About the Course
Introduction
This CLE webinar will discuss data risk assessment requirements and risks under U.S. data privacy laws. The panel will walk through the completion of various aspects of a privacy risk assessment and provide helpful tips and resources for making assessments more efficient and effective.
Description
Many state privacy laws require, or will soon require, companies to carry out assessments—referred to as data protection assessments, risk assessments, or DPIAs. These requirements extend to "high risk" activities or those that involve a "heightened risk of harm," including, in most cases, targeted advertising, sale of personal information (PI), and processing sensitive data, among many other things.
Risk assessments generally should include: a summary of the processing activity, a description of the personal data involved, the context and purpose of processing the data, a risk-benefit analysis, measures taken to mitigate risks, and identification of external and internal actors involved in processing the data. Some states have very specific additional requirements enumerated by law that must also be included in a risk assessment. Thus, it is imperative that each state's specific laws are reviewed before conducting and completing a risk assessment.
The assessment documentation must be available for review by regulators, and some states, including California, currently require or will soon require risk assessments (or summaries thereof) to be filed with the state and updated within prescribed timeframes. This means that companies subject to the applicable state privacy laws need to develop or refine their data inventory and assessment practices as a top priority in 2026 to be prepared for state enforcement of these requirements.
Listen as our authoritative panel of privacy experts reviews the current state laws governing privacy assessment requirements and risks and provides guidance to assist clients in developing risk assessment protocols and policies that address the nuanced requirements of the various state laws.
Presented By
Mr. Friel is a thought leader in digital media, IP, data privacy and protection, and consumer protection law, with over three decades of relevant experience to address the intersection of law and technology. Having served as a GC for several years in the late 1990s before returning to private practice, Mr. Friel has the necessary expertise to advise clients on making practical and informed business decisions, and help companies and entrepreneurs navigate the complex opportunities created by disruptive technology. With his in-house and private practice experience, he assists clients with creating data inventories, and information governance and data privacy and security programs; developing and implementing policies and procedures for providing consumer data privacy transparency, choice and access; drafting and negotiating privacy and data security provisions for commercial contracts; evaluating privacy impact assessments; addressing data privacy and security issues in merger and acquisitions transactions; structuring personal data transfer arrangements (including cross-border, intracompany, sales and licenses, and disclosures that are exempt from, and/or comply with, certain legal restrictions); drafting and revising external and internal privacy and data security policies and procedures; and addressing complex intellectual property and consumer protection issues related to digital media, advertising and commerce, such as in connection with the development and deployment of artificial intelligence, tailored and targeted advertising practices, and digital transformation and data commercialization strategies. Mr. Friel is a sought-after speaker and is affiliated with UCLA as an assistant professor in a multidisciplinary project at the Graduate School of TV, Film and Digital Media, and is an adjunct professor at Loyola Marymount School of Law.
Mr. Manek's global practice focuses on data analytics, cyber, data privacy, e-discovery, and digital forensics. He specializes in providing expert consulting services to organizations involved in large, complex, data-intensive regulatory change management projects.
Ms. Yushchak is a Senior Managing Director based in Washington, DC. She has over 25 years of experience in technology and litigation consulting, including privacy compliance consulting relating data protection laws (GDPR, CCPA, etc.), eDiscovery and litigation support, cyber breach management, change management, and information governance.
-
This 90-minute webinar is eligible in most states for 1.5 CLE credits.
-
Date + Time
- event
Wednesday, February 25, 2026
- schedule
1:00 PM E.T.
I. Overview: What is a data risk assessment, and what is its purpose
II. Determining when a data risk assessment is required or advisable under state consumer privacy laws
III. Key elements of a data risk assessment
IV. Timeframe for conducting and documenting a risk assessment
V. Updating and maintaining risk assessments
VI. Requirements for filing or disclosing assessments with state regulators
VII. Tools and resources available to operationalize risk assessments for greater efficiency and effectiveness
VIII. Practitioner pointers and key takeaways
The panel will discuss these and other key considerations:
- When is a risk assessment required or advisable in most states?
- What information is required to be included in a risk assessment?
- When must risk assessments be conducted and updated, and how long should they be maintained?
- What are the requirements for filing or disclosing risk assessments to state regulators?
- What resources and tools are available to operationalize risk assessments for greater efficiency and effectiveness?
Related Courses
Data Risk Assessments Under U.S. Privacy Laws: Purpose, Requirements, Elements, Operationalizing the Process
Wednesday, February 25, 2026
1:00 PM E.T.
Impact of New EU Data Act on U.S. Businesses: Extraterritorial Reach, Compliance Risks, Operational Challenges
Wednesday, March 11, 2026
1:00 PM E.T.
