With several consumer privacy laws and regulations going into effect this year, businesses need to be conducting and documenting formal assessments of their data practices, known as “Data Protection Impact Assessments” or “DPIAs.” We previously discussed DPIA requirements under the Virginia Consumer Data Protection Act (“VCDPA”), Connecticut’s Public Act No. 22-15 (“CTPA”), California Privacy Rights Act (“CPRA”), and Colorado Privacy Rights Act (“CPA”) here, and DPIA requirements under the California Age-Appropriate Design Code Act (“CAADCA”) and New York City’s Local Law 144 (“Local Law 144”) here.
Privacy World’s Alan Friel and Sasha Kiosse further detail these requirements, and provide practical tips for implementing a DPIA program as part of a broader data governance program. In this recently released Law360 article, Navigating Data Privacy Assessments Amid New State Laws.
For reference, this chart identifies the basic requirements for DPIAs under the VCDPA, CPA, CTPA, and CPRA, as well as CAADCA, the Indiana Consumer Data Protection Act (“ICDPA”), the Tennessee Information Protection Act (“TIPA”), the Montana Consumer Data Privacy Act (“MCDPA”), and Florida’s Act Relating to Technology Transparency (“Florida Law”).
SPB has developed comprehensive DPIA guidance materials, including assessment templates, for clients, which are available for a fixed fee. For more information, please contact the authors or your SPB relationship partner.
Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.