Under expanding U.S. state privacy laws, businesses must be prepared to assess the protection of certain personal information and individuals’ privacy rights prior to initiating planned data processing activities. While similar impact assessments may be familiar if your organization processes personal information of residents of the European Economic Area, Switzerland or the United Kingdom, until recently privacy laws in the U.S. have not mandated privacy impact assessments (PIAs). That is changing with new laws taking effect this year in California, Colorado, Virginia and Connecticut. While Utah’s Consumer Privacy Act also takes effect this year, that law does not require businesses to conduct PIAs.
By performing PIAs, companies can identify risks associated with processing activities and minimize or eliminate these risks as early as possible.
Initial steps: Determining whether a PIA is required
The California Consumer Privacy Act, as amended by the California Privacy Rights Act, and the Virginia Consumer Data Protection Act, which became effective 1 Jan., 2023, both require covered entities to perform PIAs. Likewise, the Colorado Privacy Act and the Connecticut Data Privacy Act, which come into effect 1 July, 2023, also require covered entities to perform PIAs. However, not all processing operations involving personal information trigger the requirement to conduct a privacy impact assessment. The California, Colorado, Connecticut and Virginia privacy laws each define the specific types of activities that trigger the requirement to prepare a PIA.
To ascertain whether a PIA is necessary for existing or planned processing activities, your organization should consider the steps detailed below.
Understand the personal information to be processed: Existing and new processing activities
It is critical for companies to understand not only the processing of personal information that will result from new projects, but also their current or legacy processing activities.
Where companies have already established a record of processing activities (RoPA), it should be reviewed to get a full view of the personal information being processed. However, where a RoPA is not in place, companies should consider undertaking a data inventory and mapping exercise — a crucial step in identifying and recording the personal information being processed and the characteristics of both the information and the processing.
To gain efficiencies and avoid the risk of rebuilding or re-engineering new processing activities, PIAs should start early in the project development or design phase. A preliminary analysis should be conducted at the outset of new projects to determine whether they will involve the collection, use, retention, security or disposal of personal information. The privacy team should engage project owners, such as development teams, or – in the case of outsourced services – the relationship or contract owners, in order to gain necessary insight into the project and personal information processing.
Does personal information to be processed trigger PIA requirements?
The Colorado, Connecticut and Virginia laws require controllers to prepare PIAs for any activities that present a “heightened risk of harm” to consumers. Although “heightened risk of harm” is not defined by any of these three laws, PIAs are specifically mandated for the following activities:
- Targeted advertising.
- Sales of personal information.
- Processing personal information for profiling that creates certain risks for consumers, including unfair or deceptive treatment, unlawful disparate treatment, financial, physical or reputational injury, and other risks. Under the CPA, the risk of reputational injury alone does not specifically warrant a PIA in the context of profiling.
California’s law differs slightly from Connecticut, Colorado and Virginia in requiring PIAs for any activities that present a “significant risk” to consumers’ privacy or security. The type of processing considered to do so is not yet defined and this threshold will have to be specified by the California Privacy Protection Agency.
Finally, processing of certain types of personal information may trigger the requirement to perform a PIA. Under all four currently applicable U.S. laws, the requirement is triggered whenever an organization collects or processes sensitive personal information. Organizations should consult the specific statutory requirements for each law’s definition of sensitive personal information, but it will generally include information revealing racial or ethnic origin, religious beliefs, physical or mental health diagnoses, sexual orientation or immigrant status, as well as genetic or biometric data.
After completing the threshold assessment, organizations can start planning specifics of the PIA — the main purpose being to demonstrate that they have thoroughly considered the risks and taken actions to mitigate them.
There is no specified method for conducting a PIA. This gives companies the flexibility to develop templates or frameworks that work best for their needs. That being said, the assessment should contain four essential components:
- A detailed description of the project and its purpose.
- An assessment of data processing needs and scope.
- An assessment of data protection and consumer privacy risks.
- An explanation of how the organization will mitigate risks and comply with the applicable law.
It should be noted that organizations may use PIAs or data protection impact assessments completed in compliance with other privacy laws, so long as the PIAs have a similar scope and effect.
Review and disposition
When initially designing the PIA process, an individual from the privacy or compliance team must be assigned responsibility for reviewing completed PIAs, considering the identified privacy risks and determining appropriate steps for the project to move forward.
Documentation of remedial actions taken will be essential in demonstrating that the risks have been addressed, particularly because PIAs must be filed with supervisory authorities in some instances, such as under California’s law, and in other cases they must be preserved so that they are available in the event of inquiries from regulators. Privacy technology tools — such as OneTrust, Transcend, WireWheel or TrustArc — may provide a level of automation for the execution of PIAs and can also serve as an easily accessible repository for completed PIAs. Of course, automation is not required, and manual execution and storage of properly performed and documented PIAs will meet compliance obligations.
Entities processing personal information of residents of California, Colorado, Connecticut and Virginia must establish processes for conducting PIAs in certain circumstances. While PIAs are a new and potentially time-consuming obligation, entities should also recognize their potential value.
Conducting PIAs raises privacy awareness among stakeholders on the product, IT and procurement side of the business and requires them to address risks associated with processing personal information prior to undertaking such processing. This leads to lower overall business risk, fewer inquiries or complaints from data subjects, reduced chance of regulatory scrutiny and, ultimately, individuals who feel safe and secure sharing their personal information with your business.