Do new U.S. state laws require you to do a DPIA?

Some pointers:

  • Assess whether or not you have processing activities that require conducting a DPIA (these are situations where there is a “heightened risk” to the rights of individuals due to the processing of the data).
  • Under the new state laws (almost all of them), you need to conduct a DPIA when you process:
    • Personal information for targeted advertising
    • Personal information for sale
    • Personal information for profiling with a reasonably foreseeable risk of (a) unfair or deceptive treatment; (b) unlawful disparate impact on consumers; (c) financial, physical, or reputational injury; (d) physical or other intrusion upon solitude or seclusion, where the intrusion would be offensive to a reasonable person; (e) other substantial injury
    • Sensitive information/data
  • Generally, the DPIA must:
    • Identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders and the public against the potential risks as mitigated by measures
    • Factor in: (1) the use of deidentified data; (2) the reasonable expectations of consumers; (3) the context of the processing and the relationship between the controller and the consumer whose personal data will be processed
  • In addition to this, Colorado has detailed regulations that lay out what goes into the DPIA document with specific requirements where profiling is involved. This is the model to use (and beat) right now
    • California. In the public comment process for its DPIA regs, the state has specifically asked whether Colorado (and GDPR) should be a model and the majority of the comments received point to this
    • 24 US Attorneys General have all pointed to the Colorado model in discussing what the DPIA model should be for assessments regarding AI that involves personal data
  • The DPIA does not need to be public (and DPIAs are not subject to FOIA), but the AG may require disclosure, so you would need to have one ready.
  • One DPIA can address comparable sets of processing operations with similar activities
  • Also, DPIAs that you conduct under other laws will work if the requirements are reasonably similar in scope (so you can use your California DPIA for Colorado, and vice versa)
  • Start now because the AGs are watching and the Federal Trade Commission is scrutinizing profiling as well

I recently participated in a OneTrust DataGuidance webinar that touched on this subject: US Privacy Laws on the Horizon: Which States Will Be Next?

A video of the webinar can be viewed here.