Keypoint: The CPRA, CPA and VCDPA require data protection assessments for certain processing activities; however, when and how entities must conduct and prepare assessments varies.

This is the third article in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.

In this article, we examine how the three laws approach data protection assessments. At first glance, Virginia and Colorado's provisions appear similar; however, definitional differences of key terms result in potentially significant variances. Further, the Colorado Attorney General's office has identified this as a potential topic for rulemaking, which could lead to more differences given that the VCDPA does not authorize such rulemaking. California does not have this concept under the current California Consumer Privacy Act (CCPA) and takes a different approach than Virginia and Colorado in the CPRA. The CPRA charges the California Privacy Protection Agency (CPPA) with issuing regulations on when and how businesses must prepare cybersecurity audits and risk assessments. The CPPA is still drafting those regulations.

Below is a further analysis of this topic.

As a starting point, the concept of requiring controllers to prepare data protection assessments (or data protection impact assessments as they are commonly called in other laws) draws from international privacy laws such as the EU's General Data Protection Regulation (GDPR). GDPR Article 35 requires controllers to prepare data protection impact assessments when a processing activity "is likely to result in a high risk to the rights and freedoms of natural persons." Article 35 requires that the assessment consider a number of factors, including the processing operations, the necessity and proportionality of the processing operations in relation to their purposes, and the risks to the rights and freedoms of data subjects. In 2017, the Article 29 Working Party issued guidelines on preparing assessments, including examples of high-risk processing activities.

With the benefit of that background, we now turn to analyzing how Virginia, Colorado, and California address the issue.

Virginia Consumer Data Protection Act (VCDPA)

Beginning January 1, 2023, controllers subject to the VCDPA will be required to conduct and document data protection assessments for five types of processing activities:

  1. The processing of personal data for purposes of targeted advertising;
  2. The sale of personal data;
  3. The processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of (i) unfair or deceptive treatment of, or unlawful disparate impact on, consumers; (ii) financial, physical, or reputational injury to consumers; (iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or (iv) other substantial injury to consumers;
  4. The processing of sensitive data; and
  5. Any processing activities involving personal data that present a heightened risk of harm to consumers.

Notably, the VCDPA does not define what constitutes a "heightened risk of harm to consumers." The law also does not authorize the Virginia Attorney General's office to promulgate interpretive regulations, thus leaving this catchall as an area of ambiguity.

In preparing assessments, the VCDPA requires controllers to "identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks." In addition, controllers must consider the "use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed."

Somewhat hidden in the statute is the requirement that assessments also must consider the controller's responsibilities as set forth in § 59.1-578. Specifically, subsection C of § 59.1-580 allows the Attorney General to request data protection assessments if relevant to an investigation and "evaluate [them] for compliance with the responsibilities set forth in § 59.1-578." Among other things, § 59.1-578 requires controllers to limit their data collection to what is "adequate, relevant and necessary," implement proper security procedures to protect personal data, obtain consumer consent for processing sensitive data, and provide privacy notices to consumers.

Importantly, the disclosure of a data protection assessment pursuant to an Attorney General request does not "constitute a waiver of attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment." The takeaway from this provision is that assessments can be conducted under attorney-client privilege without that privilege being lost when the assessment is produced to the Attorney General.

Finally, the law allows a single assessment to address a comparable set of processing operations that include similar activities, and it allows controllers to use assessments completed to comply with other laws so long as those assessments have the same scope and effect as the VCDPA requires.

Colorado Privacy Act (CPA)

Colorado's data protection assessment requirement is similar to Virginia's but with some notable differences.

First, the CPA's data protection assessment provision is phrased differently. Specifically, the CPA prohibits "processing that presents a heightened risk of harm to a consumer" unless the controller first conducts and documents a data protection assessment. The CPA defines "processing that presents a heightened risk of harm to a consumer" to include the first four processing activities identified in the VCDPA, with the exception that the CPA does not include profiling that presents a reasonably foreseeable risk of reputational injury. By structuring the law this way, the CPA tries to clarify what constitutes a "heightened risk of harm to a consumer." However, the statute's use of the word "includes" means that there could be other high-risk processing activities that are not specified in the statute.

Second, although both laws require assessments for the processing of sensitive data, they do not have identical definitions of sensitive data. For example, biometric data constitutes sensitive data if used for the purpose of uniquely identifying an individual, but the laws differ in how they define biometric data. We discussed the treatment of biometric data under these laws in a prior article in this series. Further, Colorado's definition of sensitive data includes "sex life" while Virginia's definition does not. Conversely, Virginia includes "precise geolocation data" as a category of sensitive data while Colorado does not. The laws also have different definitions of "sale." We will more fully analyze these differences in future articles in this series.

The scope of factors that need to be included in an assessment may also be broader in Colorado. As noted, the VCDPA states that the Attorney General can "evaluate the data protection assessment for compliance with the responsibilities set forth in § 59.1-578." Colorado's language is broader, authorizing the Attorney General to "evaluate the data protection assessment for compliance with the duties contained in section 6-1-1308 and with other laws, including this article 1 [i.e., the entire CPA]." (Emphasis added). Notably, the CPA similarly provides for attorney-client privilege and work product protection to be maintained in the event an assessment is disclosed to the Attorney General.

Additionally, the CPA does not state (as does the VCDPA) that assessments conducted by a controller for the purpose of compliance with other laws or regulations may satisfy the CPA's requirements if the assessments have a reasonably comparable scope and effect. It is unclear how much this omission will impact controllers as, presumably, an assessment conducted for the same processing activity for VCDPA (or even GDPR) compliance should be sufficient if it incorporates all CPA requirements.

Finally, contrary to the VCDPA, the CPA authorizes the Colorado Attorney General's office to engage in permissive rulemaking. Colorado Attorney General Phil Weiser recently stated that "data protection assessment procedures is [an] area where we might well want to provide guidance." Such rulemaking could lead to more differences between the two laws.

California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

The CCPA does not contain a data protection assessment requirement. The CPRA introduces this concept but charges the California Privacy Protection Agency (CPPA) to develop it through the rulemaking process. Specifically, the CPPA is charged with issuing regulations requiring businesses whose processing of personal information presents significant risk to consumers' privacy or security to perform an annual cybersecurity audit that is "thorough and independent" and to submit a risk assessment to the CPPA on a regular basis.

The CPRA does not define what constitutes a "significant risk to consumers' privacy or security" leaving that to the rulemaking process. However, the CPRA does state that factors to be considered when making this determination "shall include the size and complexity of the business and the nature and scope of processing activities."

The risk assessment must identify "whether the processing involves sensitive personal information" and identify and weigh "the benefits resulting from the processing to the business, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with that processing, with the goal of restricting or prohibiting the processing if the risks to privacy of the consumer outweigh the benefits resulting from processing to the consumer, the business, other stakeholders, and the public."

Given that the CPRA rulemaking process is ongoing with no draft rules to date, it is difficult to anticipate how the cybersecurity audit and risk assessment requirements will eventually look. In September 2021, the CPPA published an Invitation for Preliminary Comments on proposed rulemaking under the CPRA. The Agency solicited and received written comments on the following topics related to this issue:

  1. When a business's processing of personal information presents a "significant risk to consumers' privacy or security."
  2. What businesses that perform annual cybersecurity audits should be required to do, including what they should cover in their audits and what processes are needed to ensure that audits are "thorough and independent."
  3. What businesses that submit risk assessments to the Agency should be required to do, including what they should cover in their risk assessments, how often they should submit risk assessments, and how they should weigh the risks and benefits of processing consumers' personal information and sensitive personal information.
  4. When "the risks to the privacy of the consumer [would] outweigh the benefits" of businesses' processing consumer information, and when processing that presents a significant risk to consumers' privacy or security should be restricted or prohibited.

Public comments are available on the CPPA's website.

Consequences of the Variations

The differences between these laws will complicate compliance for entities subject to more than one of them. For example, because of the different definitions between the laws, it is possible that a processing activity could require an assessment in Colorado but not in Virginia (or vice versa). California remains an unknown given the pending CPRA rulemaking process. Similarly, the Colorado Attorney General may engage in rulemaking on this topic, which could widen the gap between the Colorado and Virginia requirements.

Ultimately, any compliance effort must begin with understanding the processing activities an entity engages in and then determining whether those activities trigger an assessment requirement. In preparing the assessments, entities will need to focus on the specific statutory requirements and should consider incorporating best practices learned from performing these assessments to comply with international privacy laws. Consideration should also be given to conducting assessments under attorney-client privilege.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.