HB Ad Slot
HB Mobile Ad Slot
Understanding the differences in the state privacy laws: When is an organization required to conduct a DPIA?
Thursday, September 8, 2022

Some modern data privacy statutes require organizations to consider and document privacy-related risks regarding certain types of processing activities. These assessments are sometimes referred to as “data protection assessments” or “data protection impact assessments” (generically a DPIA). For example, several state data privacy statutes mandate that a DPIA be conducted if an organization intends to sell personal data or use it for targeted advertising. The following chart provides a breakdown of the situations in which a DPIA is mandated under state privacy laws:

Processing Activities That Require a DPIA

California 2022

CCPA1

California 2023

CPRA2

Colorado 2023

CPA

Conn. 2023

CTDPA

Utah 2023

UCPA

Virginia 2023

VCDPA

Targeted advertising. A DPIA is required if an organization engages in targeted advertising.

X

X

3

4

X

5

Sale of data. A DPIA is required if an organization sells personal data.

X

X

6

7

X

8

Sensitive data. A DPIA is required if an organization processes sensitive data.

X

X

9

10

X

11

Profiling with risk of unfair treatment/ discrimination. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of unfair or deceptive treatment or unlawful disparate impact.

X

X

12

13

X

14

Profiling with risk of physical injury. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of physical injury.

X

X

15

16

X

17

Profiling with risk of financial injury. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of financial injury.

X

X

18

19

X

20

Profiling with risk of reputational injury. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of reputational injury.

X

X

X

21

X

22

Profiling with a risk of privacy intrusion. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of a physical or other intrusion upon solitude or seclusion that would be offensive to a reasonable person.

X

X

23

24

X

25

Other processing that has a heightened risk of harm. A DPIA is required if an organization processes data that presents a “heightened risk of harm.”

X26

X27

28

29

X

30


FOOTNOTES

While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations.  Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).

While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations.  Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).

C.R.S. § 6-1-1309(1), (2)(a) (2022).

Conn. Sub. Bill No. 6, § 8(a)(1) (2022).

Va. Code Ann. 59.1-576(A)(1) (2022).

C.R.S. § 6-1-1309(1), (2)(b) (2022).

Conn. Sub. Bill No. 6, § 8(a)(2) (2022).

Va. Code Ann. 59.1-576(A)(2) (2022).

C.R.S. § 6-1-1309(1), (2)(c) (2022).

10 Conn. Sub. Bill No. 6, § 8(a)(4) (2022).

11 Va. Code Ann. 59.1-576(A)(4) (2022).

12 C.R.S. § 6-1-1309(1), (2)(a)(I) (2022).

13 Conn. Sub. Bill No. 6, § 8(a)(3)(A) (2022).

14 Va. Code Ann. 59.1-576(A)(3)(i) (2022).

15 C.R.S. § 6-1-1309(1), (2)(a)(II) (2022).

16 Conn. Sub. Bill No. 6, § 8(a)(3)(B) (2022).

17 Va. Code Ann. 59.1-576(A)(3)(ii) (2022).

18 C.R.S. § 6-1-1309(1), (2)(a)(II) (2022).

19 Conn. Sub. Bill No. 6, § 8(a)(3)(B) (2022).

20 Va. Code Ann. 59.1-576(A)(3)(ii) (2022).

21 Conn. Sub. Bill No. 6, § 8(a)(3)(B) (2022).

22 Va. Code Ann. 59.1-576(A)(3)(ii) (2022).

23 C.R.S. § 6-1-1309(1), (2)(a)(III) (2022).

24 Conn. Sub. Bill No. 6, § 8(a)(3)(C) (2022).

25 Va. Code Ann. 59.1-576(A)(3)(iii) (2022).

26 While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To-date the CPPA has not proposed such regulations.  Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).

27 While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To-date the CPPA has not proposed such regulations.  Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).

28 C.R.S. § 6-1-1309(1), (2)(a)(IV) (2022).

29 Conn. Sub. Bill No. 6, § 8(a) (2022).

30 Va. Code Ann. 59.1-576(A)(5) (2022).

HTML Embed Code
HB Ad Slot
HB Ad Slot
HB Mobile Ad Slot
HB Ad Slot
HB Mobile Ad Slot
 
NLR Logo
We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins