Some modern data privacy statutes require organizations to consider and document privacy-related risks regarding certain types of processing activities. These assessments are sometimes referred to as “data protection assessments” or “data protection impact assessments” (generically a DPIA). DPIAs are intended to make an organization identify and weigh the benefits that may flow from processing personal

Some modern data privacy statutes require organizations to consider and document privacy-related risks regarding certain types of processing activities. These assessments are sometimes referred to as “data protection assessments” or “data protection impact assessments” (generically a DPIA). For example, several state data privacy statutes mandate that a DPIA be conducted if an organization intends to

Several modern state data privacy statutes refer to precise geolocation information as a “sensitive” category of personal information. What constitutes precise geolocation information differs slightly between and among states. The following table provides a side-by-side comparison of how the states have defined the term.


Most modern state data privacy laws exempt from their definition of personal information “publicly available information.” What constitutes publicly available information differs between state privacy laws and may not correlate to the lay definition understood by many businesses and individuals. For example, while some businesses may consider information available on the internet “publicly available information

Modern state privacy laws mandate that agreements with service providers or processors contain specific contractual provisions to govern the parties’ relationship. Which provisions should be included in a vendor agreement, however, differs by state statute. In addition, some state privacy laws impose statutory obligations upon vendors that do not necessarily need to be memorialized in

Modern state privacy laws confer upon individuals the ability to ask for their personal information to be deleted. Statutes differ, however, in the scope of the “deletion right.” For example, some states only permit consumers to request the deletion of personal information that the consumer provided to the organization (allowing the organization to keep personal

All modern data privacy statutes allow individuals the ability to request that organizations take certain actions in relation to their personal information. Organizations are not always required to take the actions requested, however, and often exercise discretion in terms of how to handle a data subject request. For example, if an individual asks an organization

Some privacy statutes explicitly reference “sensitive” or “special” categories of personal information. While such terms, when used, often include similar data types that are generally considered as raising greater privacy risks to data subjects if disclosed, the exact categories that fall under those rubrics differ between and among statutes. Furthermore, other privacy statutes do not

Many modern data privacy statutes rely heavily on regulatory enforcement. The amount of civil penalty that a regulator can seek for violations differs between and among the states. It should also be noted that there may be ambiguity within certain states regarding how violations are “counted.” For example, a business might consider the inadvertent selling of

Many modern data privacy statutes are designed to encourage compliance by permitting organizations to cure an alleged violation of the statute prior to a regulatory enforcement action. The ability to cure may have been included in recognition of the fact that modern data privacy statutes impose obligations that may be foreign to many organizations (i.e.,