Understanding the differences in the state privacy laws: When is an organization required to conduct a DPIA?
Some modern data privacy statutes require organizations to consider and document privacy-related risks regarding certain types of processing activities. These assessments are sometimes referred to as "data protection assessments" or "data protection impact assessments" (generically a DPIA). For example, several state data privacy statutes mandate that a DPIA be conducted if an organization intends to sell personal data or use it for targeted advertising. The following chart provides a breakdown of the situations in which a DPIA is mandated under state privacy laws:
| Processing Activities That Require a DPIA | California 2022 CCPA[1] | California 2023 CPRA[2] | Colorado 2023 CPA | Conn. 2023 CTDPA | Utah 2023 UCPA | Virginia 2023 VCDPA |
|---|---|---|---|---|---|---|
| Targeted advertising. A DPIA is required if an organization engages in targeted advertising. | X | X | ✔[3] | ✔[4] | X | ✔[5] |
| Sale of data. A DPIA is required if an organization sells personal data. | X | X | ✔[6] | ✔[7] | X | ✔[8] |
| Sensitive data. A DPIA is required if an organization processes sensitive data. | X | X | ✔[9] | ✔[10] | X | ✔[11] |
| Profiling with risk of unfair treatment/discrimination. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of unfair or deceptive treatment or unlawful disparate impact. | X | X | ✔[12] | ✔[13] | X | ✔[14] |
| Profiling with risk of physical injury. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of physical injury. | X | X | ✔[15] | ✔[16] | X | ✔[17] |
| Profiling with risk of financial injury. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of financial injury. | X | X | ✔[18] | ✔[19] | X | ✔[20] |
| Profiling with risk of reputational injury. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of reputational injury. | X | X | X | ✔[21] | X | ✔[22] |
| Profiling with a risk of privacy intrusion. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of a physical or other intrusion upon solitude or seclusion that would be offensive to a reasonable person. | X | X | ✔[23] | ✔[24] | X | ✔[25] |
| Other processing that has a heightened risk of harm. A DPIA is required if an organization processes data that presents a "heightened risk of harm." | X[26] | X[27] | ✔[28] | ✔[29] | X | ✔[30] |
[1] While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations. Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).
[2] While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations. Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).
[3] C.R.S. § 6-1-1309(1), (2)(a) (2022).
[4] Conn. Sub. Bill No. 6, § 8(a)(1) (2022).
[5] Va. Code Ann. 59.1-576(A)(1) (2022).
[6] C.R.S. § 6-1-1309(1), (2)(b) (2022).
[7] Conn. Sub. Bill No. 6, § 8(a)(2) (2022).
[8] Va. Code Ann. 59.1-576(A)(2) (2022).
[9] C.R.S. § 6-1-1309(1), (2)(c) (2022).
[10] Conn. Sub. Bill No. 6, § 8(a)(4) (2022).
[11] Va. Code Ann. 59.1-576(A)(4) (2022).
[12] C.R.S. § 6-1-1309(1), (2)(a)(I) (2022).
[13] Conn. Sub. Bill No. 6, § 8(a)(3)(A) (2022).
[14] Va. Code Ann. 59.1-576(A)(3)(i) (2022).
[15] C.R.S. § 6-1-1309(1), (2)(a)(II) (2022).
[16] Conn. Sub. Bill No. 6, § 8(a)(3)(B) (2022).
[17] Va. Code Ann. 59.1-576(A)(3)(ii) (2022).
[18] C.R.S. § 6-1-1309(1), (2)(a)(II) (2022).
[19] Conn. Sub. Bill No. 6, § 8(a)(3)(B) (2022).
[20] Va. Code Ann. 59.1-576(A)(3)(ii) (2022).
[21] Conn. Sub. Bill No. 6, § 8(a)(3)(B) (2022).
[22] Va. Code Ann. 59.1-576(A)(3)(ii) (2022).
[23] C.R.S. § 6-1-1309(1), (2)(a)(III) (2022).
[24] Conn. Sub. Bill No. 6, § 8(a)(3)(C) (2022).
[25] Va. Code Ann. 59.1-576(A)(3)(iii) (2022).
[26] While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations. Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).
[27] While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations. Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).
[28] C.R.S. § 6-1-1309(1), (2)(a)(IV) (2022).
[29] Conn. Sub. Bill No. 6, § 8(a) (2022).
[30] Va. Code Ann. 59.1-576(A)(5) (2022).