Some modern data privacy statutes require organizations to consider and document privacy-related risks regarding certain types of processing activities. These assessments are sometimes referred to as “data protection assessments” or “data protection impact assessments” (generically a DPIA). For example, several state data privacy statutes mandate that a DPIA be conducted if an organization intends to sell personal data or use it for targeted advertising. The following chart provides a breakdown of the situations in which a DPIA is mandated under state privacy laws:
|
Processing Activities That Require a DPIA |
California 2022 CCPA1 |
California 2023 CPRA2 |
Colorado 2023 CPA |
Conn. 2023 CTDPA |
Utah 2023 UCPA |
Virginia 2023 VCDPA |
|
Targeted advertising. A DPIA is required if an organization engages in targeted advertising. |
X |
X |
✔3 |
✔4 |
X |
✔5 |
|
Sale of data. A DPIA is required if an organization sells personal data. |
X |
X |
✔6 |
✔7 |
X |
✔8 |
|
Sensitive data. A DPIA is required if an organization processes sensitive data. |
X |
X |
✔9 |
✔10 |
X |
✔11 |
|
Profiling with risk of unfair treatment/ discrimination. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of unfair or deceptive treatment or unlawful disparate impact. |
X |
X |
✔12 |
✔13 |
X |
✔14 |
|
Profiling with risk of physical injury. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of physical injury. |
X |
X |
✔15 |
✔16 |
X |
✔17 |
|
Profiling with risk of financial injury. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of financial injury. |
X |
X |
✔18 |
✔19 |
X |
✔20 |
|
Profiling with risk of reputational injury. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of reputational injury. |
X |
X |
X |
✔21 |
X |
✔22 |
|
Profiling with a risk of privacy intrusion. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of a physical or other intrusion upon solitude or seclusion that would be offensive to a reasonable person. |
X |
X |
✔23 |
✔24 |
X |
✔25 |
|
Other processing that has a heightened risk of harm. A DPIA is required if an organization processes data that presents a “heightened risk of harm.” |
X26 |
X27 |
✔28 |
✔29 |
X |
✔30 |
FOOTNOTES
1 While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations. Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).
2 While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations. Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).
3 C.R.S. § 6-1-1309(1), (2)(a) (2022).
4 Conn. Sub. Bill No. 6, § 8(a)(1) (2022).
5 Va. Code Ann. 59.1-576(A)(1) (2022).
6 C.R.S. § 6-1-1309(1), (2)(b) (2022).
7 Conn. Sub. Bill No. 6, § 8(a)(2) (2022).
8 Va. Code Ann. 59.1-576(A)(2) (2022).
9 C.R.S. § 6-1-1309(1), (2)(c) (2022).
10 Conn. Sub. Bill No. 6, § 8(a)(4) (2022).
11 Va. Code Ann. 59.1-576(A)(4) (2022).
12 C.R.S. § 6-1-1309(1), (2)(a)(I) (2022).
13 Conn. Sub. Bill No. 6, § 8(a)(3)(A) (2022).
14 Va. Code Ann. 59.1-576(A)(3)(i) (2022).
15 C.R.S. § 6-1-1309(1), (2)(a)(II) (2022).
16 Conn. Sub. Bill No. 6, § 8(a)(3)(B) (2022).
17 Va. Code Ann. 59.1-576(A)(3)(ii) (2022).
18 C.R.S. § 6-1-1309(1), (2)(a)(II) (2022).
19 Conn. Sub. Bill No. 6, § 8(a)(3)(B) (2022).
20 Va. Code Ann. 59.1-576(A)(3)(ii) (2022).
21 Conn. Sub. Bill No. 6, § 8(a)(3)(B) (2022).
22 Va. Code Ann. 59.1-576(A)(3)(ii) (2022).
23 C.R.S. § 6-1-1309(1), (2)(a)(III) (2022).
24 Conn. Sub. Bill No. 6, § 8(a)(3)(C) (2022).
25 Va. Code Ann. 59.1-576(A)(3)(iii) (2022).
26 While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To-date the CPPA has not proposed such regulations. Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).
27 While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To-date the CPPA has not proposed such regulations. Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).
28 C.R.S. § 6-1-1309(1), (2)(a)(IV) (2022).
29 Conn. Sub. Bill No. 6, § 8(a) (2022).
30 Va. Code Ann. 59.1-576(A)(5) (2022).