
September 08, 2022

Understanding the differences in the state privacy laws: When is an organization required to conduct a DPIA?

Some modern data privacy statutes require organizations to consider and document privacy-related risks regarding certain types of processing activities. These assessments are sometimes referred to as "data protection assessments" or "data protection impact assessments" (generically a DPIA). For example, several state data privacy statutes mandate that a DPIA be conducted if an organization intends to sell personal data or use it for targeted advertising. The following chart provides a breakdown of the situations in which a DPIA is mandated under state privacy laws:

| Processing Activities That Require a DPIA | California 2022 CCPA[1] | California 2023 CPRA[2] | Colorado 2023 CPA | Conn. 2023 CTDPA | Utah 2023 UCPA | Virginia 2023 VCDPA |
|---|---|---|---|---|---|---|
| Targeted advertising. A DPIA is required if an organization engages in targeted advertising. | X | X | [3] | [4] | X | [5] |
| Sale of data. A DPIA is required if an organization sells personal data. | X | X | [6] | [7] | X | [8] |
| Sensitive data. A DPIA is required if an organization processes sensitive data. | X | X | [9] | [10] | X | [11] |
| Profiling with risk of unfair treatment/discrimination. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of unfair or deceptive treatment or unlawful disparate impact. | X | X | [12] | [13] | X | [14] |
| Profiling with risk of physical injury. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of physical injury. | X | X | [15] | [16] | X | [17] |
| Profiling with risk of financial injury. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of financial injury. | X | X | [18] | [19] | X | [20] |
| Profiling with risk of reputational injury. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of reputational injury. | X | X | X | [21] | X | [22] |
| Profiling with a risk of privacy intrusion. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of a physical or other intrusion upon solitude or seclusion that would be offensive to a reasonable person. | X | X | [23] | [24] | X | [25] |
| Other processing that has a heightened risk of harm. A DPIA is required if an organization processes data that presents a "heightened risk of harm." | X[26] | X[27] | [28] | [29] | X | [30] |

[1] While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations. Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).

[2] While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations. Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).

[3] C.R.S. § 6-1-1309(1), (2)(a) (2022).

[4] Conn. Sub. Bill No. 6, § 8(a)(1) (2022).

[5] Va. Code Ann. 59.1-576(A)(1) (2022).

[6] C.R.S. § 6-1-1309(1), (2)(b) (2022).

[7] Conn. Sub. Bill No. 6, § 8(a)(2) (2022).

[8] Va. Code Ann. 59.1-576(A)(2) (2022).

[9] C.R.S. § 6-1-1309(1), (2)(c) (2022).

[10] Conn. Sub. Bill No. 6, § 8(a)(4) (2022).

[11] Va. Code Ann. 59.1-576(A)(4) (2022).

[12] C.R.S. § 6-1-1309(1), (2)(a)(I) (2022).

[13] Conn. Sub. Bill No. 6, § 8(a)(3)(A) (2022).

[14] Va. Code Ann. 59.1-576(A)(3)(i) (2022).

[15] C.R.S. § 6-1-1309(1), (2)(a)(II) (2022).

[16] Conn. Sub. Bill No. 6, § 8(a)(3)(B) (2022).

[17] Va. Code Ann. 59.1-576(A)(3)(ii) (2022).

[18] C.R.S. § 6-1-1309(1), (2)(a)(II) (2022).

[19] Conn. Sub. Bill No. 6, § 8(a)(3)(B) (2022).

[20] Va. Code Ann. 59.1-576(A)(3)(ii) (2022).

[21] Conn. Sub. Bill No. 6, § 8(a)(3)(B) (2022).

[22] Va. Code Ann. 59.1-576(A)(3)(ii) (2022).

[23] C.R.S. § 6-1-1309(1), (2)(a)(III) (2022).

[24] Conn. Sub. Bill No. 6, § 8(a)(3)(C) (2022).

[25] Va. Code Ann. 59.1-576(A)(3)(iii) (2022).

[26] While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations. Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).

[27] While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations. Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).

[28] C.R.S. § 6-1-1309(1), (2)(a)(IV) (2022).

[29] Conn. Sub. Bill No. 6, § 8(a) (2022).

[30] Va. Code Ann. 59.1-576(A)(5) (2022).
