Privacy Impact Assessment

Definition

A formal evaluation that businesses must conduct before engaging in certain high-risk data processing activities. Also called a data protection assessment. It analyzes the benefits and risks of the processing activity to consumers and the business, and must weigh whether the processing presents a heightened risk of harm.

Legal Definition

Under the CPA (C.R.S. 6-1-1309): controllers must conduct data protection assessments for processing that presents a heightened risk of harm, including targeted advertising, profiling, sale of personal data, processing of sensitive data, and any processing that presents a reasonably foreseeable risk of unfair treatment, discrimination, or other substantial injury.

Practical Example

A company plans to launch a loyalty program that uses customer purchase data for profiling and targeted advertising. Before launch, it must conduct a privacy impact assessment to evaluate the risks to consumers and determine whether safeguards are adequate.

Frequently Asked Questions

When is a privacy impact assessment required?

Most states require assessments before processing data for targeted advertising, selling personal data, profiling that produces legal effects, processing sensitive data, or any processing that presents a heightened risk of harm. The specific triggers vary by state.