In the United States, privacy impact assessments are quickly becoming one of the trending requirements of new legislation and proposed bills. CPRA, CPA, and VCDPA all have privacy impact assessment requirements, and as 2023 approaches rapidly organizations should be thinking about how to complete assessments, where to store them, and reporting on assessment outcomes.
The Utah Consumer Privacy Act has been signed by Gov. Cox. As of right now, there is no assessment requirement, but with the AG having the authority to make changes that could be added in the future. Indiana, Oklahoma, and Wisconsin are rapidly following in Utah’s footsteps. The story continues as almost on a weekly basis a new state is proposing a law.
Michael Hellbusch, Partner at Rutan & Tucker, says “Businesses want and need to be efficient when faced with the multi-jurisdiction regulatory landscape we have in the United States. While state privacy laws are thematically largely the same, the devil is in the details. Being efficient means understanding where compliance efforts in one state can work for another state—and where they can’t. Mapping privacy impact assessment requirements across multiple jurisdictions is an efficient way to handle the increasingly complex U.S. privacy landscape.”
Privacy impact assessments across the board are going to call on controllers to assess their privacy and compliance for activities that run a high risk of consumer harm by analyzing protocols, data storage, access request response, and more. While assessments are becoming standard, each privacy law has variances in how they’re addressed.
Here is a breakdown of assessment requirements and pertinent information for CPRA, CPA, and VCDPA.
CPRA | CPA | VCDPA | |
Assessment Start Date | January 1, 2023
No lookback period provided. Likely to be required for all ongoing processing activities subject to assessment. |
July 1, 2023
No lookback period provided. Likely to be required for all ongoing processing activities subject to assessment. |
January 1, 2023
No lookback period provided. Likely to be required for all ongoing processing activities subject to assessment. |
Processing Activities Triggering Assessment | Processing of personal information that presents a significant risk to consumers’ privacy or security (likely to be further defined by the CCPA) | Processing of personal information that presents a heightened risk of harm to a consumer. | Processing of personal data that present a heightened risk of harm to consumers. |
Processing Activities Automatically Subject to Risk Assessments | Set forth by the CCPA, but will include:
|
|
|
Assessment Requirements | Set forth by the California Privacy Protection Agency, but assessments must:
|
Assessments must:
|
Assessments must:
|
Definition of Sensitive Data | The CPRA defines “sensitive personal information” as “personal information that reveals (a) consumer’s Social Security or other state identification number; (b) a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (c) consumer’s geolocation; (d) consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; (e) the contents of a consumer’s mail, email, or text messages, unless the business is the intended recipient of the communication; and (f) consumer’s genetic data. It also includes processing of biometric information for purposes of identifying a consumer; personal information collected and analyzed concerning a consumer’s health, and personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.” | “Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or personal data from a known child” | “Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; the personal data collected from a known child; or the precise geolocation of an individual.” |
Cross-Over Use | No indication, possibly to be addressed by the CPAA. | A single data protection assessment may address a comparable set of processing operations that include similar activities.
|
Data protection assessments conducted by a controller for the purpose of compliance with other laws or regulations may comply under this section if the assessments have a reasonably comparable scope and effect. |
Vendor Assistance In Conducting Risk Assessments | A contract with a service provider, contractor, or third party must grant the business rights to take reasonable and appropriate steps to help ensure that the third party , service provider uses the personal information in a manner consistent with the business’s obligations under the CPRA. Presumably, this includes the right to request information necessary to conduct risk assessments. | A processor is required to provide information to the controller necessary to enable the controller to conduct and document any data protection assessment. | A processor is required to provide information to the controller necessary to enable the controller to conduct and document any data protection assessment. |
Third-Party Assessments | A business is permitted to monitor a service provider’s compliance with contractual terms through regular assessments. However, this right is not mandatory for service provider agreements.
A business is permitted to monitors a contractor’s compliance with contractual terms through regular assessments. This right must be included in contractor agreements.
|
Processing by a processor must be governed by a contract that requires the processor to make available to the controller all information necessary to demonstrate compliance with processors CPA obligations.
|
Processing by a processor must be governed by a contract that requires the processor to make available to the controller all information necessary to demonstrate compliance with processors VCDPA obligations.
|
Assessment Frequency | No indication, but likely required for ongoing processing activities subject to assessments.
|
No indication, but likely required for ongoing processing activities subject to assessments. | No indication, but likely required for ongoing processing activities subject to assessments. |
Requirement to Submit Risk Assessment to Governmental Agency | The CPPA is tasked to issue regulations requiring businesses to submit risk assessments to the CPPA on a regular basis. | The attorney general and district attorneys are empowered to access and evaluate a company’s data protection assessments.
|
The Attorney General may request, in writing, that a controller disclose any data protection assessment that is relevant to an investigation conducted by the Attorney General, and the controller shall make the data protection assessment available to the Attorney General.
The Attorney General may evaluate the data protection assessment for compliance with the responsibilities set forth the VDCPA.
|
The Utah Consumer Privacy Act does not have an explicit provision related to privacy impact assessments, but there is language that implies that risks assessments should be done. The language in subsection (a)(ii) talks about reducing the reasonably foreseeable risk of harm to consumers related to the processing of personal data. Anytime you must account for a “foreseeable risk of harm” the covered entity must assess the risks of harm. Therefore, entities will need to assess the risks associated with the processing activities and implement the appropriate practices to reduce those risks. The risks of harm associated with the processing of personal data go beyond risks to the confidentiality and integrity described in subsection (a)(i) and would include privacy risks of the type to be assessed in a privacy risk assessment.
As 2023 looms closer and closer, organizations that fall under the parameters of these laws will need to have privacy impact assessment protocols in place sooner than later. Tools like Truyo’s Privacy Impact Assessment tool can drastically reduce the amount of time it takes to complete assessments, provide ample reporting needed for these laws, and give you the ability to simplify third-party assessments.
If you’re looking for a privacy impact assessment tool to help you simplify the process of preparing for CPRA assessments, Colorado Privacy Act assessments, and Virginia Consumer Data Privacy Act assessments, we would be happy to demo our product for you and give you a free trial so you can see start your road to compliance today.