Some modern data privacy statutes require organizations to consider and document privacy-related risks regarding certain types of processing activities. These assessments are sometimes referred to as “data protection assessments” or “data protection impact assessments” (generically a DPIA). For example, several state data privacy statutes mandate that a DPIA be conducted if an organization intends to sell personal data or use it for targeted advertising. The following chart provides a breakdown of the situations in which a DPIA is mandated under state privacy laws:
| Processing Activities That Require a DPIA | California 2022 CCPA[1] | California 2023 CPRA[2] | Colorado 2023 CPA | Conn. 2023 CTDPA | Utah 2023 UCPA | Virginia 2023 VCDPA |
|---|---|---|---|---|---|---|
| Targeted advertising. A DPIA is required if an organization engages in targeted advertising. | X | X | ✔[3] | ✔[4] | X | ✔[5] |
| Sale of data. A DPIA is required if an organization sells personal data. | X | X | ✔[6] | ✔[7] | X | ✔[8] |
| Sensitive data. A DPIA is required if an organization processes sensitive data. | X | X | ✔[9] | ✔[10] | X | ✔[11] |
| Profiling with risk of unfair treatment/discrimination. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of unfair or deceptive treatment or unlawful disparate impact. | X | X | ✔[12] | ✔[13] | X | ✔[14] |
| Profiling with risk of physical injury. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of physical injury. | X | X | ✔[15] | ✔[16] | X | ✔[17] |
| Profiling with risk of financial injury. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of financial injury. | X | X | ✔[18] | ✔[19] | X | ✔[20] |
| Profiling with risk of reputational injury. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of reputational injury. | X | X | X | ✔[21] | X | ✔[22] |
| Profiling with a risk of privacy intrusion. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of a physical or other intrusion upon solitude or seclusion that would be offensive to a reasonable person. | X | X | ✔[23] | ✔[24] | X | ✔[25] |
| Other processing that has a heightened risk of harm. A DPIA is required if an organization processes data that presents a “heightened risk of harm.” | X[26] | X[27] | ✔[28] | ✔[29] | X | ✔[30] |
[1] While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations. Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).
[2] While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations. Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).
[3] C.R.S. § 6-1-1309(1), (2)(a) (2022).
[4] Conn. Sub. Bill No. 6, § 8(a)(1) (2022).
[5] Va. Code Ann. 59.1-576(A)(1) (2022).
[6] C.R.S. § 6-1-1309(1), (2)(b) (2022).
[7] Conn. Sub. Bill No. 6, § 8(a)(2) (2022).
[8] Va. Code Ann. 59.1-576(A)(2) (2022).
[9] C.R.S. § 6-1-1309(1), (2)(c) (2022).
[10] Conn. Sub. Bill No. 6, § 8(a)(4) (2022).
[11] Va. Code Ann. 59.1-576(A)(4) (2022).
[12] C.R.S. § 6-1-1309(1), (2)(a)(I) (2022).
[13] Conn. Sub. Bill No. 6, § 8(a)(3)(A) (2022).
[14] Va. Code Ann. 59.1-576(A)(3)(i) (2022).
[15] C.R.S. § 6-1-1309(1), (2)(a)(II) (2022).
[16] Conn. Sub. Bill No. 6, § 8(a)(3)(B) (2022).
[17] Va. Code Ann. 59.1-576(A)(3)(ii) (2022).
[18] C.R.S. § 6-1-1309(1), (2)(a)(II) (2022).
[19] Conn. Sub. Bill No. 6, § 8(a)(3)(B) (2022).
[20] Va. Code Ann. 59.1-576(A)(3)(ii) (2022).
[21] Conn. Sub. Bill No. 6, § 8(a)(3)(B) (2022).
[22] Va. Code Ann. 59.1-576(A)(3)(ii) (2022).
[23] C.R.S. § 6-1-1309(1), (2)(a)(III) (2022).
[24] Conn. Sub. Bill No. 6, § 8(a)(3)(C) (2022).
[25] Va. Code Ann. 59.1-576(A)(3)(iii) (2022).
[26] While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations. Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).
[27] While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations. Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).
[28] C.R.S. § 6-1-1309(1), (2)(a)(IV) (2022).
[29] Conn. Sub. Bill No. 6, § 8(a) (2022).
[30] Va. Code Ann. 59.1-576(A)(5) (2022).