While data protection or privacy impact assessments may be familiar to businesses that process personal information of individuals from certain countries outside the U.S. — e.g., those in Europe — until recently, consumer privacy laws applicable to businesses in the U.S. have not mandated PIAs.
PIAs help businesses identify risks that may be associated with certain information processing activities, and then develop policies to address and mitigate those risks. A number of the recently enacted state consumer privacy laws require PIAs for certain processing activities that have a higher risk of causing harm to consumers.
The specific processing activities for which businesses are required to conduct a PIA, however, vary from state to state. Businesses that are subject to these laws and operate nationally should review the PIA thresholds under each law and develop a strategy for compliance that caters to these differences.
Background
A PIA is a process to help businesses identify what risks might be associated with their information processing activities, as well as help them manage and mitigate those risks.
The European Union‘s General Data Protection Regulation requires controllers to carry out PIAs when a processing activity “is likely to result in a high risk to the rights and freedoms” of individuals. European regulators have issued guidelines on conducting PIAs, including examples of high-risk processing activities that require a PIA.
PIA Requirements Under State Laws
Consumer privacy laws in California, Colorado, Connecticut, Virginia, Montana, Indiana and Tennessee each require a PIA for information processing practices which create a risk of harm to the consumer. California also requires PIAs for certain processing activities covered under the California Age Appropriate Design Code Act.
California
The California Consumer Privacy Act, as amended by the California Privacy Rights Act, is the most open-ended of the PIA requirements under state laws. Under the CCPA, a risk assessment is required for processing activities that present “significant risk to consumers’ privacy or security.”
The statute itself does not define what is considered a significant risk, though it states that businesses should consider the size and complexity of the business, as well as the nature and scope of the processing activities in determining whether there is significant risk to the security of the information.
The CCPA directs the California Privacy Protection Agency to issue regulations requiring businesses whose processing of personal information presents significant risk to consumers’ privacy or security to perform a “thorough and independent” annual cybersecurity audit and to submit a risk assessment to the CPPA on a regular basis.
The CPPA has begun preliminary rulemaking activity for cybersecurity audits and risk assessments — which also addresses the types of processing activities requiring a risk assessment — but it has not yet issued regulations.
A PIA requirement also exists under the California Age Appropriate Design Code Act, which was signed into law in September 2022 and is set to enter into force in July 2024. The CAADA requires businesses to complete a data protection impact assessment before offering to the public any new online service, product or feature that is likely to be accessed by children.
The assessment should document the risk of material detriment to children that arises from the data management practices of the business, and businesses should put in place a plan to mitigate or eliminate the risk prior to the service being accessed by children. Businesses must promptly make any completed assessments available to the attorney general upon written request.
Other States
Privacy laws in the other six states all follow a similar framework in outlining what processing activities require a PIA. For example, they all require that companies engaging in any one of the following practices conduct a PIA:
- Using personal data for targeted advertising;
- Selling personal data;
- Processing the data for purposes of profiling, where such profiling presents a reasonable likelihood of unfair or deceptive treatment, physical or financial injury, or an offensive intrusion into the consumer’s privacy; or
- Processing sensitive data.
Most of the statutes define sensitive data as data which could reveal a consumer’s race, ethnicity, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic data or biometric data that is processed to uniquely identify an individual; personal data collected from a known child; or precise geolocation data.
Privacy laws in Tennessee and Colorado do not include precise geolocation data in their respective enumerated definitions of sensitive data.
It is important to note that Colorado, Connecticut and Montana privacy laws use the factors above to define what is considered a heightened risk of harm to consumers.
Virginia, Indiana and Tennessee, on the other hand, include processing activities that present a heightened risk of harm to consumers as an additional category that requires conducting a PIA. These statutes do not further define what is considered to be a processing activity that presents a heightened risk of harm to consumers.
What to Do if You Are Subject to a PIA Requirement
If a business’s processing activities require a PIA under local state privacy laws, then the business must also ensure that the PIA is conducted in accordance with those laws.
Under the CCPA, the PIA must include a determination of whether the processing involves sensitive personal information. To do so, businesses are tasked with identifying and weighing the benefits arising from the processing activity, which flow to the business, the consumer, other stakeholders or the public against potential risks to the consumer’s rights associated with the processing activities.
While the other states’ privacy laws do not require businesses to determine whether the processing involves sensitive information, many businesses have followed the CCPA’s guidance in this regard.
When balancing the benefits of processing data against the risks, businesses should also include any safeguards currently in place to mitigate the risks to consumer data.
In the context of children’s data, the CAADA is prescriptive as to the content of PIAs. For each online product, service or feature that is likely to be accessed by children, the PIA must address:
- Whether the design could harm children, including by exposing them to harmful content;
- Whether the design could lead to children being targeted by harmful contacts;
- Whether the design could permit children to witness, participate in or be subject to harmful conduct;
- Whether the design could allow children to be party to or exploited by harmful contact;
- Whether algorithms used by the online product, service or feature, could harm children;
- Whether targeted advertising used by the same could harm children;
- Whether and how the online product, service or feature uses system design features to increase, sustain or extend use by children, including by automatically playing media, providing rewards for time spent, or notifications; and
- Whether, how and for what purposes the children’s sensitive data is collected or processed.
Businesses may also be subject to specific PIA reporting obligations. Under the CCPA, businesses are required to submit their PIAs to the CPPA on a regular basis. The CCPA does not specify in what format the PIA should be submitted.
In the other states, businesses are only required to maintain records in the instance that the attorney general in that state requests the records as a part of an ongoing investigation.
Finally, and helpfully, state privacy laws — except the CCPA — include explicit provisions that allow businesses to use the same PIA prepared to comply with another state’s PIA requirement, or used for another processing activity, provided that the PIA complies with the relevant state laws and the activities covered under the PIA are sufficiently similar in scope.
Conclusion
Although PIAs are a relatively recent development in the private sector in the U.S., it is apparent from recently enacted legislation that state legislatures view them as a valuable tool in helping to protect the rights of consumers.
While the recent trend is for states to use similar frameworks to determine what a PIA should address, the CAADA demonstrates that states are willing to incorporate other factors to further the goals of particular legislation.
For these reasons, it is crucial that businesses processing personal information across states familiarize themselves with the applicable PIA requirements in the jurisdictions where they operate.
Businesses should pay attention to relevant regulatory guidance that will be issued by local authorities, including guidance on the types of processing activities that require a PIA and any PIA templates issued by regulators.
This article was originally published on Law360 on June 27, 2023. Read the original article here.
The post Conducting Privacy Impact Assessments State-By-State appeared first on Data, Privacy & Cybersecurity Insights.