September 08, 2022

Understanding the differences in the state privacy laws: What factors must be considered by an organization when conducting a DPIA?

Some modern data privacy statutes require organizations to consider and document privacy-related risks regarding certain types of processing activities. These assessments are sometimes referred to as "data protection assessments" or "data protection impact assessments" (generically a DPIA). DPIAs are intended to make an organization identify and weigh the benefits that may flow from processing personal data against the potential risks that might be caused by the processing (as mitigated by any steps that the organization has taken to minimize those risks). The following identifies the factors required to be considered when conducting a DPIA:

| Factors Required in a DPIA | California 2022 CCPA[1] | California 2023 CPRA[2] | Colorado 2023 CPA | Conn. 2023 CTDPA | Utah 2023 UCPA | Virginia 2023 VCDPA |
| --- | --- | --- | --- | --- | --- | --- |
| Explain benefits from processing. The DPIA should identify and weigh the benefits that may flow, directly or indirectly, from the proposed processing to either the organization, the data subject, other stakeholders, or the public. | N/A | N/A | [3] | [4] | N/A | [5] |
| Explain risks from processing. The DPIA should identify and weigh the potential risks to the rights of the consumer associated with the proposed processing. | N/A | N/A | [6] | [7] | N/A | [8] |
| Describe risk mitigations taken. The DPIA should describe any safeguards that the organization has taken to mitigate potential risks. | N/A | N/A | [9] | [10] | N/A | [11] |
| Use of de-identification. To the extent that de-identification strategies have been utilized to mitigate risks, those strategies should be indicated. | N/A | N/A | [12] | [13] | N/A | [14] |
| Reasonable expectations of data subject. The DPIA should consider whether the proposed processing aligns with the reasonable expectations of data subjects. | N/A | N/A | [15] | [16] | N/A | [17] |
| Compliance with other aspects of state privacy law. The DPIA should consider whether the processing complies with other requirements imposed upon controllers under the state privacy laws. | N/A | N/A | [18] | [19] | N/A | [20] |

[1] While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations.  Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).

[2] While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations.  Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).

[3] C.R.S. § 6-1-1309(3) (2022).

[4] Conn. Sub. Bill No. 6, § 8(b) (2022).

[5] Va. Code Ann. 59.1-576(B) (2022).

[6] C.R.S. § 6-1-1309(3) (2022).

[7] Conn. Sub. Bill No. 6, § 8(b) (2022).

[8] Va. Code Ann. 59.1-576(B) (2022).

[9] C.R.S. § 6-1-1309(3) (2022).

[10] Conn. Sub. Bill No. 6, § 8(b) (2022).

[11] Va. Code Ann. 59.1-576(B) (2022).

[12] C.R.S. § 6-1-1309(3) (2022).

[13] Conn. Sub. Bill No. 6, § 8(b) (2022).

[14] Va. Code Ann. 59.1-576(B) (2022).

[15] C.R.S. § 6-1-1309(3) (2022).

[16] Conn. Sub. Bill No. 6, § 8(b) (2022).

[17] Va. Code Ann. 59.1-576(B) (2022).

[18] C.R.S. § 6-1-1309(4) (integrating by reference § 6-1-1308) (2022).

[19] Conn. Sub. Bill No. 6, § 8(b) (2022).

[20] Va. Code Ann. 59.1-576(B) (stating that the Attorney General can evaluate the DPIA for compliance with all requirements within §59.1-574) (2022).
