Understanding the differences in the state privacy laws: What factors must be considered by an organization when conducting a DPIA?
Thursday, September 8, 2022

Some modern data privacy statutes require organizations to consider and document privacy-related risks regarding certain types of processing activities. These assessments are sometimes referred to as “data protection assessments” or “data protection impact assessments” (generically a DPIA). DPIAs are intended to make an organization identify and weigh the benefits that may flow from processing personal data against the potential risks that might be caused by the processing (as mitigated by any steps that the organization has taken to minimize those risks). The following identifies the factors required to be considered when conducting a DPIA:

| Factors Required in a DPIA | California 2022 CCPA[1] | California 2023 CPRA[2] | Colorado 2023 CPA | Conn. 2023 CTDPA | Utah 2023 UCPA | Virginia 2023 VCDPA |
|---|---|---|---|---|---|---|
| Explain benefits from processing. The DPIA should identify and weigh the benefits that may flow, directly or indirectly, from the proposed processing to either the organization, the data subject, other stakeholders, or the public. | N/A | N/A | [3] | [4] | N/A | [5] |
| Explain risks from processing. The DPIA should identify and weigh the potential risks to the rights of the consumer associated with the proposed processing. | N/A | N/A | [6] | [7] | N/A | [8] |
| Describe risk mitigations taken. The DPIA should describe any safeguards that the organization has taken to mitigate potential risks. | N/A | N/A | [9] | [10] | N/A | [11] |
| Use of de-identification. To the extent that de-identification strategies have been utilized to mitigate risks, those strategies should be indicated. | N/A | N/A | [12] | [13] | N/A | [14] |
| Reasonable expectations of data subject. The DPIA should consider whether the proposed processing aligns with the reasonable expectations of data subjects. | N/A | N/A | [15] | [16] | N/A | [17] |
| Compliance with other aspects of state privacy law. The DPIA should consider whether the processing complies with other requirements imposed upon controllers under the state privacy laws. | N/A | N/A | [18] | [19] | N/A | [20] |


FOOTNOTES

[1] While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations.  Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).

[2] While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations.  Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).

[3] C.R.S. § 6-1-1309(3) (2022).

[4] Conn. Sub. Bill No. 6, § 8(b) (2022).

[5] Va. Code Ann. 59.1-576(B) (2022).

[6] C.R.S. § 6-1-1309(3) (2022).

[7] Conn. Sub. Bill No. 6, § 8(b) (2022).

[8] Va. Code Ann. 59.1-576(B) (2022).

[9] C.R.S. § 6-1-1309(3) (2022).

[10] Conn. Sub. Bill No. 6, § 8(b) (2022).

[11] Va. Code Ann. 59.1-576(B) (2022).

[12] C.R.S. § 6-1-1309(3) (2022).

[13] Conn. Sub. Bill No. 6, § 8(b) (2022).

[14] Va. Code Ann. 59.1-576(B) (2022).

[15] C.R.S. § 6-1-1309(3) (2022).

[16] Conn. Sub. Bill No. 6, § 8(b) (2022).

[17] Va. Code Ann. 59.1-576(B) (2022).

[18] C.R.S. § 6-1-1309(4) (integrating by reference § 6-1-1308) (2022).

[19] Conn. Sub. Bill No. 6, § 8(b) (2022).

[20] Va. Code Ann. 59.1-576(B) (stating that the Attorney General can evaluate the DPIA for compliance with all requirements within §59.1-574) (2022).
