Protection file

Comparison of Data Protection Assessment Requirements in the Next Generation of US State Privacy Laws – Privacy

United States: Comparison of data protection assessment requirements in the next generation of U.S. state privacy laws

To print this article, simply register or connect to

What is a Data Protection Impact Assessment (DPIA)?

A Data Protection Impact Assessment or Data Protection Assessment (DPIA) is a form of risk assessment designed to help organizations identify, analyze, and minimize the privacy risks associated with their collection practices. , use, retention and disclosure of data.

DPIA is a familiar concept for those familiar with the General Data Protection Regulation (GDPR), which imposes DPIAs for all “high-risk” processing under the “privacy by design” principle.

Historically, consumer privacy laws in the United States did not dictate the performance of DPIAs, but that is about to change.

The table below explains:

  • When a company must perform a DPIA under each of the new laws,
  • The required content, and
  • Whether the DPIA will be subject to mandatory disclosure.

Data protection impact assessment

Privacy Act

DPIA triggers

Content required

Disclosure required?


Virginia Consumer Data Protection Act (VDCPA), in force Jan. 1, 2023

“Increased risk of harm”
VDCPA requires controllers1 prepare DPIAs for any activity presenting an “increased risk of harm” to consumers.


“Increased risk of harm” is not defined, however, DPIAs are specifically mandated to:

  • Targeted advertising;
  • Sales of personal data;
  • Process personal data for profiling purposes that creates certain risks for consumers (including unfair or deceptive treatment; different and unlawful treatment; financial, physical or reputational harm; and other risks); and
  • Processing of sensitive data.2

Benefits versus risks
The DPIA must “identify and assess the benefits that may arise, directly and indirectly, from the processing for the controller, the consumer, other stakeholders and the public against the potential risks to consumer rights associated with such processing,” as mitigated by safeguards that can be used by the controller to reduce these risks. “3

Conduct and document the DPIA
When conducting and documenting the DPIA, controllers should take into account:
“[t]the use of anonymized data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed.4

Government investigations
At the request of the state attorney general, as part of an investigation, controllers must disclose any DPIA relevant to the investigation.5

Waiver of privilege?
Disclosure of a DPIA does not constitute a waiver of attorney-client privilege or work product protection that might otherwise exist with respect to the assessment and any information contained in the assessment.6

Disclosures will be treated as confidential and exempt from state public inspection and copying law (i.e. state FOIA laws).seven


Colorado Privacy Protection Act (CPA), effective Jul 1, 2023

Closely reflects VDCPA
Like the VDCPA, the CPA requires controllers to conduct DPIAs for all activities that pose an increased risk of harm to consumers, and specifically mandate DPIAs in the same contexts as the VDCPA.8

Unlike VDCPA, the risk of reputational damage would not justify a DPIA for profiling.

Required content VDCPA mirrors
The content requirements for DPIAs under the CPA mirror those of the VDCPA.

VDCPA mirrors
The disclosure requirements for DPIAs under the CPA mirror those of the VDCPA.


California Privacy Regulations Act (CPRA), effective Jan 1, 2023

“Considerable risk”
Under CPRA’s regulatory provisions, the Attorney General is responsible for issuing regulations requiring risk assessments for processing activities that pose a “significant risk” to the privacy or safety of consumers.9 Therefore, this requirement could be added by the July 1, 2022 deadline for adopting final regulations.

“Significant risk” is not defined in the ACPL, but may be specified by regulations.

Required content reflects GDPR
A “risk assessment” required under the ACPL must:

  • indicate whether the processing involves sensitive personal information, and
  • identify and assess the benefits resulting from the processing for the business, the consumer, other stakeholders and the public, against the potential risks to consumer rights associated with such processing, with the aim of restricting or prohibiting such processing such processing if the risks to consumer privacy outweigh the benefits resulting from the processing for the consumer, the business, other stakeholders and the public.ten

Submission to CAPP
Businesses will be required to submit their “risk assessments” to the California Privacy Protection Agency on a regular basis.11

Other reports?
Again, we expect the DPIA’s reporting requirements to be expanded by regulation.

Adapt an existing privacy program to meet new requirements


The good news for organizations looking to understand how to adapt their privacy programs to these new laws is that the data protection assessment requirements of these laws are similar enough that organizations probably do not need to expand. separate DPIA policies and procedures to address each law.

Updates and Alerts

  • Stay tuned, as a future alert will discuss the steps organizations can take to successfully conduct and document a DPIA.
  • Be sure to follow our alerts as we continue to examine other key aspects of the next generation of U.S. privacy laws and the steps businesses can take to start addressing them.
  • Our advance alerts are available here.


1. The data controllers under the VDCPA and the CPA are generally defined as the natural or legal person who, alone or jointly with others, determines the purpose and means of the processing of personal data.

2. VDCPA, § 59.1-576 (A) (1-5).

3. VDCPA, § 59.1-576 (B).

4. VDCPA, § 59.1-576 (B).

5. VDCPA, § 59.1-576 (C).

6. VDCPA, § 59.1-576 (C).

7. VDCPA, § 59.1-576 (C).

8. CPA, § 6-1-1309 (2) (a) – (c).

9. CPRA, § 1798.185 (a) (15) (B).

10. CPRA, § 1798.185 (a) (15) (B).

11. CPRA, § 1798.185 (a) (15) (B).

The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.