Data Processing Impact Assessments, or DPIAs, are emerging as a new norm in the United States. Data Protection Impact Assessment requirements (referred to here as “PIAs”; the GDPR itself and most commentary abbreviate that assessment “DPIA”, so read the acronyms carefully) have long been associated with the GDPR, but a spate of new state privacy laws now establishes U.S. versions of these requirements, which went or will go into effect this year or within the next two years.
California, Colorado, Connecticut, Indiana, and Virginia have recently enacted, or are poised to enact, data privacy laws requiring DPIAs. Iowa and Utah have passed privacy bills that could pick up DPIA requirements through implementing regulations. Given the pace at which new data privacy laws are being enacted, including the pending issuance of regulations under the Utah Consumer Privacy Act, many privacy professionals recommend performing DPIAs for all processing of personal information in the U.S.
The Subtle Distinction Between a PIA and DPIA
Though many use the terms and associated acronyms interchangeably, there are subtle but important differences between a Data Protection Impact Assessment and a Data Processing Impact Assessment.
Familiar Data Protection Impact Assessment requirements appear under Article 35 of the GDPR and are part of the privacy by design principles. “A Data Protection Impact Assessment . . . is required under the GDPR any time you begin a new project that is likely to involve ‘a high risk’ to other people’s personal information.”
- PIAs apply only to high-risk processing that an organization has not yet begun; Article 35 requires the assessment to be completed prior to the processing. The EU has also clarified the PIA process by including a template for conducting PIAs in GDPR guidance.
- DPIAs seek to identify and minimize the risks of processing personal data more generally. They do not turn solely on whether sensitive information is processed, and they apply to processing activities generally, including well-established, ongoing processing.
These broader DPIA requirements have been included, under various names, in the California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”); the Colorado Privacy Act (“CPA”); the Connecticut Act Concerning Personal Data Privacy and Online Monitoring (“CTDPA”); and the Virginia Consumer Data Protection Act (“VCDPA”). All require an evaluation of the harms that could arise from a company’s processing activities, even if the processing has been ongoing and nothing about it has changed.
California
Pursuant to Section 1798.185(a)(15)(B) of the CPRA, the California Privacy Protection Agency must issue regulations requiring businesses whose processing of personal information “presents significant risk to consumers’ privacy or security” to submit, “on a regular basis,” a risk assessment “identifying and weighing the benefits resulting from the processing to the business, the consumer and other stakeholders, and the public, against the potential risks to the rights of the consumer associated with that processing, with the goal of restricting or prohibiting processing if the risks to the privacy of the consumer outweigh the benefits resulting from the processing to the consumer, the business, other stakeholders, and the public.” The statute itself does not fix the submission cadence; that is left to the Agency’s regulations.
The California requirements became operative on January 1, 2023. They will be shaped by the Agency’s forthcoming regulations, which may define what counts as “significant risk” and thereby narrow the activities that trigger an assessment. Until those regulations are final, the prudent reading is that any processing of personal information that could present significant risk should be assessed.
Colorado
Colorado’s DPIA requirements are set out in Colorado Revised Statutes Section 6-1-1309, part of the CPA, and mirror those in the earlier-enacted Virginia CDPA, discussed further below. Both laws require a data protection assessment before a controller may conduct processing that presents a “heightened risk of harm to a consumer.”
Under the Colorado statute, “[p]rocessing that presents a heightened risk of harm to a consumer” includes:
- Processing personal data for targeted advertising, or for profiling if the profiling presents a reasonably foreseeable risk of:
  - Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
  - Financial or physical injury to consumers;
  - A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers if the intrusion would be offensive to a reasonable person; or
  - Other substantial injury to consumers; and
- Selling personal data
DPIAs are also required if the processing includes sensitive personal information. A notable difference between Colorado’s and Virginia’s laws is that Colorado’s list of profiling harms does not include reputational injury, whereas a foreseeable risk of reputational injury does trigger a DPIA under Virginia’s counterpart.
Colorado requires risk assessments to “identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller can employ to reduce risks.”
The DPIA requirement applies to processing activities created or generated after July 1, 2023, and is not retroactive.
Connecticut
Drawing from the Virginia law, Section 8 of the CTDPA sets forth DPIA requirements for “processing activities that present a heightened risk of harm to a consumer” and lists those activities as the processing of personal data for the following purposes:
- Targeted advertising;
- Sale; and
- Profiling, where the profiling presents a reasonably “foreseeable risk” of:
  - Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
  - Financial, physical, or reputational injury;
  - A physical or other intrusion upon solitude or seclusion, or the private affairs or concerns, where the intrusion would be offensive to a reasonable person; or
  - Other substantial injury
DPIAs are also required if the processing includes sensitive data. Connecticut’s DPIA requirement applies to processing activities created or generated after July 1, 2023, and requires weighing the benefits of the processing against the risks to the consumer, taking into account how those risks could be mitigated.
Indiana
Like most of the other state laws, Indiana’s privacy statute is based on the VCDPA and will require DPIAs for the following processing activities:
- Processing of personal data for targeted advertising;
- The sale of personal data;
- Processing personal data for profiling, where the profiling presents a reasonably “foreseeable risk” of:
  - Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
  - Financial, physical, or reputational injury;
  - A physical or other intrusion upon solitude or seclusion, or the private affairs or concerns, where the intrusion would be offensive to a reasonable person; or
  - Other substantial injury
- Processing of sensitive data; or
- Any processing activities involving personal data that present a “heightened risk of harm to consumers”
Similarly, the Indiana law incorporates the requirement to weigh benefits against risks, taking into account the safeguards the controller could employ to mitigate those risks. The DPIA requirements will apply to processing activities conducted after December 31, 2025.
Virginia
The Virginia CDPA has served as the basis for privacy laws in several other jurisdictions. In addition to the triggers carried over into the CPA, Section 59.1-580 of the Virginia CDPA requires a DPIA where profiling presents a reasonably foreseeable risk of reputational injury.
Unlike Colorado, Virginia does not define what constitutes a “heightened risk of harm” to a consumer; after its enumerated triggers, the statute adds a catch-all for “any processing activities involving personal data that present a heightened risk of harm to consumers,” leaving room for speculation about how regulators will approach the issue. The VCDPA includes the familiar requirement to weigh risks against benefits, accounting for mitigation that could be employed.
Virginia’s DPIA requirements went into effect on January 1, 2023.
Why Engage in DPIAs, Even in the Absence of a Mandate?
The need to comply with legal obligations is a clear reason to conduct DPIAs for activities that trigger the privacy laws in California, Colorado, Connecticut, Indiana, and Virginia. But why are privacy professionals recommending DPIAs in all U.S. jurisdictions? The answer is simple: the benefits of conducting DPIAs far outweigh the cost and the disruption to normal business operations.
- It’s good business practice. Given the speed at which these statutory and regulatory requirements are evolving in the U.S., it is advisable to stay ahead of mandates rather than rush to comply later. It also ensures that the collection and processing of personal information is inventoried and discussed internally before a regulator asks about it.
- It fosters customer trust. By stating on its website that risk assessments have been performed, a company reassures customers that their privacy rights are respected and carefully considered in its operations.
- It avoids surprises later. Building a DPIA forces a thorough inventory of what is processed and where the information comes from, so conducting one frequently surfaces risks that had not previously been identified.
How modCounsel Can Help
modCounsel has a team of attorneys and paralegals who provide Privacy and Privacy Operations services. Among those services is counseling on whether new or established processing activities trigger a requirement to perform PIAs under the GDPR or DPIAs under the various U.S. state laws. We have developed targeted questionnaires to help your internal team gather the information needed to conduct the risk assessments, and we render guidance on the results.
For more information about how our Privacy and Privacy Operations team can help you meet DPIA and general privacy requirements, contact us today.