DATA PROTECTION IMPACT ASSESSMENT (DPIA)
(State overlay: CA)
1. Project Overview
- Project name/ID: [name]; owner: [business owner]; sponsor: [executive].
- Purpose and objectives: [describe].
- Timeline and launch date: [dates].
2. Scope of Processing
- Data subjects: [customers/employees/vendors/end users].
- Personal data categories: [contact, IDs, financial, location, biometric, health, minors].
- Sensitive personal information (CPRA definition per Cal. Civ. Code § 1798.140(ae)): Check all that apply: (1) Social security, driver's license, state ID, or passport number; (2) Account log-in, financial account, debit/credit card number with access/security code; (3) Precise geolocation (within 1,850 feet); (4) Racial or ethnic origin, religious or philosophical beliefs, union membership; (5) Contents of mail, email, or text messages (unless business is intended recipient); (6) Genetic data; (7) Biometric information processed for uniquely identifying a consumer; (8) Personal information collected and analyzed concerning health; (9) Personal information collected and analyzed concerning sex life or sexual orientation; (10) Citizenship or immigration status; (11) Personal information of a consumer known to be under 16 years of age. Right to limit applies unless exception exists (e.g., fulfilling transaction, detecting security incidents, ensuring product quality/safety, or other enumerated purposes).
- Volume and retention: [records/year], [retention schedule and deletion triggers per business purpose; no retention beyond necessary period].
- Processing activities: [collection, storage, analysis, disclosure; sale/sharing status]. CPRA definitions: "Sale" = disclosing PI to a third party for monetary or other valuable consideration; "Sharing" = disclosing PI to a third party for cross-context behavioral advertising.
3. Legal Basis, Notices, and Rights
- Primary state privacy law(s): California Privacy Rights Act (CPRA), Cal. Civ. Code § 1798.100 et seq., as amended effective January 1, 2023; CPPA regulations effective January 1, 2026.
- Applicability thresholds: Business must meet one or more of: (1) Annual gross revenue exceeding $26,625,000 (adjusted annually); OR (2) Buys, sells, or shares personal information of 100,000+ California consumers or households annually; OR (3) Derives 50%+ of annual revenue from selling or sharing California consumers' personal information.
- Entity type exemptions: GLBA-covered financial institutions, HIPAA-covered entities/business associates for protected health information, certain nonprofit organizations, vehicle information subject to DPPA.
- Consumer rights covered: (1) Right to know what personal information is collected, used, shared, or sold; (2) Right to delete personal information; (3) Right to correct inaccurate personal information; (4) Right to opt-out of sale or sharing of personal information; (5) Right to limit use and disclosure of sensitive personal information; (6) Right to data portability. Response timeline: 45 days (with one 45-day extension if reasonably necessary). Authentication: Reasonable security measures to verify consumer identity.
- Consent/opt-out mechanics required for sensitive data, minors, targeted ads, sale/sharing: (1) Consumers under 16: Opt-in consent required for sale/sharing; (2) Sensitive personal information: Right to limit use to purposes necessary to perform services/provide goods; (3) Opt-out link required for sale/sharing and targeted advertising via "Do Not Sell or Share My Personal Information" link; (4) Limit Sensitive PI button required.
- Notice/labeling requirements: Privacy notice at or before collection including categories of PI collected, purposes, sale/sharing status, retention periods, consumer rights, links to opt-out mechanisms. Universal opt-out signal (browser-based) must be honored.
- Contracts with processors/service providers: Service provider/contractor agreements required with specific flow-down provisions per Cal. Civ. Code § 1798.140(w) and (v): prohibition on selling/sharing/retaining data outside contract, audit rights, compliance certifications.
4. Data Flow and Transfers
- Source systems: [list]; storage/hosting locations: [cloud region/data centers].
- Cross-border transfers: [EU/UK/other]; transfer tool: [SCCs/IDTA/CBPR if applicable].
- Recipients/vendors: [processors/subprocessors/controllers]; due diligence status and DPAs in place.
- Access controls: RBAC groups, least privilege, joiner/mover/leaver process.
5. Security and Controls
- Technical controls: Encryption in transit/at rest [specify algorithms/key lengths], key management [HSM/KMS], network segmentation, endpoint protections [EDR/AV], logging/monitoring [SIEM], DLP, backups [frequency/retention/testing], vulnerability management [scanning cadence/remediation SLAs].
- Organizational controls: Written information security policies, annual training cadence [CPRA-specific awareness], vendor due diligence [security questionnaires/assessments], incident response playbook [tested annually], change management, privacy-by-design reviews.
- Authentication/authorization: Multi-factor authentication required per CPPA 2026 regulations for access to systems containing personal information. [MFA method: TOTP/FIDO2/SMS; note that FIDO2/WebAuthn is phishing-resistant and SMS is the weakest of the three]; [SSO/SAML provider]; session timeouts [specify]; privileged access reviews [quarterly/semi-annual].
- CPPA cybersecurity audit requirement: If business has $25M+ annual revenue and processes PI of 250,000+ consumers presenting significant risk, annual cybersecurity audit required beginning January 1, 2026. Audit must be conducted by qualified independent third party. Retain audit reports and make available to CPPA upon request.
6. Risks and Impact Assessment
- Risks/threats: [unauthorized access, data minimization failure, purpose creep, profiling risk, transfer risk, children/minors risk].
- Likelihood: [low/medium/high]; Impact: [low/medium/high]; Risk rating matrix: [insert].
- POWR/State-specific equal employment or anti-discrimination considerations (if applicable): [insert].
7. Mitigations and Residual Risk
- Planned mitigations: [controls, timelines, owners].
- Testing/validation: [pen test, DPIA/ROPA updates, privacy-by-design checklist].
- Residual risk after mitigations: [rating]; decision: [accept/mitigate further/block].
8. Incident Response and Breach Notification
- Breach notification statute: Cal. Civ. Code § 1798.82 (as amended by SB 446, effective January 1, 2026).
- Timeline: 30 calendar days from discovery of breach to notify affected California residents (replaces prior "most expedient time possible" standard). Exception: Notification may be delayed if law enforcement determines it will impede criminal investigation, or as necessary to determine scope and restore integrity.
- Notification triggers: Unauthorized acquisition of computerized data compromising security, confidentiality, or integrity of personal information (name plus SSN, DL/ID, account number with security code, medical/health insurance information, unique biometric data).
- Encryption safe harbor: Notification not required if personal information was encrypted and encryption key was not acquired or reasonably believed to have been acquired.
- Regulator/AG notice: Notice to California Attorney General required within 15 calendar days of notifying residents if breach affects 500 or more California residents. Substitute notice (if individual notice cost exceeds $250,000 or affects 500,000+ persons): email + conspicuous website posting + notification to major statewide media.
- Content requirements: Notice must include: (1) Name and contact information of reporting entity; (2) List of types of personal information reasonably believed to have been acquired; (3) Date or estimated date of breach; (4) Relevant circumstances; (5) Toll-free numbers and addresses for credit reporting agencies if SSN/DL compromised; (6) Contact info for business.
- Coordination with other states/GLBA/HIPAA requirements if multi-state: [Coordinate breach notification obligations; GLBA and HIPAA have separate timelines and requirements].
9. State Overlay Checklist (CA)
- Applicability thresholds and exemptions: $26,625,000+ annual gross revenue OR 100,000+ consumers/households OR 50%+ revenue from sale/sharing. Exemptions: GLBA financial institutions, HIPAA covered entities (for PHI), nonprofits, vehicle info under DPPA, publicly available information, deidentified/aggregate data.
- Sensitive data definition and consent/opt-out requirements: 11 categories of sensitive PI (see Section 2 above). Consumers have right to limit use/disclosure to necessary purposes. Opt-in consent required for sale/sharing of PI of consumers under 16.
- Consumer rights and response timelines/appeals: Know, delete, correct, portability, opt-out of sale/sharing, limit sensitive PI use. Response: 45 days + one 45-day extension. Appeals: If request denied, business must inform consumer of right to appeal; response to appeal within 45 days.
- Opt-out of sale/targeted advertising/profiling requirements: "Do Not Sell or Share My Personal Information" link required. Must honor universal opt-out signals (e.g., Global Privacy Control). No opt-out required for cross-context behavioral advertising if consumer directed business to intentionally disclose PI.
- Processor/service provider contract requirements (flow-downs, audit rights, deletion/return): Written contract required. Must include: (1) Prohibit retention/use/disclosure outside contract; (2) Prohibit sale/sharing; (3) Require compliance with CPRA; (4) Grant business audit rights; (5) Require subprocessor compliance; (6) Certify understanding and compliance. Cal. Civ. Code §§ 1798.140(v), (w).
- Data Protection Assessment / Risk Assessment triggers: Required for processing that "presents significant risk to consumers' privacy or security." Effective January 1, 2026. Must submit attestation to CPPA by April 1, 2028. Update within 45 days of material changes. Review at least every 3 years. Risk assessment must involve stakeholders across organization and weigh benefits vs. risks.
- Security measures expectations (reasonable security; specific mandates if any): Cal. Civ. Code § 1798.150 (private right of action for certain breaches). CPPA 2026 regulations require: written technical and organizational security controls, multi-factor authentication, access controls, data inventory, vendor management, regular security testing. Cybersecurity audits required for businesses with $25M+ revenue processing 250,000+ consumers presenting significant risk (effective January 1, 2026; first audit deadline varies by business size).
- Breach notice timeline and content requirements: 30 days to notify consumers (effective January 1, 2026); 15 days to notify AG if 500+ residents affected. Content: entity name/contact, PI types affected, breach date, circumstances, credit agency contacts (if SSN/DL affected), business contact info.
- Children/minors rules (e.g., COPPA; state-specific if any): Opt-in consent required for sale/sharing of PI of consumers under 16. If under 13, parent/guardian consent required. Personal information of consumer known to be under 16 is sensitive personal information subject to right to limit.
- Non-discrimination/retaliation prohibitions under state law: Cal. Civ. Code § 1798.125. Business cannot discriminate against consumer for exercising CPRA rights, including denying goods/services, charging different prices/rates, providing different level/quality, or suggesting consumer will receive different price or quality. Financial incentives permitted if not unjust/unreasonable/discriminatory and with opt-in consent after clear disclosure.
- Recordkeeping (ROPA/DPIA retention and appeal tracking): Maintain records of consumer requests and business responses for 24 months. Risk assessments must be made available to CPPA upon request. Track appeals and responses. Document compliance with security audit requirements.
10. Approvals and Accountability
- Privacy lead/DPO review: [name/date].
- Security review: [name/date].
- Legal review (state law overlay): [name/date].
- Business owner certification: [name/date].
- Executive approver: [name/title/date].
11. Attachments
- Data flow diagrams/architecture.
- Records of processing activities entry.
- Vendor list and DPAs/SCCs.
- Legitimate interests assessment or risk assessment (if applicable).
- Testing summaries and pen test reports (if applicable).
- State-specific notices/links and breach templates.