Some modern data privacy statutes require organizations to consider and document privacy-related risks regarding certain types of processing activities. These assessments are sometimes referred to as “data protection assessments” or “data protection impact assessments” (generically a DPIA). For example, several state data privacy statutes mandate that a DPIA be conducted if an organization intends to sell personal data or use it for targeted advertising. The following chart provides a breakdown of the situations in which a DPIA is mandated under state privacy laws:

Processing Activities That Require a DPIA

| Processing activity | California 2022 (CCPA)[1] | California 2023 (CPRA)[2] | Colorado 2023 (CPA) | Conn. 2023 (CTDPA) | Utah 2023 (UCPA) | Virginia 2023 (VCDPA) |
|---|---|---|---|---|---|---|
| Targeted advertising. A DPIA is required if an organization engages in targeted advertising. | X | X | [3] | [4] | X | [5] |
| Sale of data. A DPIA is required if an organization sells personal data. | X | X | [6] | [7] | X | [8] |
| Sensitive data. A DPIA is required if an organization processes sensitive data. | X | X | [9] | [10] | X | [11] |
| Profiling with risk of unfair treatment/discrimination. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of unfair or deceptive treatment or unlawful disparate impact. | X | X | [12] | [13] | X | [14] |
| Profiling with risk of physical injury. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of physical injury. | X | X | [15] | [16] | X | [17] |
| Profiling with risk of financial injury. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of financial injury. | X | X | [18] | [19] | X | [20] |
| Profiling with risk of reputational injury. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of reputational injury. | X | X | X | [21] | X | [22] |
| Profiling with a risk of privacy intrusion. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of a physical or other intrusion upon solitude or seclusion that would be offensive to a reasonable person. | X | X | [23] | [24] | X | [25] |
| Other processing that has a heightened risk of harm. A DPIA is required if an organization processes data that presents a “heightened risk of harm.” | X[26] | X[27] | [28] | [29] | X | [30] |

[1] While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations. Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).

[2] While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations. Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).

[3] C.R.S. § 6-1-1309(1), (2)(a) (2022).

[4] Conn. Sub. Bill No. 6, § 8(a)(1) (2022).

[5] Va. Code Ann. 59.1-576(A)(1) (2022).

[6] C.R.S. § 6-1-1309(1), (2)(b) (2022).

[7] Conn. Sub. Bill No. 6, § 8(a)(2) (2022).

[8] Va. Code Ann. 59.1-576(A)(2) (2022).

[9] C.R.S. § 6-1-1309(1), (2)(c) (2022).

[10] Conn. Sub. Bill No. 6, § 8(a)(4) (2022).

[11] Va. Code Ann. 59.1-576(A)(4) (2022).

[12] C.R.S. § 6-1-1309(1), (2)(a)(I) (2022).

[13] Conn. Sub. Bill No. 6, § 8(a)(3)(A) (2022).

[14] Va. Code Ann. 59.1-576(A)(3)(i) (2022).

[15] C.R.S. § 6-1-1309(1), (2)(a)(II) (2022).

[16] Conn. Sub. Bill No. 6, § 8(a)(3)(B) (2022).

[17] Va. Code Ann. 59.1-576(A)(3)(ii) (2022).

[18] C.R.S. § 6-1-1309(1), (2)(a)(II) (2022).

[19] Conn. Sub. Bill No. 6, § 8(a)(3)(B) (2022).

[20] Va. Code Ann. 59.1-576(A)(3)(ii) (2022).

[21] Conn. Sub. Bill No. 6, § 8(a)(3)(B) (2022).

[22] Va. Code Ann. 59.1-576(A)(3)(ii) (2022).

[23] C.R.S. § 6-1-1309(1), (2)(a)(III) (2022).

[24] Conn. Sub. Bill No. 6, § 8(a)(3)(C) (2022).

[25] Va. Code Ann. 59.1-576(A)(3)(iii) (2022).

[26] While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations. Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).

[27] While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations. Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).

[28] C.R.S. § 6-1-1309(1), (2)(a)(IV) (2022).

[29] Conn. Sub. Bill No. 6, § 8(a) (2022).

[30] Va. Code Ann. 59.1-576(A)(5) (2022).