UNIVERSAL DATA PROTECTION IMPACT ASSESSMENT (DPIA)

Multi-Jurisdiction Compliance Framework

COVER PAGE

Applicable Jurisdictions

Identify all jurisdictions whose privacy laws apply to this processing activity:

US State Comprehensive Privacy Laws (Check all that apply):

☐ California (CCPA/CPRA) — effective January 1, 2020/2023
☐ Virginia (VCDPA) — effective January 1, 2023
☐ Colorado (CPA) — effective July 1, 2023
☐ Connecticut (CTDPA) — effective July 1, 2023
☐ Utah (UCPA) — effective December 31, 2023
☐ Iowa (ICDPA) — effective January 1, 2025
☐ Delaware (DPDPA) — effective January 1, 2025
☐ Nebraska (NDPA) — effective January 1, 2025
☐ New Hampshire (NHPA) — effective January 1, 2025
☐ New Jersey (NJDPA) — effective January 15, 2025
☐ Tennessee (TIPA) — effective July 1, 2025
☐ Minnesota (MCDPA) — effective July 31, 2025
☐ Maryland (MODPA) — effective October 1, 2025
☐ Indiana (INCDPA) — effective January 1, 2026
☐ Kentucky (KCDPA) — effective January 1, 2026
☐ Rhode Island (RIDTPPA) — effective January 1, 2026
☐ Texas (TDPSA) — effective July 1, 2024
☐ Oregon (OCPA) — effective July 1, 2024
☐ Montana (MCDPA) — effective October 1, 2024

International Laws:
☐ EU GDPR (Regulation (EU) 2016/679)
☐ UK GDPR (UK Data Protection Act 2018)
☐ Canada (PIPEDA / Provincial Laws)
☐ Other: [________________________________]

Federal Sector-Specific Laws:
☐ HIPAA (Health Insurance Portability and Accountability Act)
☐ GLBA (Gramm-Leach-Bliley Act)
☐ FERPA (Family Educational Rights and Privacy Act)
☐ COPPA (Children's Online Privacy Protection Act)
☐ FCRA (Fair Credit Reporting Act)
☐ Other: [________________________________]

Document Classification

☐ Confidential — Attorney-Client Privileged
☐ Confidential — Internal Use Only
☐ Restricted Distribution
☐ Other: [________________________________]

Privilege Note: Most state privacy laws provide that data protection assessments disclosed to the Attorney General during investigation are confidential and do not waive attorney-client privilege or work-product protections. Consult counsel for jurisdiction-specific protections.

EXECUTIVE SUMMARY

Overview of Processing Activity

[________________________________]

Provide a concise description of the data processing activity, its business purpose, scope, categories of consumers affected, and the nature of personal data involved.

Overall Risk Level

☐ Low Risk — Processing presents minimal risk across all applicable jurisdictions
☐ Moderate Risk — Processing presents some risk requiring standard mitigation
☐ High Risk — Processing presents heightened risk requiring enhanced safeguards
☐ Critical Risk — Processing presents severe risk; recommend cessation or redesign

Summary of Key Findings

[________________________________]

Recommendation

☐ Approve processing as described with current safeguards
☐ Approve subject to implementation of recommended mitigations
☐ Defer approval pending further analysis
☐ Do not approve — risks outweigh benefits

Multi-State DPIA Trigger Matrix

SECTION 1: PROCESSING ACTIVITY DESCRIPTION

1.1 Nature of Processing

1.2 Whose Data Is Processed?

☐ Consumers / residents (specify states): [________________________________]
☐ Employees / job applicants
☐ Customers / clients
☐ Website visitors / app users
☐ Vendors / contractors
☐ Minors (under 13)
☐ Minors (13-17)
☐ EU/EEA data subjects
☐ Other: [________________________________]

Estimated data subjects per jurisdiction:

1.3 Purpose of Processing

1.4 How Is Data Processed?

☐ Collection (direct from consumer)
☐ Collection (from third-party sources)
☐ Storage (electronic / physical)
☐ Analysis / profiling
☐ Automated decision-making
☐ Targeted advertising
☐ Sale to third parties
☐ Sharing with service providers
☐ Cross-border transfer (international)
☐ Interstate transfer
☐ Deletion / destruction
☐ Other: [________________________________]

1.5 Retention and Deletion

1.6 Data Storage

SECTION 2: LEGAL BASIS AND NECESSITY

2.1 Multi-Jurisdiction Lawful Basis Matrix

2.2 Purpose Limitation

• Processing limited to disclosed purposes? ☐ Yes ☐ No
• Secondary uses disclosed? ☐ Yes ☐ No ☐ N/A
• Compatible with original collection context? ☐ Yes ☐ No

2.3 Data Minimization

• Minimum necessary data collected? ☐ Yes ☐ No
• De-identified data possible? ☐ Yes ☐ No
• Aggregated data possible? ☐ Yes ☐ No
• Formal minimization review conducted? ☐ Yes ☐ No

2.4 Multi-State Applicability Thresholds

SECTION 3: DATA INVENTORY

3.1 Categories of Personal Data

3.2 Sensitive Data — Multi-State Comparison

Key Differences:
- NH uniquely includes "sex life" as a separate sensitive category and defines precise geolocation as within 1,750 feet
- CA treats data of children 13-15 as requiring opt-in for sale/sharing
- RI requires explicit consent with a mandatory 15-day suspension upon consent revocation
- CO requires universal opt-out mechanism recognition

3.3 Data Sources, Recipients, and Transfers

SECTION 4: STAKEHOLDER CONSULTATION

4.1 Data Subject Consultation

4.2 DPO / Privacy Lead Input

4.3 Business and Legal Stakeholder Input

SECTION 5: NECESSITY AND PROPORTIONALITY

5.1 Necessity Assessment

☐ Yes — processing is essential
☐ Partially — some elements could be reduced
☐ No — less intrusive alternatives exist

Explanation: [________________________________]

5.2 Less Intrusive Alternatives

5.3 Benefits vs. Risks

Benefits to Controller: [________________________________]
Benefits to Consumer: [________________________________]
Benefits to Public: [________________________________]
Risks to Consumer Rights: [________________________________]
Safeguards: [________________________________]

SECTION 6: RISK ASSESSMENT

6.1 Risk Matrix

6.2 Risk Register

6.3 Overall Risk Rating

☐ Low ☐ Moderate ☐ High ☐ Critical

SECTION 7: RISK MITIGATION MEASURES

7.1 Technical Measures

7.2 Organizational Measures

7.3 Contractual Measures

7.4 Residual Risk

SECTION 8: MULTI-STATE COMPLIANCE CHECKLIST

8.1 Consumer Rights Compliance Matrix

8.2 Response Timelines

8.3 Cure Period Comparison

8.4 Breach Notification Requirements Comparison

8.5 Universal Opt-Out Mechanism Requirements

SECTION 9: THIRD-PARTY AND VENDOR ASSESSMENT

9.1 Sub-Processors

9.2 Vendor Security Assessment

☐ SOC 2 Type II or equivalent
☐ Encryption standards verified
☐ Access controls reviewed
☐ Incident response confirmed
☐ Deletion / return procedures documented
☐ Subprocessor restrictions
☐ Insurance verified
☐ Multi-state breach cooperation clause

SECTION 10: AUTOMATED DECISION-MAKING AND PROFILING

10.1 Profiling Activities

• Involves profiling? ☐ Yes ☐ No

10.2 Automated Decision-Making

• Solely automated decisions with significant effects? ☐ Yes ☐ No
• Decision logic: [________________________________]
• Human review: [________________________________]
• Bias testing: ☐ Yes ☐ No
• Accuracy testing: ☐ Yes ☐ No

CA ADMT Note: California CPRA rulemaking imposes detailed obligations for Automated Decision-Making Technology (ADMT), including consumer access to information about ADMT logic and the right to opt out of certain ADMT decisions.

SECTION 11: CHILDREN'S DATA

11.1 Federal COPPA Compliance

• Data of known children under 13? ☐ Yes ☐ No
• Verifiable parental consent (COPPA)? ☐ Yes ☐ No ☐ N/A
• COPPA-compliant privacy policy? ☐ Yes ☐ No
• Age-gating? ☐ Yes ☐ No

11.2 State-Specific Children's Protections

SECTION 12: MONITORING AND REVIEW

12.1 Review Schedule

12.2 Trigger Events

☐ Material change in processing
☐ New data categories or subjects
☐ New jurisdiction applicability
☐ New sub-processor or data recipient
☐ Security incident or breach
☐ Regulatory inquiry from any state AG
☐ Legislative changes in any applicable state
☐ Consumer complaints
☐ Organizational changes (M&A)
☐ Data volume change (> 25%)
☐ New state cure period expiration

12.3 Version Control

SECTION 13: APPROVAL AND SIGN-OFF

Data Protection Officer

CISO

Legal Counsel

Executive Approver

APPENDIX A: DATA FLOW DIAGRAM

[Data Subject] ---> [Collection Point] ---> [Primary Storage]
|
[Processing System]
|
+---------------+---------------+
| | |
[Analytics] [Third Party] [Backup/DR]
| | |
[Reporting] [Sub-Processor] [Archive]
Replace with actual data flow diagram.

APPENDIX B: RISK MATRIX

APPENDIX C: GLOSSARY

MULTI-STATE COMPLIANCE NOTES

Building a Multi-State DPIA Framework

1. Harmonize to the Highest Standard: Where state requirements conflict, design compliance to the most protective standard to ensure coverage across all applicable jurisdictions.

2. Sensitive Data — Use the Broadest Definition: Aggregate sensitive data categories from all applicable states. New Hampshire's nine categories (including sex life and 1,750-foot geolocation) are among the broadest.

3. Response Timelines — Use the Shortest Deadline: When operating across states, use the shortest applicable response timeline (generally 45 days) and the shortest extension period.

4. Breach Notification — Multi-State Playbook: Maintain a state-by-state breach notification matrix with jurisdiction-specific requirements for timing, AG/regulator notification, CRA notification thresholds, and content requirements.

5. Cure Period Awareness: Track cure period sunset dates and adjust compliance posture accordingly. As of 2026, only Texas and Indiana offer permanent cure periods.

6. Universal Opt-Out Compliance: Implement GPC/universal opt-out recognition where required (CA, CO, CT, TX, MT, NJ). Even where not required, consider implementation as a best practice.

7. DPIA Reuse: Most state laws allow a single DPIA to cover comparable processing operations and permit reuse of DPIAs conducted for other regulatory frameworks (GDPR, etc.) if scope and effect are comparable.

8. Privilege Protections: DPIAs are generally protected from public disclosure and do not waive privilege when disclosed to state AGs during investigations. Maintain privilege assertions on all DPIA documents.

SOURCES AND REFERENCES

1. IAPP, US State Privacy Legislation Tracker — https://iapp.org/resources/article/us-state-privacy-legislation-tracker
2. IAPP, "New Year, New Rules: US State Privacy Requirements Coming Online as 2026 Begins" — https://iapp.org/news/a/new-year-new-rules-us-state-privacy-requirements-coming-online-as-2026-begins
3. Mayer Brown, "2025 Mid-Year Review: US State Comprehensive Data Privacy Law Updates" — https://www.mayerbrown.com/en/insights/publications/2025/09/2025-mid-year-review-us-state-comprehensive-data-privacy-law-updates-part-1
4. Osano, "U.S. Data Privacy Laws: A Guide to the 2026 Landscape" — https://www.osano.com/us-data-privacy-laws
5. MultiState, "All of the Comprehensive Privacy Laws That Take Effect in 2026" — https://www.multistate.us/insider/2026/2/4/all-of-the-comprehensive-privacy-laws-that-take-effect-in-2026
6. Baker Donelson, "Privacy Laws Ring in the New Year: State Requirements Expand in 2026" — https://www.bakerdonelson.com/privacy-laws-ring-in-the-new-year-state-requirements-expand-across-the-us-in-2026
7. Wiley, "Five Privacy Checkpoints to Start 2026" — https://www.wiley.law/alert-Five-Privacy-Checkpoints-to-Start-2026
8. CompliancePoint, "State Privacy Laws Taking Effect in 2026" — https://www.compliancepoint.com/privacy/state-privacy-laws-taking-effect-in-2026/
9. EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, Art. 35
10. Children's Online Privacy Protection Act (COPPA), 15 U.S.C. § 6501 et seq.