With the passage of numerous comprehensive state laws, many U.S. companies are now subject to a formal requirement to complete a Privacy Impact Assessment (“PIA”). While the various state and international PIA requirements may seem daunting, it is possible to align an organization’s PIA process to the most nuanced laws and achieve a baseline founded on the consistency across the states.
Below are the core concepts that you should be familiar with. See Kilpatrick Townsend’s recent Legal Alert for the answers to some commonly asked questions and practical suggestions for approaching the PIA requirements landscape.
Core Concepts/Key Information At a Glance
- Many states follow a “baseline” model which provides that PIAs are generally required before processing personal data in a manner that presents a heightened risk of harm to consumers.
- “PIA” is a broad term for privacy evaluations that also covers more targeted assessments, such as GDPR or GDPR-style data protection impact assessments (DPIAs). U.S. state laws often refer to PIAs as data protection assessments. PIAs are a means of documenting details around personal data use cases / processing activities and are essentially risk/benefit analyses.
- Heightened risk of harm generally includes (but is not limited to) activities involving targeted advertising, profiling, sale of personal data, and handling sensitive personal data.
- Colorado has documented a set of detailed PIA requirements via regulation, and California is expected to finalize a set of detailed requirements for privacy risk assessments very soon.
- For U.S.-based companies, model the overall PIA process on the “baseline states”. Focus on the common factors triggering PIAs. Layer on CA- and CO-specific requirements where applicable. If the company plans to expand globally, be sure to include questions about the jurisdictions in which it will be operating.
- Identify additional likely candidates for “high-risk” / “heightened risk” processing based on what the organization does (e.g., the company’s business model, data handling, industry, etc.).
- If the company also has GDPR or other global exposure and an established GDPR PIA/DPIA template in place, build in screening questions to see if additional assessments/questions are needed for the U.S. states.
- Include or be prepared to include questions related to AI / ADMT.
- Continue to monitor for developments in the U.S. state privacy arena, as well as municipal-level or topic-specific requirements.