Some modern data privacy statutes require organizations to consider and document privacy-related risks arising from certain types of processing activities. These assessments are sometimes referred to as “data protection assessments” or “data protection impact assessments” (generically, a DPIA). A DPIA is intended to make an organization identify and weigh the benefits that may flow from processing personal data against the potential risks that the processing might cause (as mitigated by any steps the organization has taken to minimize those risks). The following table identifies the factors that must be considered when conducting a DPIA under each statute:
| Factors Required in a DPIA | California 2022 CCPA[1] | California 2023 CPRA[2] | Colorado 2023 CPA | Conn. 2023 CTDPA | Utah 2023 UCPA | Virginia 2023 VCDPA |
|---|---|---|---|---|---|---|
| Explain benefits from processing. The DPIA should identify and weigh the benefits that may flow, directly or indirectly, from the proposed processing to either the organization, the data subject, other stakeholders, or the public. | N/A | N/A | ✔[3] | ✔[4] | N/A | ✔[5] |
| Explain risks from processing. The DPIA should identify and weigh the potential risks to the rights of the consumer associated with the proposed processing. | N/A | N/A | ✔[6] | ✔[7] | N/A | ✔[8] |
| Describe risk mitigations taken. The DPIA should describe any safeguards that the organization has taken to mitigate potential risks. | N/A | N/A | ✔[9] | ✔[10] | N/A | ✔[11] |
| Use of de-identification. To the extent that de-identification strategies have been utilized to mitigate risks, those strategies should be indicated. | N/A | N/A | ✔[12] | ✔[13] | N/A | ✔[14] |
| Reasonable expectations of data subject. The DPIA should consider whether the proposed processing aligns with the reasonable expectations of data subjects. | N/A | N/A | ✔[15] | ✔[16] | N/A | ✔[17] |
| Compliance with other aspects of state privacy law. The DPIA should consider whether the processing complies with other requirements imposed upon controllers under the state privacy laws. | N/A | N/A | ✔[18] | ✔[19] | N/A | ✔[20] |
[1] While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations. Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).
[2] While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations. Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).
[3] C.R.S. § 6-1-1309(3) (2022).
[4] Conn. Sub. Bill No. 6, § 8(b) (2022).
[5] Va. Code Ann. 59.1-576(B) (2022).
[6] C.R.S. § 6-1-1309(3) (2022).
[7] Conn. Sub. Bill No. 6, § 8(b) (2022).
[8] Va. Code Ann. 59.1-576(B) (2022).
[9] C.R.S. § 6-1-1309(3) (2022).
[10] Conn. Sub. Bill No. 6, § 8(b) (2022).
[11] Va. Code Ann. 59.1-576(B) (2022).
[12] C.R.S. § 6-1-1309(3) (2022).
[13] Conn. Sub. Bill No. 6, § 8(b) (2022).
[14] Va. Code Ann. 59.1-576(B) (2022).
[15] C.R.S. § 6-1-1309(3) (2022).
[16] Conn. Sub. Bill No. 6, § 8(b) (2022).
[17] Va. Code Ann. 59.1-576(B) (2022).
[18] C.R.S. § 6-1-1309(4) (integrating by reference § 6-1-1308) (2022).
[19] Conn. Sub. Bill No. 6, § 8(b) (2022).
[20] Va. Code Ann. 59.1-576(B) (stating that the Attorney General can evaluate the DPIA for compliance with all requirements within §59.1-574) (2022).