Chapter 6: State Comprehensive Privacy Laws
Purpose Limits, Risk Assessments, and Security
California, Colorado, Connecticut, and Virginia impose purpose/processing limitations and require risk assessments for heightened-risk processing; Utah lacks both. All five require reasonable administrative, technical, and physical security.
| Obligation | States |
|---|---|
| Purpose/processing limitation (necessary/proportionate) | California, Colorado, Connecticut, Virginia (NOT Utah) |
| Risk assessment for heightened-risk processing | California, Colorado, Connecticut, Virginia (NOT Utah) |
| Reasonable administrative, technical, physical security | All five |
Processing that triggers a risk assessment includes targeted advertising, selling personal data, processing sensitive data, and certain profiling.
Utah skips purpose limits and risk assessments
Utah is the outlier: it does not impose purpose/processing limitations and does not require risk assessments. But all five states, including Utah, require reasonable security measures.
Key terms - quick answers
What is “Purpose/processing limitation”?
An obligation to collect/process personal data only for a specific purpose, often described as necessary and proportionate; not imposed by Utah.
What is “Risk assessment”?
A formal privacy/cybersecurity assessment required for processing that presents a heightened risk of harm; required by all but Utah.