
DATA PROTECTION IMPACT ASSESSMENT (DPIA)

(State overlay: VA)

1. Project Overview

  • Project name/ID: [name]; owner: [business owner]; sponsor: [executive].
  • Purpose and objectives: [describe].
  • Timeline and launch date: [dates].

2. Scope of Processing

  • Data subjects: [customers/employees/vendors/end users].
  • Personal data categories: [contact, IDs, financial, location, biometric, health, minors].
  • Sensitive data (VCDPA definition per Va. Code § 59.1-571): Check all that apply: (1) Personal data revealing racial or ethnic origin; (2) Religious beliefs; (3) Mental or physical health diagnosis; (4) Sexual orientation; (5) Citizenship or immigration status; (6) Genetic or biometric data processed for purpose of uniquely identifying a natural person; (7) Personal data collected from a known child (under 13 years of age); (8) Precise geolocation data. Affirmative opt-in consent required before processing sensitive data.
  • Volume and retention: [records/year], [retention schedule and deletion triggers per business purpose].
  • Processing activities: [collection, storage, analysis, sharing, sale status]. VCDPA definitions: "Sale" = exchange of personal data for monetary consideration (narrower than CA/CO/CT, which also include "other valuable consideration"); "Targeted advertising" = displaying to a consumer an advertisement selected based on personal data obtained from the consumer's activities over time and across nonaffiliated websites/applications; "Profiling" = automated processing of personal data to evaluate, analyze, or predict personal aspects concerning a consumer.

3. Legal Basis, Notices, and Rights

  • Primary state privacy law(s): Virginia Consumer Data Protection Act (VCDPA), Va. Code § 59.1-571 et seq., effective January 1, 2023; 2025 amendments regarding social media platforms and minors effective January 1, 2026.
  • Applicability thresholds: Entity conducting business in Virginia or targeting Virginia residents that, during preceding calendar year: (1) Controlled or processed personal data of at least 100,000 Virginia consumers; OR (2) Controlled or processed personal data of at least 25,000 Virginia consumers AND derived over 50% of gross revenue from sale of personal data. No minimum revenue threshold. Consumer definition: Virginia residents acting in individual or household context (not commercial or employment context).
  • Entity type exemptions: GLBA-covered financial institutions, HIPAA-covered entities/business associates (for protected health information), nonprofit organizations, higher education institutions, certain state/tribal entities, air carriers regulated under Title 49 U.S.C.
  • Consumer rights covered: (1) Right to access personal data; (2) Right to correct inaccuracies in personal data; (3) Right to delete personal data; (4) Right to data portability (portable and readily usable format); (5) Right to opt out of sale of personal data, targeted advertising, and profiling in furtherance of decisions producing legal or similarly significant effects. Response timeline: 45 days (with one 45-day extension if reasonably necessary and consumer is notified). Authentication: Reasonable efforts to verify consumer identity and request authenticity.
  • Consent/opt-out mechanics required for sensitive data, minors, targeted ads, sale/sharing: (1) Affirmative consent (opt-in) required before processing sensitive data (consent must be freely given, specific, informed, unambiguous indication of consumer's wishes); (2) Opt-out required for sale, targeted advertising, and profiling for decisions with legal/similarly significant effects; (3) Personal data of known children (under 13) is sensitive data requiring consent.
  • Notice/labeling requirements: Privacy notice must be reasonably accessible, clear, and meaningful, disclosing: categories of personal data processed, purposes, how consumers may exercise rights, categories of personal data shared with third parties, categories of third parties, how to opt out of sale/targeted advertising/profiling. Notice must be available to consumers in manner that draws attention to collection of sensitive data.
  • Contracts with processors/service providers: Data processing agreement required per Va. Code § 59.1-577. Must include: processing instructions, nature and purpose of processing, type of data, duration, controller and processor rights and obligations, requirement that processor deletes or returns data at controller's direction, assistance with consumer rights requests, and requirement that processor makes available information necessary to demonstrate compliance.

4. Data Flow and Transfers

  • Source systems: [list]; storage/hosting locations: [cloud region/data centers].
  • Cross-border transfers: [EU/UK/other]; transfer tool: [SCCs/IDTA/CBPR if applicable].
  • Recipients/vendors: [processors/subprocessors/controllers]; due diligence status and DPAs in place.
  • Access controls: RBAC groups, least privilege, joiner/mover/leaver process.

5. Security and Controls

  • Technical controls: Encryption in transit/at rest [specify algorithms/key lengths], key management [HSM/KMS], network segmentation, endpoint protections [EDR/AV], logging/monitoring [SIEM], DLP, backups [frequency/retention/testing], vulnerability management [scanning cadence/remediation SLAs].
  • Organizational controls: Written information security policies, annual training cadence [VCDPA-specific awareness], vendor due diligence [security questionnaires/assessments], incident response playbook [tested annually], change management, privacy-by-design reviews.
  • Authentication/authorization: [MFA method: TOTP/FIDO2/SMS]; [SSO/SAML provider]; session timeouts [specify]; privileged access reviews [quarterly/semi-annual].
  • Reasonable security: Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to volume and nature of personal data processed.

6. Risks and Impact Assessment

  • Risks/threats: [unauthorized access, data minimization failure, purpose creep, profiling risk, transfer risk, children/minors risk, unfair treatment, financial/physical/reputational injury, intrusion on private affairs].
  • Likelihood: [low/medium/high]; Impact: [low/medium/high]; Risk rating matrix: [insert].
  • Profiling-specific risks per Va. Code § 59.1-578: Check all that apply: (1) Unfair or deceptive treatment of consumer or unlawful disparate impact on consumer; (2) Financial, physical, or reputational injury to consumer; (3) Physical or other intrusion upon solitude or seclusion or private affairs or concerns of consumer that would be offensive to reasonable person; (4) Other substantial injury to consumer.

7. Mitigations and Residual Risk

  • Planned mitigations: [controls, timelines, owners].
  • Testing/validation: [pen test, DPIA/ROPA updates, privacy-by-design checklist].
  • Residual risk after mitigations: [rating]; decision: [accept/mitigate further/block].

8. Incident Response and Breach Notification

  • Breach notification statute: Va. Code § 18.2-186.6 (Breach of personal information notification) and Va. Code § 32.1-127.1:05 (for medical information).
  • Timeline: Notice to affected Virginia residents required without unreasonable delay after determining that a breach occurred and that it causes, or is reasonably believed to have caused or will cause, identity theft or other fraud. Notice to Virginia Attorney General required concurrently.
  • Notification triggers: Unauthorized access and acquisition of unencrypted or unredacted personal information. Personal information = Virginia resident's first name or first initial and last name in combination with one or more of: (a) SSN; (b) Driver's license/state ID number issued by Virginia DMV or similar agency of another state; (c) Financial account/credit/debit card number with security code/access code/password/PIN permitting account access; (d) Medical information; (e) Health insurance information.
  • Encryption safe harbor: Notice not required if personal information accessed was encrypted or redacted and encryption key or redaction method was not accessed and is not reasonably believed to have been accessed.
  • Regulator/AG notice: Notice to Virginia Attorney General required concurrently with resident notification. If more than 1,000 persons are notified at one time, must notify all consumer reporting agencies that compile files on consumers on a nationwide basis without unreasonable delay.
  • Content requirements: Notice must include to extent possible: description of incident, type of information subject to unauthorized access/acquisition, actions taken to protect from further unauthorized access, contact information for credit reporting agencies (if applicable), advice to remain vigilant by reviewing account statements and monitoring credit reports.
  • Permitted delays: Notice may be reasonably delayed to determine scope of breach and restore integrity of systems. Notice may be delayed if law enforcement determines it will impede investigation or jeopardize national/homeland security.
  • Third-party service providers: Person maintaining computerized data on behalf of another must notify data owner without unreasonable delay following discovery of breach.
  • Penalties: Virginia AG may impose civil penalty not to exceed $150,000 per breach or series of breaches of similar nature discovered in single investigation.
  • Coordination with other states/GLBA/HIPAA requirements if multi-state: [Coordinate breach notification obligations; GLBA and HIPAA have separate timelines and requirements].

9. State Overlay Checklist (VA)

  • Applicability thresholds and exemptions: 100,000+ Virginia consumers OR 25,000+ consumers + >50% revenue from sale. No revenue minimum. Consumers = VA residents in individual/household context (not commercial/employment). Exemptions: GLBA financial institutions, HIPAA covered entities (for PHI), nonprofits, higher education, state/tribal entities, air carriers under 49 U.S.C.
  • Sensitive data definition and consent/opt-out requirements: 8 categories of sensitive data (see Section 2 above): racial/ethnic origin, religious beliefs, health diagnosis, sexual orientation, citizenship/immigration, genetic/biometric data, child data (under 13), precise geolocation. Affirmative opt-in consent required (freely given, specific, informed, unambiguous). Notice must draw attention to sensitive data collection.
  • Consumer rights and response timelines/appeals: Access, correct, delete, portability, opt-out of sale/targeted ads/profiling. Response: 45 days + one 45-day extension (with notice). Appeals: Consumer may appeal denial within reasonable period as specified in controller's notice; controller must respond to appeal within 60 days; must inform consumer of right to contact Attorney General to submit complaint.
  • Opt-out of sale/targeted advertising/profiling requirements: Must provide clear and conspicuous means of opting out. Profiling opt-out required for profiling in furtherance of decisions producing legal or similarly significant effects. Controllers must respond to opt-out requests as soon as feasible but no later than 15 business days.
  • Processor/service provider contract requirements (flow-downs, audit rights, deletion/return): Data processing agreement required per Va. Code § 59.1-577. Must include: processing instructions, nature/purpose, data type, duration, controller/processor obligations, deletion/return requirements, consumer rights assistance, processor's obligation to make available information demonstrating compliance.
  • Data Protection Assessment / Risk Assessment triggers: Required for processing activities that present heightened risk of harm to consumers: (1) Processing sensitive data; (2) Sale of personal data; (3) Targeted advertising; (4) Profiling if reasonably foreseeable risk of: (a) unfair/deceptive treatment or unlawful disparate impact, (b) financial/physical/reputational injury, (c) intrusion upon solitude or private affairs offensive to reasonable person, or (d) other substantial injury. Attorney General may request DPA via civil investigative demand and may evaluate for compliance with Va. Code § 59.1-578.
  • Security measures expectations (reasonable security; specific mandates if any): Va. Code § 59.1-578 requires controllers to establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to volume and nature of personal data processed. Assessments should document security controls.
  • Breach notice timeline and content requirements: Without unreasonable delay to residents and AG concurrently. Content: incident description, PI types accessed/acquired, protective actions taken, credit agency contacts (if applicable), advice to remain vigilant. Notify credit agencies if 1,000+ persons affected. Penalties up to $150,000 per breach/series.
  • Children/minors rules (e.g., COPPA; state-specific if any): Personal data of known children under 13 is sensitive data requiring affirmative consent. Effective January 1, 2026: Controllers/processors operating social media platforms must use commercially reasonable methods to determine if user is minor (under 16) and limit minor's use to 1 hour per day per service/application. Social media amendments include restrictions on infinite scroll and video auto-play for minors.
  • Non-discrimination/retaliation prohibitions under state law: Va. Code § 59.1-576. Controller may not process personal data in violation of state/federal anti-discrimination laws. Controller may not discriminate against consumer for exercising VCDPA rights, including denying goods/services, charging different prices, or providing different level/quality. Bona fide loyalty/rewards/premium features programs permitted with reasonable relationship to value provided by consumer's data.
  • Recordkeeping: ROPA/DPIA retention and appeal tracking: Maintain data protection assessments and make available to Attorney General upon civil investigative demand. Maintain documentation of consumer request responses and appeal determinations. Track opt-out requests and response times. Document compliance with 30-day cure period (permanent; does not sunset). Attorney General has exclusive enforcement authority; violations subject to up to $7,500 per violation.

10. Approvals and Accountability

  • Privacy lead/DPO review: [name/date].
  • Security review: [name/date].
  • Legal review (state law overlay): [name/date].
  • Business owner certification: [name/date].
  • Executive approver: [name/title/date].

11. Attachments

  • Data flow diagrams/architecture.
  • Records of processing activities entry.
  • Vendor list and DPAs/SCCs.
  • Data protection assessments (for sensitive data, sales, targeted advertising, profiling).
  • Testing summaries and pen test reports (if applicable).
  • State-specific notices/links and breach templates.