Date: 2021-12-20

Virginia Consumer Data Protection Act (VCDPA), in force Jan 1, 2023

"Heightened risk of harm"

VCDPA requires controllers [1] to prepare DPIAs for any activities that present a "heightened risk of harm" to consumers.

Definition

"Heightened risk of harm" is not defined; however, DPIAs are specifically mandated for:

Targeted advertising;

Sales of personal data;

Processing personal data for profiling which creates certain risks for consumers (including unfair or deceptive treatment; unlawful disparate treatment; financial, physical, or reputational injury; and other risks); and

Processing sensitive data. [2]

Benefits v risks

The DPIA must "identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks." [3]

Conducting and documenting the DPIA

In conducting and documenting the DPIA, controllers must consider:

"[t]he use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed." [4]