March 29, 2023

Volume XIII, Number 88


Understanding the differences in the state privacy laws: When is an organization required to conduct a DPIA?

Some modern data privacy statutes require organizations to consider and document privacy-related risks regarding certain types of processing activities. These assessments are sometimes referred to as “data protection assessments” or “data protection impact assessments” (generically a DPIA). For example, several state data privacy statutes mandate that a DPIA be conducted if an organization intends to sell personal data or use it for targeted advertising. The following chart provides a breakdown of the situations in which a DPIA is mandated under state privacy laws:

| Processing Activities That Require a DPIA | California 2022 CCPA¹ | California 2023 CPRA² | Colorado 2023 CPA | Conn. 2023 CTDPA | Utah 2023 UCPA | Virginia 2023 VCDPA |
|---|---|---|---|---|---|---|
| Targeted advertising. A DPIA is required if an organization engages in targeted advertising. | X | X | ³ | ⁴ | X | ⁵ |
| Sale of data. A DPIA is required if an organization sells personal data. | X | X | ⁶ | ⁷ | X | ⁸ |
| Sensitive data. A DPIA is required if an organization processes sensitive data. | X | X | ⁹ | ¹⁰ | X | ¹¹ |
| Profiling with risk of unfair treatment/discrimination. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of unfair or deceptive treatment or unlawful disparate impact. | X | X | ¹² | ¹³ | X | ¹⁴ |
| Profiling with risk of physical injury. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of physical injury. | X | X | ¹⁵ | ¹⁶ | X | ¹⁷ |
| Profiling with risk of financial injury. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of financial injury. | X | X | ¹⁸ | ¹⁹ | X | ²⁰ |
| Profiling with risk of reputational injury. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of reputational injury. | X | X | X | ²¹ | X | ²² |
| Profiling with a risk of privacy intrusion. A DPIA is required if an organization engages in profiling that has a reasonably foreseeable risk of a physical or other intrusion upon solitude or seclusion that would be offensive to a reasonable person. | X | X | ²³ | ²⁴ | X | ²⁵ |
| Other processing that has a heightened risk of harm. A DPIA is required if an organization processes data that presents a “heightened risk of harm.” | X²⁶ | X²⁷ | ²⁸ | ²⁹ | X | ³⁰ |


FOOTNOTES

1 While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations. Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).

2 While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations. Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).

3 C.R.S. § 6-1-1309(1), (2)(a) (2022).

4 Conn. Sub. Bill No. 6, § 8(a)(1) (2022).

5 Va. Code Ann. 59.1-576(A)(1) (2022).

6 C.R.S. § 6-1-1309(1), (2)(b) (2022).

7 Conn. Sub. Bill No. 6, § 8(a)(2) (2022).

8 Va. Code Ann. 59.1-576(A)(2) (2022).

9 C.R.S. § 6-1-1309(1), (2)(c) (2022).

10 Conn. Sub. Bill No. 6, § 8(a)(4) (2022).

11 Va. Code Ann. 59.1-576(A)(4) (2022).

12 C.R.S. § 6-1-1309(1), (2)(a)(I) (2022).

13 Conn. Sub. Bill No. 6, § 8(a)(3)(A) (2022).

14 Va. Code Ann. 59.1-576(A)(3)(i) (2022).

15 C.R.S. § 6-1-1309(1), (2)(a)(II) (2022).

16 Conn. Sub. Bill No. 6, § 8(a)(3)(B) (2022).

17 Va. Code Ann. 59.1-576(A)(3)(ii) (2022).

18 C.R.S. § 6-1-1309(1), (2)(a)(II) (2022).

19 Conn. Sub. Bill No. 6, § 8(a)(3)(B) (2022).

20 Va. Code Ann. 59.1-576(A)(3)(ii) (2022).

21 Conn. Sub. Bill No. 6, § 8(a)(3)(B) (2022).

22 Va. Code Ann. 59.1-576(A)(3)(ii) (2022).

23 C.R.S. § 6-1-1309(1), (2)(a)(III) (2022).

24 Conn. Sub. Bill No. 6, § 8(a)(3)(C) (2022).

25 Va. Code Ann. 59.1-576(A)(3)(iii) (2022).

26 While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations. Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).

27 While the CPRA does not directly require that companies create a DPIA, it empowers the CPPA to issue regulations that might require companies to submit to the agency a risk assessment with respect to certain forms of processing activities. To date the CPPA has not proposed such regulations. Cal. Civ. Code § 1798.185(a)(15)(B) (West 2022).

28 C.R.S. § 6-1-1309(1), (2)(a)(IV) (2022).

29 Conn. Sub. Bill No. 6, § 8(a) (2022).

30 Va. Code Ann. 59.1-576(A)(5) (2022).

©2023 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XII, Number 251

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 
