
September 08, 2022

Understanding the differences in the state privacy laws: When is an organization required to conduct a DPIA?


Some modern data privacy statutes require organizations to consider and document privacy-related risks regarding certain types of processing activities. These assessments are sometimes referred to as "data protection assessments" or "data protection impact assessments" (generically a DPIA). For example, several state data privacy statutes mandate that a DPIA be conducted if an organization intends to sell personal data or use it for targeted advertising. The following chart provides a breakdown of the situations in which a DPIA is mandated under state privacy laws:

| Processing Activities That Require a DPIA | California 2022 CCPA[1] | California 2023 CPRA[2] | Colorado 2023 CPA | Conn. 2023 CTDPA | Utah 2023 UCPA | Virginia 2023 VCDPA |
| --- | --- | --- | --- | --- | --- | --- |
| Targeted advertising. A DPIA is required if an organization engages in targeted advertising. | X | X | [3] | [4] | X | [5] |
| Sale of data. A DPIA is required if an organization sells personal data. | X | X | [6] | [7] | X | [8] |
| Sensitive data. A DPIA is required if an organization processes sensitive data. | X | X | [9] | [10] | X | [11] |
| Profiling with risk of unfair treatment/discrimination. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of unfair or deceptive treatment or unlawful disparate impact. | X | X | [12] | [13] | X | [14] |
| Profiling with risk of physical injury. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of physical injury. | X | X | [15] | [16] | X | [17] |
| Profiling with risk of financial injury. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of financial injury. | X | X | [18] | [19] | X | [20] |
| Profiling with risk of reputational injury. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of reputational injury. | X | X | X | [21] | X | [22] |
| Profiling with a risk of privacy intrusion. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of a physical or other intrusion upon solitude or seclusion that would be offensive to a reasonable person. | X | X | [23] | [24] | X | [25] |
| Other processing that has a heightened risk of harm. A DPIA is required if an organization processes data that presents a "heightened risk of harm." | X[26] | X[27] | [28] | [29] | X | [30] |

[1] While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations.  Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).

[2] While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations.  Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).

[3] C.R.S. § 6-1-1309(1), (2)(a) (2022).

[4] Conn. Sub. Bill No. 6, § 8(a)(1) (2022).

[5] Va. Code Ann. 59.1-576(A)(1) (2022).

[6] C.R.S. § 6-1-1309(1), (2)(b) (2022).

[7] Conn. Sub. Bill No. 6, § 8(a)(2) (2022).

[8] Va. Code Ann. 59.1-576(A)(2) (2022).

[9] C.R.S. § 6-1-1309(1), (2)(c) (2022).

[10] Conn. Sub. Bill No. 6, § 8(a)(4) (2022).

[11] Va. Code Ann. 59.1-576(A)(4) (2022).

[12] C.R.S. § 6-1-1309(1), (2)(a)(I) (2022).

[13] Conn. Sub. Bill No. 6, § 8(a)(3)(A) (2022).

[14] Va. Code Ann. 59.1-576(A)(3)(i) (2022).

[15] C.R.S. § 6-1-1309(1), (2)(a)(II) (2022).

[16] Conn. Sub. Bill No. 6, § 8(a)(3)(B) (2022).

[17] Va. Code Ann. 59.1-576(A)(3)(ii) (2022).

[18] C.R.S. § 6-1-1309(1), (2)(a)(II) (2022).

[19] Conn. Sub. Bill No. 6, § 8(a)(3)(B) (2022).

[20] Va. Code Ann. 59.1-576(A)(3)(ii) (2022).

[21] Conn. Sub. Bill No. 6, § 8(a)(3)(B) (2022).

[22] Va. Code Ann. 59.1-576(A)(3)(ii) (2022).

[23] C.R.S. § 6-1-1309(1), (2)(a)(III) (2022).

[24] Conn. Sub. Bill No. 6, § 8(a)(3)(C) (2022).

[25] Va. Code Ann. 59.1-576(A)(3)(iii) (2022).

[26] While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations. Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).

[27] While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations. Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).

[28] C.R.S. § 6-1-1309(1), (2)(a)(IV) (2022).

[29] Conn. Sub. Bill No. 6, § 8(a) (2022).

[30] Va. Code Ann. 59.1-576(A)(5) (2022).
