Assessing the Assessments: Maximizing the Effectiveness of CCPA Risk Assessments 

October 24, 2023 | Ben Winters, Senior Counsel

The unchecked spread of commercial surveillance over the past few decades has led to a data privacy crisis for consumers in the U.S. and has allowed abusive data practices to flourish. The ability to monitor, profile, and target consumers on a mass scale has created a persistent power imbalance that robs individuals of their autonomy and privacy, stifles competition, and undermines democratic systems. And now more than ever, emerging generative and non-generative AI systems are also causing harm.  

With the support of the Rose Foundation for Communities and the Environment, EPIC is launching our latest project in this field: Assessing the Assessments: Maximizing the Effectiveness of Algorithmic & Privacy Risk Assessments. Through this project, EPIC will develop model privacy and algorithmic risk assessments and other materials to educate consumers and promote best practices for entities processing personal data. 

California’s Consumer Privacy Act (CCPA) creates legal rights and obligations that can address many of these harms, including a requirement to perform assessments when personal information is being sold, when automated decision-making systems are being used in sensitive contexts, or when personal information is being used to train AI systems. EPIC’s work to disrupt these data abuses and ensure that entities can no longer extract value from personal data in ways that undermine the public good is more important than ever. It is crucial that the regulations implementing the CCPA provide for risk assessments that enable transparency and accountability of AI and other automated systems. Risk assessments are going to be required in California, and although regulations are not written in stone, they should provide instruments for accountability. 

As a leading organization for consumer privacy rights, EPIC has spent nearly three decades creating educational resources to inform Americans about their privacy rights and advocating for strong privacy protections. Some recent highlights of this work include: 

  • In 2020, we published a resource to help California residents understand how to exercise their rights under the California Consumer Privacy Act (CCPA). 
  • EPIC also supported the California Privacy Protection Agency’s (CPPA) efforts to establish robust data privacy protections for Californians and, with a coalition of partner organizations, submitted comments to the agency on the development of further CCPA regulations. 
  • We also submitted comments to the Colorado Department of Law in support of the efforts of the Department to establish robust, pathbreaking privacy protections for Coloradans in reference to the Colorado Privacy Act. 
  • EPIC also recently presented testimony in Massachusetts in support of House Bill 64 and Senate Bill 33 (An Act establishing a commission on automated decision-making by government in the Commonwealth). 

So, what is a risk assessment? A risk assessment is an analysis of how personal data will be collected, processed, stored, and transferred by an entity. The term “risk assessment” is context-dependent; in the particular context of California’s privacy bill, risk assessments are made effective by being robust, publicly accessible requirements. When implemented properly, risk assessments force businesses to carefully evaluate and disclose the risks to consumers of planned data processing—including risks associated with automated decision-making—and can deter businesses from adopting harmful data practices in the first place. The transparency that risk assessments provide is critical, though not sufficient on its own. EPIC has long worked to promote the use of risk assessments and hopes to protect consumers by disseminating model assessments and related resources. 

The focus of this project is the California Consumer Privacy Act (CCPA). The CCPA is currently the strongest comprehensive state privacy law in the country, and effective analysis of CCPA-required risk assessments is key to both informing consumers about how their data is being processed and deterring data abuses on the part of businesses. In the coming months, we will publish on our website living, evolving resources that consumers, researchers, journalists, and lawmakers can all use to continuously track compliance with impact assessment requirements under the CCPA and other privacy laws, even as the regulations implementing the laws themselves continue to be modified.  

The resources we develop will be tools for both education and advocacy. This project will educate consumers about the assessments that businesses must conduct to comply with CCPA and other relevant privacy laws. We will provide consumers and businesses with sample assessments they can use as a reference and ensure that consumers have the greatest possible access to clear, comprehensive information about how businesses are processing their personal data. With respect to the advocacy component, the project aims to achieve more widespread use of risk assessments, the adoption of robust risk assessment requirements, and strict adherence by businesses to those requirements.  
