If you have ever encountered the GDPR as a privacy professional, you will be all too aware of the need to conduct privacy impact assessments (PIAs) to understand the level of risk your processing activities introduce to the rights and freedoms of individuals. However, those of us conducting processing activities in the US may have to deal with differing obligations when conducting PIAs, owing to the emergence of comprehensive state privacy laws. In this blog series, we have been taking a dive into the key steps in complying with state privacy laws and comparing the different requirements that they place on organizations.
What Challenges do Privacy Impact Assessments Present to US State Privacy Law Compliance?
Organizations that are bound by different state legislation will have different obligations when it comes to conducting a PIA. Understanding when and how to conduct a PIA and remain compliant with these laws can be challenging, and with the expected arrival of more state privacy laws across 2022, the challenge will only become greater.
Currently, the California Privacy Rights Act (CPRA) has a very broad threshold for conducting a PIA, stating that “Businesses whose processing presents a significant risk to consumer privacy or security must submit a regular risk assessment to the CPPA”. Although it is expected that the California Privacy Protection Agency (CPPA) will issue further regulations on the topic, organizations are currently left having to interpret whether their processing activities pose a significant risk without guidance. The CPPA met in February 2022 to discuss the CPRA rulemaking process. The final CPRA regulations are expected to be released in the second half of 2022.
Virginia’s Consumer Data Protection Act (CDPA) is more prescriptive in its approach to PIAs, outlining several specific activities that require a PIA, including:
- The processing of personal data for targeted advertising
- The sale of personal data
- The processing of personal data for profiling under certain circumstances
- The processing of sensitive data
- Processing activities involving personal data that present a heightened risk of harm to consumers
In a similar fashion, the Colorado Privacy Act (CPA) outlines a marginally less restrictive list of processing activities that require a PIA, including:
- Processing for the purposes of targeted advertising or for profiling if said profiling presents a reasonably foreseeable risk
- Selling personal data
- Processing sensitive data
Given that both the CDPA and the CPA explicitly state that processing sensitive personal information requires a PIA, it becomes even more important to understand the definition of personal information and sensitive personal information under each state law. And as we discussed previously, having an up-to-date and accurate data map can be a great help in determining the need to conduct a PIA. It is also worth noting that the CDPA states that PIAs completed in compliance with other privacy laws can satisfy the requirements under the CDPA, so long as the original PIA has a similar scope and effect.
And then there is the matter of when these requirements apply. In the case of the CDPA and the CPA, PIAs are required for processing activities created or generated after their respective entry into effect. However, the CPRA has a 12-month lookback period, meaning that a PIA must be conducted before processing any personal information that was collected on or before January 1, 2022. Again, knowing when, how, and where this personal information was collected becomes more and more important.
How Do You Perform a Privacy Impact Assessment?
Once you have established whether you need to perform a PIA under the applicable law, you will need to understand how to perform the assessment and what to include. Businesses processing sensitive data in California should include ‘identifying and weighing the benefits resulting from the processing to the business, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with such processing’ as well as considering annual cybersecurity audits.
Similarly, under the CDPA, data controllers must consider the balance between the risks and benefits of the processing activity. On a more granular level, data controllers should also include:
- The context of processing
- The relationship between the controller and the consumer whose personal data will be processed
- The reasonable expectations of consumers
- The use of de-identified data
The CPA also requires businesses to weigh the risks and benefits of the processing activity. The official text of the CPA also states that data controllers should include several factors in an assessment, including:
- The use of de-identified data
- The reasonable expectations of consumers
- The context of the processing
- The relationship between the controller and the consumer whose personal data will be processed
Can OneTrust Help with Privacy Impact Assessments?
Yes. OneTrust provides the most comprehensive library of customizable assessment templates, built by in-house privacy experts, which can be tailored to fit your specific organizational workflows. OneTrust Assessment Automation helps organizations unify and scale US privacy compliance efforts by distributing regulation-specific PIAs, and customizable rule-based automation helps privacy teams assess data processing activities and automatically flag regulation-specific privacy risks. OneTrust Assessment Automation also generates visuals to map vendors and state-by-state data flows, helping organizations gain clarity on their regulatory requirements.
Request a demo to speak to one of our experts about how OneTrust can help you work towards complying with US State privacy requirements.