRjhwMEljMFlfT3JuVEREV3ZwUElXNXVpNGRoNVdyVHVzVmRmOGJpemUxMHFnZklTejFVVkxiX2trU3h6QmR2VllkVG91UHFRQ1BqRDhaTmRZY0NQSVJYa0ZSQQ?oc=5

Never miss a change like this again

Aforeworn watches US State Data-Privacy Laws around the clock and alerts you the moment a rule moves — with a plain-English brief on what to do.

Start your free trial

Related changes in US State Data-Privacy Laws