What is a data protection assessment?
A data protection assessment (DPA), the term most state privacy laws use for what the GDPR calls a data protection impact assessment (DPIA), is a documented evaluation of how your business processes personal data and of the risks that processing poses to consumers. Don't confuse it with a data processing agreement, the contract you sign with vendors; both are commonly abbreviated DPA. Most state privacy laws require you to conduct and retain DPAs for certain types of data processing activities.
Think of it as a structured risk analysis: what data are you processing, why, what could go wrong for consumers, and what are you doing to mitigate those risks?
Which states require them?
As of 2026, the following states require data protection assessments:
Required: California, Virginia, Colorado, Connecticut, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Jersey, New Hampshire, Nebraska, Minnesota, Maryland, Kentucky
Not required: Utah, Iowa, Florida, Rhode Island
That's 16 out of 20 states. If you're doing business across multiple states, you almost certainly need DPAs.
When is a DPA required?
State laws generally require a DPA for these processing activities:
Targeted advertising
If you use personal data to serve targeted ads, which includes running Meta/Facebook ads, Google Ads, or any retargeting campaign, you need a DPA for that activity. The pixel events, cookie and device identifiers, and hashed customer emails these platforms ingest are personal data under these laws, even though no name is sent.
This affects nearly every e-commerce business that does online marketing.
Sale of personal data
If you sell personal data to third parties (or share it in ways that constitute a "sale" under state law), you need a DPA.
Remember: sending customer data to advertising platforms is treated as a "sale" under many state laws, and in California as "sharing" for cross-context behavioral advertising, which triggers the same obligations.
Profiling
If you use personal data to profile consumers in ways that produce legal or similarly significant effects — such as determining pricing, credit decisions, or insurance rates — you need a DPA.
For e-commerce, this could include dynamic pricing based on user behavior, personalized offers based on purchase history, or automated fraud screening that results in order rejection.
Sensitive data processing
If you process sensitive personal data, such as precise geolocation, health data, biometric data, data from a known child, or data revealing racial or ethnic origin, religious beliefs, sexual orientation, or citizenship or immigration status, you need a DPA for that processing.
Processing with heightened risk of harm
Several states also require DPAs for any processing that presents a heightened risk of harm to consumers, even if it doesn't fall into the categories above.
What a DPA must include
While exact requirements vary by state, a compliant DPA generally covers:
1. Description of the processing activity
- What personal data is involved
- How it's collected
- What processing occurs
- Who has access to the data
- How long it's retained
2. Purpose and necessity
- The business purpose for the processing
- Why this processing is necessary to achieve that purpose
- Whether the purpose could be achieved with less data or less intrusive means
3. Benefits assessment
- Benefits to your business (revenue, efficiency, fraud prevention)
- Benefits to consumers (personalization, better service, relevant content)
4. Risk assessment
- Risks to consumer privacy
- Risks of unauthorized access or data breach
- Risks of discrimination or unfair treatment
- Risks of inaccurate profiling
- Likelihood and severity of each risk
5. Mitigation measures
- Technical safeguards (encryption, access controls, data minimization)
- Organizational safeguards (training, policies, oversight)
- Consumer protections (opt-out mechanisms, transparency)
6. Balancing test
- Do the benefits outweigh the risks?
- Are the mitigation measures adequate?
- Is this processing justified given the risks?
Practical framework for e-commerce businesses
Here's a step-by-step approach to conducting your DPAs:
Step 1: Inventory your processing activities
List every way you process personal data. For a typical e-commerce business, this includes:
- Order processing and fulfillment
- Account creation and management
- Email marketing
- Targeted advertising (Meta, Google, TikTok, etc.)
- Retargeting and remarketing
- Analytics and site optimization
- Product recommendations
- Fraud detection and prevention
- Customer reviews and feedback
- Loyalty programs
- Abandoned cart recovery
Step 2: Identify which activities require a DPA
From your inventory, flag activities involving:
- Data sharing with advertising platforms (targeted advertising)
- Profiling consumers for decision-making
- Processing sensitive data
- Sharing data with third parties beyond service providers
For most e-commerce businesses, at minimum targeted advertising, retargeting, analytics data shared with third parties, and fraud screening that can reject orders will require DPAs.
Step 3: Conduct the assessment
For each flagged activity, document the six elements described above. Be specific and honest. The assessment isn't useful if it glosses over real risks.
Step 4: Implement mitigation measures
Based on your risk assessment, implement appropriate safeguards:
- Data minimization: Only collect what you actually need
- Purpose limitation: Only use data for the stated purpose
- Access controls: Limit who can access personal data
- Encryption: Encrypt data at rest and in transit
- Opt-out mechanisms: Provide clear, functional opt-out options
- Vendor management: Ensure third parties receiving data have adequate protections and a written contract limiting their use of the data to your stated purposes (every state law requires such a contract with processors)
Step 5: Review and update
DPAs aren't one-and-done. Review them:
- When you change your data processing practices
- When you add new marketing channels or tools
- When new state laws take effect
- At least annually, regardless of changes
Template outline
Here's a practical template structure for each DPA:
Header:
- Assessment title and date
- Processing activity name
- Business unit responsible
- Reviewer name and role
Section 1: Processing Description
- Data categories involved
- Data subjects affected
- Collection methods
- Processing operations
- Third parties involved
- Retention period
Section 2: Purpose and Legal Basis
- Business purpose
- Necessity justification
- Applicable state laws
Section 3: Risk Analysis
- Risk description | Likelihood (Low/Medium/High) | Impact (Low/Medium/High) | Overall Risk Level
- List each identified risk
Section 4: Mitigation Measures
- For each risk: what measures are in place or planned
Section 5: Balancing Conclusion
- Benefits summary
- Residual risk summary
- Conclusion: processing is/is not justified
Section 6: Review Schedule
- Next review date
- Trigger events for earlier review
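The inventory, trigger check, risk rating and review schedule from Steps 1 through 5 above, and the header and Section 3/Section 6 fields of the template, can be kept as a small machine-readable register rather than a spreadsheet. The following Python is an added example, not code from this article or from any BriefStack tooling: the activity tags, the ad-platform names, the 3x3 scoring thresholds and the sample inventory are all assumptions chosen to illustrate the rules described on this page, and should be replaced with your own inventory.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Tag names are assumptions for this example; map them onto your own inventory.
SENSITIVE = {"precise_geolocation", "health", "biometric", "known_child"}
AD_PLATFORMS = {"meta_ads", "google_ads", "tiktok_ads"}   # hypothetical vendor tags
LEVEL = {"low": 1, "medium": 2, "high": 3}                 # ordinal scores for the matrix


@dataclass
class Activity:
    name: str
    data_categories: Set[str]
    purposes: Set[str]
    service_providers: Set[str] = field(default_factory=set)  # process data only on your behalf
    third_parties: Set[str] = field(default_factory=set)      # everyone else who receives data
    significant_effect: bool = False  # profiling that sets price, credit, or rejects orders
    likelihood: str = "low"
    impact: str = "low"
    last_reviewed: Optional[date] = None
    changed_since_review: bool = False  # a Step 5 trigger event happened since the last review


def dpa_triggers(a: Activity) -> List[str]:
    """Return which of the page's trigger categories apply to this activity."""
    reasons = []
    if "targeted_advertising" in a.purposes or a.third_parties & AD_PLATFORMS:
        reasons.append("targeted advertising")
    if a.third_parties:  # data leaving to a non-service-provider is a sale/share
        reasons.append("sale or sharing of personal data")
    if "profiling" in a.purposes and a.significant_effect:
        reasons.append("profiling with legal or similarly significant effects")
    if a.data_categories & SENSITIVE:
        reasons.append("sensitive data")
    return reasons


def risk_level(likelihood: str, impact: str) -> str:
    """3x3 matrix: product of ordinal scores; the thresholds are an assumption."""
    score = LEVEL[likelihood] * LEVEL[impact]
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    return "high"


def review_overdue(a: Activity, today: date,
                   max_age: timedelta = timedelta(days=365)) -> bool:
    """Overdue if never assessed, changed since the last review, or older than a year."""
    if a.last_reviewed is None or a.changed_since_review:
        return True
    return today - a.last_reviewed > max_age


def audit(activities: List[Activity], today: date) -> Dict[str, dict]:
    """Step 2 and Step 5 in one pass: which activities need a DPA, and which DPAs are stale."""
    report: Dict[str, dict] = {}
    for a in activities:
        triggers = dpa_triggers(a)
        if not triggers:
            continue
        report[a.name] = {
            "triggers": triggers,
            "risk": risk_level(a.likelihood, a.impact),
            "review_overdue": review_overdue(a, today),
        }
    return report


# Constructed sample inventory for a small store (illustrative, not real data).
TODAY = date(2025, 6, 1)
SAMPLE_ACTIVITIES = [
    Activity("order_fulfillment", {"name", "address", "email"}, {"fulfillment"},
             service_providers={"shipping_carrier", "payment_processor"}),
    Activity("retargeting", {"email_hash", "browsing"}, {"targeted_advertising"},
             third_parties={"meta_ads"}, likelihood="medium", impact="medium",
             last_reviewed=date(2024, 1, 15)),
    Activity("fraud_screening", {"ip", "device_fingerprint", "order_history"}, {"profiling"},
             service_providers={"fraud_vendor"}, significant_effect=True,
             likelihood="low", impact="high", last_reviewed=date(2025, 3, 1)),
    Activity("store_locator", {"precise_geolocation"}, {"store_locator"}),
]

if __name__ == "__main__":
    for name, row in audit(SAMPLE_ACTIVITIES, TODAY).items():
        print(f"{name}: {row}")
```

Run it and order fulfillment drops out (only service providers receive the data), while retargeting is flagged for targeted advertising and sale/sharing with an overdue review, fraud screening is flagged as profiling at medium risk, and the store locator is flagged for sensitive data with no assessment on file. The scoring matrix only ranks; the balancing conclusion in Section 5 of the template is still a human decision, so treat the report as the worklist for it, not as the assessment itself.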
How long to retain DPAs
Most states require you to make DPAs available to the Attorney General on request (in California, to the California Privacy Protection Agency as well), so they need to be findable and complete when asked for. Retain each DPA, along with the inventory and vendor contracts it relies on, for at least three years after the processing activity ends. Some states (California) may require longer retention because the lookback period extends to 2020.
Stay on top of changes like these — BriefStack monitors all 20 state privacy laws and delivers what matters to your inbox daily.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.