State Privacy Laws and Data Protection Impact Assessments

Odia Kagan
Fox Rothschild LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Fox Rothschild LLP

Do new U.S. state laws require you to do a DPIA?

Some pointers:

  • Assess whether or not you have processes that require conducting a DPIA (these are situations where there is a “heightened risk” to the rights of individuals due to the processing of the data
  • Under the new state laws (almost all of them), you need to conduct a DPIA when you process information:
    • Personal information for targeted advertising
    • Personal information for sale
    • Personal information for profiling with reasonably foreseeable risk of (a) unfair or deceptive treatment; (b) unlawful disparate impact on consumers; (c) financial physical or reputational injury; (d) physical or other form of intrusion on solitude or seclusion in which the intrusion would be offensive to a reasonable person; (e) other substantial injury
    • Sensitive information/data
  • Generally, the DPIA must:
    • Identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders and the public against the potential risks as mitigated by measures
    • Factor in: (1) use of deidentified data; (2) reasonable expectations of consumers, (3) context of the processing and the relationship between the controller and the consumer whose personal data will be processed
  • In addition to this, Colorado has detailed regulations that lay out what goes into the DPIA document with specific requirements where profiling is involved. This is the model to use (and beat) right now
    • California. In the public comment process for its DPIA regs, the state has specifically asked whether Colorado (and GDPR) should be a model and the majority of the comments received point to this
    • 24 US Attorney Generals have all pointed to the Colorado model in discussing what should be the DPIA model for assessments regarding AI that involves personal data
  • The DPIA does not need to be public (and they are not subject to FOIA), but the AG may require disclosure. You would then need to have one ready.
  • One DPIA can address comparable sets of processing operations with similar activities
  • Also, DPIAs that you conduct under other laws will work if the requirements are reasonably similar in scope (So you can use your California DPIA for Colorado, and vice versa)
  • Start now because the AGs are watching and the Federal Trade Commission is scrutinizing profiling as well

I recently participated in a OneTrust DataGuidance webinar that touched on this subject: US Privacy Laws on the Horizon: Which States Will Be Next?

A video of the webinar can be viewed here.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising

Written by:

Fox Rothschild LLP
Fox Rothschild LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Fox Rothschild LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide