As we settle in to 2025, and five additional state privacy laws have or are about to go into effect, we wanted to put on your radar the obligation to conduct data protection impact assessments (DPIAs). In general, a DPIA should contain:

• a systematic description of potential processing operations and the purpose of the processing, including where applicable, the legitimate interest pursued by the controller;
• an assessment of the necessity and proportionality of the processing operations in relation to the purpose;
• an assessment of the risks to the rights and freedoms of consumers; and
• potential measures to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data.

As a reminder, most of the new state privacy laws require businesses to complete DPIAs if you do any of the following:

1. Cookies and pixels (i.e., browser-based targeted advertising)
2. Custom and lookalike audience (i.e., CRM-based targeted advertising)
3. CAPI (i.e., server-based targeted advertising)
4. App advertising (i.e., SDK-based targeted advertising)
5. Find-a-store (i.e., precise geolocation collection)
6. Other sensitive information collection (e.g., race, ethnicity, health, etc.)
7. Selling of personal data
8. Adaptive pricing (i.e., profiling that may cause financial injury)
9. Collecting credit cards number (New Jersey privacy statute only)