While data protection or privacy impact assessments (PIAs) may be familiar to businesses that process personal information of individuals from certain countries outside the U.S. — e.g., those in Europe — until recently, consumer privacy laws applicable to businesses in the U.S. have not mandated PIAs. The specific processing activities for which businesses are required to conduct a PIA, however, vary from state to state. Businesses that are subject to these laws and operate nationally should review the PIA thresholds under each law and develop a strategy for compliance that caters to these differences. Data, Privacy & Cybersecurity partner Jacqueline Klosek, associate Federica De Santis, and summer associate David Peterson explain more in Law360.