Compliance Guides · March 29, 2026 · 11 min read

How to Conduct a Privacy Impact Assessment: A Step-by-Step PIA Guide for US State Privacy Laws


What Is a Privacy Impact Assessment?

A privacy impact assessment (PIA) — also called a data protection assessment (DPA) or data protection impact assessment (DPIA) — is a structured evaluation of how a specific data processing activity affects the privacy of individuals. Over 15 US state privacy laws now require businesses to conduct these assessments before engaging in processing activities that present a heightened risk to consumers.

Our companion guide covers which states require PIAs and when they’re triggered. This guide focuses on the practical process: how to actually complete a privacy impact assessment from start to finish, with a reusable template you can adapt to any state’s requirements.

When Do You Need a Privacy Impact Assessment?

Most state privacy laws require a PIA when your processing activity falls into one of these categories:

  • Targeted advertising — Processing personal data to serve personalized ads based on consumer behavior, preferences, or demographics.
  • Sale of personal data — Exchanging personal data for monetary or other valuable consideration. Maryland’s MODPA bans this for sensitive data entirely.
  • Profiling with legal effects — Using personal data to make automated decisions that produce legal or similarly significant effects on consumers (credit decisions, employment screening, insurance pricing).
  • Sensitive data processing — Handling categories like racial origin, health information, biometric identifiers, precise geolocation, or children’s data.
  • Specific high-risk activities — Some states add unique triggers. California requires assessments for automated decision-making technology (ADMT). Colorado and Connecticut require them for any processing that presents a heightened risk of harm.

Use our Privacy Law Calculator to determine which state laws apply to your business, then review each law’s PIA requirements.

The 8-Step PIA Process

The following process works across all US state privacy laws that require data protection assessments. Adapt it to your organization’s size and complexity.

Step 1: Define the Processing Activity

Start by clearly describing what you plan to do with personal data. Document the following:

  • What personal data categories will you collect? (Names, emails, browsing history, biometric data, geolocation)
  • Where does the data come from? (Directly from consumers, third-party sources, public records, tracking technologies)
  • What is the specific purpose of processing?
  • Who will have access to the data internally and externally?
  • How long will you retain the data?

Be specific. “We process customer data to improve our services” is not sufficient. Instead: “We collect browsing behavior on product pages to build interest profiles for serving personalized product recommendations and retargeted ads across our ad network partners.”

Step 2: Identify the Legal Basis and Applicable Laws

Determine which state privacy laws apply to this processing activity and what legal basis each law provides. Use our state law comparison tool to see differences across jurisdictions.

Key considerations:

  • Does the processing require consumer consent? (Sensitive data in most states requires opt-in consent)
  • Does the processing fall under an exemption? (Employee data, B2B contacts, publicly available information)
  • Is the processing compatible with the purposes disclosed in your privacy policy?
  • Does Maryland’s data minimization standard affect this activity? MODPA requires that processing be “reasonably necessary and proportionate” to the disclosed purpose.

Step 3: Assess Benefits vs. Privacy Risks

This is the core of every PIA. State laws like Colorado’s CPA and Connecticut’s CTDPA explicitly require you to weigh the benefits of the processing against the potential risks to consumer privacy.

Document the benefits:

  • Benefits to the controller (business value, operational efficiency, revenue)
  • Benefits to the consumer (better user experience, relevant recommendations, fraud prevention)
  • Benefits to the public (safety improvements, research contributions)

Document the risks:

  • Risk of unauthorized access or data breach
  • Risk of discrimination or unfair treatment from profiling
  • Risk of chilling effects on consumer behavior (surveillance concerns)
  • Risk of secondary use beyond the original purpose
  • Risk of re-identification if data is de-identified

Step 4: Evaluate Data Minimization Compliance

Every state privacy law includes some form of data minimization requirement. Ask:

  • Are you collecting only the data categories necessary for the stated purpose?
  • Could you achieve the same purpose with less data or anonymized data?
  • Are your retention periods justified by the processing purpose?
  • Have you implemented data lifecycle policies (collection, use, retention, deletion)?

Maryland’s MODPA sets the strictest standard: processing must be “reasonably necessary and proportionate” to the purpose. If your processing wouldn’t pass Maryland’s test, it likely won’t pass in other states either.

Step 5: Identify and Document Safeguards

List the technical and organizational measures you will implement to mitigate the identified risks:

  • Technical safeguards — Encryption at rest and in transit, access controls, pseudonymization, automated data deletion, audit logging
  • Organizational safeguards — Employee training, data handling policies, incident response procedures, vendor management
  • Consumer controls — Opt-out mechanisms, universal opt-out signal support, data access and deletion request processes
  • Contractual safeguards — Data processing agreements with all third-party recipients

Step 6: Review Third-Party Data Sharing

If the processing involves sharing personal data with third parties, document each recipient and the safeguards in place:

  • Who are the third-party recipients? (Ad networks, analytics providers, service providers, affiliates)
  • Is the sharing a “sale” under applicable state law definitions?
  • Do you have data processing agreements in place with each recipient?
  • Can consumers opt out of this sharing? How?

The Tractor Supply CPPA settlement ($1.35 million) highlighted the consequences of failing to maintain proper contracts with data recipients. The Disney settlement ($2.75 million) demonstrated enforcement for making opt-out too difficult.

Step 7: Document Your Conclusion

Your PIA should conclude with a clear determination:

  • Proceed as planned — Benefits outweigh risks and adequate safeguards are in place
  • Proceed with modifications — Processing can continue but additional safeguards, consent mechanisms, or data minimization measures are required
  • Do not proceed — Risks to consumer privacy outweigh the benefits even with safeguards

Include a summary of the key factors that led to your conclusion. This documentation is what regulators will review if they audit your compliance.

Step 8: Schedule Reassessment

A PIA is not a one-time exercise. Schedule periodic reassessments when:

  • The scope of the processing changes (new data categories, new purposes, new third-party recipients)
  • New state privacy laws take effect that apply to your business
  • A data breach or security incident occurs
  • Consumer complaint patterns suggest issues with the processing
  • At minimum, annually — even if nothing has changed

PIA Template: What Your Assessment Document Should Include

Use this template structure for each privacy impact assessment:

Section — Contents

  • 1. Assessment Overview — Processing activity name, date, assessor name, business unit, applicable state laws
  • 2. Processing Description — Data categories collected, data sources, processing purposes, data recipients, retention periods
  • 3. Legal Basis — Applicable state laws, consent requirements, exemptions claimed, privacy policy disclosures
  • 4. Benefits Analysis — Benefits to controller, consumer, and public from the processing activity
  • 5. Risk Assessment — Privacy risks identified, likelihood and severity ratings, impact on consumer rights
  • 6. Data Minimization Review — Necessity analysis, alternatives considered, retention justification
  • 7. Safeguards — Technical measures, organizational measures, consumer controls, contractual protections
  • 8. Third-Party Sharing — Recipients list, DPA status, opt-out mechanisms, cross-border transfers
  • 9. Conclusion — Proceed / proceed with modifications / do not proceed, with reasoning
  • 10. Review Schedule — Next reassessment date, trigger conditions for early reassessment

State-Specific PIA Requirements: Key Differences

While the core PIA process is similar across states, some have unique requirements:

  • California (CCPA/CPRA) — Requires “risk assessments” submitted to the CPPA for processing that presents significant risk. Includes cybersecurity audit requirements. Regulations finalized in 2025 detail submission procedures.
  • Colorado (CPA) — PIAs must be made available to the AG upon request. Must weigh benefits to the controller, consumer, and public against the risk of harm to the consumer. Colorado also requires assessments for processing that involves automated profiling.
  • Connecticut (CTDPA) — Similar to Colorado. The 2025 amendments (effective July 1, 2026) expand assessment requirements to cover algorithmic discrimination and employment profiling.
  • Maryland (MODPA) — Enforcement began April 1, 2026. Requires assessments for targeted advertising, data sales, profiling, sensitive data processing, and children’s data. The strictest data minimization standard affects every PIA conclusion.
  • Texas (TDPSA) — Requires assessments for the same categories as Colorado. No threshold exemption means virtually any Texas business processing personal data may need to conduct PIAs.
  • Other states — Virginia, Indiana, Iowa, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, and Delaware have similar assessment requirements with minor variations. Use our comparison tool to check specifics.

Common PIA Mistakes to Avoid

  • Being too vague about purposes — “Improving the user experience” is not a specific enough purpose. State regulators expect granular descriptions.
  • Skipping the benefits-vs-risks analysis — The weighing exercise is not optional. Colorado and Connecticut explicitly require it in statute.
  • Conducting PIAs after launch — Assessments should be completed before the processing begins, not retroactively documented to check a compliance box.
  • Failing to update assessments — A PIA from 2024 that hasn’t been reviewed since new state laws took effect in 2025–2026 is a compliance gap.
  • Not involving the right stakeholders — PIAs require input from legal, engineering, product, and security teams. A one-person assessment often misses critical risks.

Frequently Asked Questions

Do I need a privacy impact assessment for every processing activity?

No. PIAs are only required for processing activities that present a heightened risk to consumer privacy. The most common triggers are targeted advertising, sale of personal data, profiling that produces legal or significant effects, and processing sensitive data. Routine data processing for order fulfillment, customer service, or internal operations typically does not require a PIA unless it involves sensitive data categories.

How long does a privacy impact assessment take?

For a straightforward processing activity (like adding a new analytics tool), a PIA can be completed in 2–4 hours. For complex activities involving multiple data categories, third-party sharing, and sensitive data (like launching a personalization engine), expect 2–5 business days including stakeholder interviews and legal review.

Do I have to submit my PIA to state regulators?

Most states do not require proactive submission. Instead, you must make PIAs available to the state Attorney General upon request. California is the exception — CPPA regulations require certain risk assessments to be submitted directly. Keep all PIAs organized and accessible in case of a regulatory inquiry.

Can one PIA cover multiple state laws?

Yes, and this is the recommended approach. Design your PIA template to meet the strictest state’s requirements (currently Maryland for data minimization, Colorado/Connecticut for the benefits-vs-risks weighing). A single comprehensive PIA that satisfies the strictest standard will satisfy all applicable states. Our DPIA requirements guide lists each state’s specific requirements.

What happens if I don’t conduct a required PIA?

Failure to conduct required PIAs is a violation of the applicable state privacy law. Penalties vary by state: California can impose $2,500 per violation (or $7,500 for intentional violations), Maryland up to $10,000 per violation ($25,000 for repeat offenses), and most other states impose similar civil penalty ranges. Beyond fines, the lack of a PIA makes it much harder to defend your data practices in an enforcement action or consumer complaint.

For a complete list of which state laws require PIAs and when they’re triggered, see our Data Privacy Impact Assessments Under US State Laws guide. To check which laws apply to your business, use the Privacy Law Calculator. For generating a compliant privacy policy that reflects your PIA findings, try our policy generator tool.

Last updated: March 29, 2026.

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.