Privacy & Information Security Law Blog

On February 8, 2024, the Centre for Information Policy Leadership at Hunton Andrews Kurth LLP (“CIPL”) published a discussion paper on Comparison of U.S. State Privacy Laws: Data Protection Assessments. The paper analyzes the data protection assessment requirements set forth in an ever-growing number of comprehensive U.S. state privacy laws. The paper represents the first deliverable of CIPL’s ongoing project on U.S. state privacy laws, in which CIPL is collaborating with its member organizations to identify areas of alignment and divergence between state privacy laws. The paper also examines the compliance challenges organizations face as a result of the divergences, and provides recommendations to state law and policymakers who may be considering changes to existing laws or the introduction of new ones.

Key recommendations of the discussion paper include:

• Organizations need consistency in terminology and definitions in order to build cohesive and effective data protection assessment and compliance programs.

• Organizations strive to build comprehensive privacy programs—of which data protection assessments are a fundamental building block—to satisfy important compliance obligations across a number of U.S. states and global jurisdictions, and to ensure consistent protections for their customers. Many organizations use the requirements of the EU General Data Protection Regulation (“GDPR”) as the highest common denominator. But as new state laws introduce additional elements, the need to make a variety of ad hoc amendments to an already comprehensive assessment renders an otherwise streamlined approach inefficient and unworkable.

• Responsible organizations meaningfully engage with a range of internal and external organizations (including auditing companies) to conduct comprehensive data protection assessments, but the form and substance of the engagement varies from organization to organization. Regulators and lawmakers should incentivize meaningful engagement relating to effective risk assessments as a best practice, but not prescribe particular methods or elements.

• It is unnecessary and burdensome in a dynamic regulatory and technological landscape, for organizations to be required to share data protection assessments with regulators or enforcement bodies proactively on a regular basis, in detail or summary form.. Instead, organizations should be required to maintain records of their data protection assessments and be ready to produce them to appropriate authorities upon request in the event of an investigation or other enforcement action.

• To the extent organizations are required to provide regulators with a summary version of a data protection assessment, regulators should provide clear guidance on the elements to include in such summaries to ensure consistency. This will also preempt potential questions about apparent discrepancies or potential claims of misrepresentation relating to a comparison between a full, underlying data protection assessment and the summary of it.

• Existing data protection assessment requirements should be written and/or interpreted to enable organizations to use one assessment to satisfy the requirements in most or all states, and to make them interoperable between jurisdictions, to the extent possible.

For more information about the findings, recommendations and other insights, read the full discussion paper.