Data Privacy Impact Assessments Under US State Laws: Complete 2026 Guide
What Is a Data Privacy Impact Assessment?
A data privacy impact assessment (DPIA) — also called a data protection assessment (DPA) or privacy impact assessment (PIA) — is a systematic evaluation of how a specific data processing activity affects consumer privacy. It identifies risks, evaluates whether the processing is necessary and proportionate, and documents the safeguards you have in place.
Under at least 15 US state privacy laws, businesses must conduct DPIAs before engaging in certain high-risk processing activities. Unlike GDPR DPIAs (which have been required in Europe since 2018), US state DPIAs are a newer requirement and each state has its own nuances. This guide covers what you need to know for 2026 compliance.
Which States Require DPIAs?
The following states require data protection assessments as part of their comprehensive privacy laws. Use our state comparison tool to see detailed differences, or check each state's dedicated guide:
| State | Law | DPIA Required? | Key Notes |
|---|---|---|---|
| California | CCPA/CPRA | Yes — "Risk Assessments" | Most detailed requirements; must be submitted to the CPPA upon request. Covers cybersecurity audits too. |
| Colorado | CPA | Yes | Required before processing that presents heightened risk to consumers. AG can request copies. |
| Connecticut | CTDPA | Yes | Required for targeted advertising, sale of data, profiling, sensitive data, and children's data processing. |
| Virginia | VCDPA | Yes | The model for most state DPIA frameworks. AG can request assessments during investigations. |
| Indiana | ICDPA | Yes | Follows the Virginia framework. Effective January 1, 2026. |
| Kentucky | KCDPA | Yes | Follows the Virginia framework. Effective January 1, 2026. |
| Rhode Island | RIDPA | Yes | Effective January 1, 2026. AG can request assessments. |
| Oregon | OCPA | Yes | Applies to nonprofits too. Required for high-risk processing including sensitive data. |
| Montana | MCDPA | Yes | Expanded by SB 297 — lower thresholds mean more businesses must conduct DPIAs. |
| Maryland | MODPA | Yes | One of the strictest — data minimization + DPIA. Enforcement begins April 1, 2026. |
| Delaware | DPDPA | Yes | Required for profiling, targeted advertising, sale of data, sensitive data. |
| Nebraska | NDPA | Yes | Follows Virginia framework. Applies to all businesses with no revenue threshold. |
| New Hampshire | NHPA | Yes | Required before processing sensitive data or engaging in targeted advertising. |
| Tennessee | TIPA | Yes | Required but has a more business-friendly 60-day cure period. |
| Iowa | ICDPA | No | Iowa does NOT require DPIAs — one of the few state laws that omits this requirement. |
| Utah | UCPA | No | Utah does NOT require DPIAs — the most business-friendly state privacy law. |
What Triggers a DPIA Requirement?
While the specific triggers vary by state, most state laws require a DPIA before engaging in any of the following processing activities:
- Targeted advertising — using personal data to display ads based on consumer behavior, interests, or demographics
- Sale of personal data — exchanging personal data for monetary or valuable consideration
- Profiling — automated processing that produces legal or similarly significant effects on consumers (e.g., credit decisions, employment screening, insurance pricing)
- Processing sensitive data — handling data categories like racial/ethnic origin, religious beliefs, health data, biometric identifiers, precise geolocation, or sexual orientation
- Processing children's data — collecting or using personal information from known minors
Not sure which laws apply to you? Use our Privacy Law Calculator to check your obligations across all 20+ state privacy laws.
How to Conduct a Data Privacy Impact Assessment: Step-by-Step
Step 1: Identify the Processing Activity
Clearly describe the specific data processing activity you are assessing. Be precise — a DPIA should cover a particular processing operation, not your entire business. For example: "Using customer purchase history and browsing behavior to serve personalized product recommendations via targeted advertising."
Step 2: Document the Data Flow
Map how personal information moves through the processing activity:
- What categories of personal data are collected?
- From whom? (consumers, employees, third parties)
- How is it collected? (directly, via cookies, from data brokers)
- Where is it stored? (cloud, on-premises, third-party processors)
- Who has access? (internal teams, vendors, partners)
- How long is it retained?
- How is it eventually deleted?
Step 3: Assess Necessity and Proportionality
Evaluate whether the processing is necessary for your stated purpose and proportionate to the privacy risks. Ask:
- Can you achieve the same business goal with less data or less invasive processing?
- Is the volume and sensitivity of data proportionate to the benefit?
- Have you considered data minimization? (Especially important under Maryland's MODPA, which has strict data minimization requirements.)
Step 4: Identify and Assess Privacy Risks
Consider the risks to consumers from the processing activity:
- Unauthorized access — data breaches, insider threats
- Discrimination — profiling that produces unfair outcomes
- Loss of autonomy — consumers unaware their data is being used for decisions affecting them
- Financial harm — identity theft, fraud
- Reputational harm — exposure of sensitive information
- Chilling effects — surveillance that discourages free expression or association
Step 5: Document Safeguards and Mitigations
For each identified risk, document the technical, organizational, and legal safeguards you have in place:
- Encryption and access controls
- Data minimization practices
- Anonymization or pseudonymization
- Consumer rights mechanisms (opt-out, deletion)
- Vendor agreements and data processing contracts
- Employee training and access policies
- Incident response procedures
Step 6: Make a Determination
Conclude whether the benefits of the processing outweigh the risks to consumers, considering the safeguards in place. If the risks outweigh the benefits, you should modify or abandon the processing activity.
Step 7: Document and Retain
Keep the completed DPIA on file. Under most state laws, the attorney general can request your assessment during an investigation. California's CPPA may require you to submit assessments proactively. Retain DPIAs for at least three years (or as long as the processing continues).
California vs. Virginia Framework: Key Differences
Most state DPIA requirements follow one of two models:
- California (CCPA/CPRA) — calls them "risk assessments," requires submission to the CPPA, includes cybersecurity audit requirements, and applies to large-scale processing of sensitive personal information. The CPPA has proposed detailed regulations specifying format and content requirements. See our CCPA compliance guide for more.
- Virginia (VCDPA) — requires assessments for specific activities (targeted advertising, sale, profiling, sensitive data, children's data), must weigh benefits to the controller/consumer against risks. Most other states (Colorado, Connecticut, Indiana, Kentucky, etc.) adopted this framework with minor variations.
Common Mistakes to Avoid
- One-size-fits-all assessments — each processing activity needs its own DPIA. A single document covering "all marketing activities" is not sufficient.
- Treating DPIAs as one-time exercises — reassess when processing changes, new data categories are added, or new state laws take effect.
- Ignoring vendor risks — your DPIA must consider risks from third-party processors, not just your own practices.
- Failing to document the balancing test — state AGs want to see that you actually weighed benefits against risks, not just listed safeguards.
- Not involving the right stakeholders — DPIAs should involve legal, IT/security, product, and business teams, not just the privacy officer.
Frequently Asked Questions
Are US state DPIAs the same as GDPR DPIAs?
Similar in concept but different in execution. GDPR DPIAs (Article 35) must be conducted before processing and may need to be shared with the Data Protection Authority. US state DPIAs are generally kept internal unless requested by the state attorney general. The core elements — risk identification, necessity assessment, safeguards documentation — overlap significantly.
Do I need separate DPIAs for each state law?
Not necessarily. If your DPIA addresses the most comprehensive requirements (typically California's or Maryland's), it should satisfy other states' requirements as well. However, ensure your assessment covers all the triggers specified in each applicable state law. Use our state comparison tool to identify differences.
Can the attorney general demand to see my DPIA?
Yes. In most states, the AG can request your data protection assessments as part of an investigation or enforcement action. In California, the CPPA may require proactive submission. DPIAs are generally protected by attorney-client privilege if prepared with legal counsel involvement, but this varies by jurisdiction.
What happens if I don't conduct required DPIAs?
Failure to conduct required DPIAs can be treated as a violation of the state privacy law. Penalties vary by state — from $7,500 per violation in California to $10,000-$25,000 per violation in Maryland. Beyond penalties, the lack of a DPIA can weaken your legal position if a data breach occurs or a consumer complaint is filed. See our penalties guide for details.
How often should I update my DPIAs?
Review and update your DPIAs whenever there is a material change to the processing activity, when new data categories are added, when you onboard new vendors, or when new state privacy laws take effect that may change your obligations. At a minimum, review all DPIAs annually.
This article provides general educational information and is not legal advice. Consult qualified legal counsel for guidance specific to your organization. Last updated: March 29, 2026.
Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.