{"formats":[{"name":"JSON","format":"json","url":"\/downloads\/2025\/code-json\/59.1-580.json"},{"name":"Plain Text","format":"text","url":"\/downloads\/2025\/code-text\/59.1-580.txt"},{"name":"XML","format":"xml","url":"\/downloads\/2025\/code-xml\/59.1-580.xml"},{"name":"HTML","format":"html","url":"\/downloads\/2025\/code-html\/59.1-580.html"}],"law_id":60582,"edition_id":1,"section_id":60582,"structure_id":14234,"section_number":"59.1-580","catch_line":"Data protection assessments","history":"2021, Sp. Sess. I, cc. 35, 36; 2024, cc. 840, 844.","full_text":"A\n\nA controller shall conduct and document a data protection assessment of each of the following processing activities involving personal data:1\n\nThe processing of personal data for purposes of targeted advertising;2\n\nThe sale of personal data;3\n\nThe processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of (i) unfair or deceptive treatment of, or unlawful disparate impact on, consumers; (ii) financial, physical, or reputational injury to consumers; (iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or (iv) other substantial injury to consumers;4\n\nThe processing of sensitive data; and5\n\nAny processing activities involving personal data that present a heightened risk of harm to consumers.B\n\nEach controller that offers any online service, product, or feature directed to consumers whom such controller has actual knowledge are children shall conduct a data protection assessment for such online service, product, or feature that addresses (i) the purpose of such online service, product, or feature; (ii) the categories of known children&#8217;s personal data that such online service, product, or feature processes; and (iii) the purposes for which such controller processes known children&#8217;s personal data with respect to such online service, product, or feature.C\n\nData protection assessments conducted pursuant to this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller.D\n\nThe Attorney General may request, pursuant to a civil investigative demand, that a controller disclose any data protection assessment that is relevant to an investigation conducted by the Attorney General, and the controller shall make the data protection assessment available to the Attorney General. The Attorney General may evaluate the data protection assessment for compliance with the responsibilities set forth in &#xA7; 59.1-578. Data protection assessments shall be confidential and exempt from public inspection and copying under the Virginia Freedom of Information Act (&#xA7; 2.2-3700 et seq.). The disclosure of a data protection assessment pursuant to a request from the Attorney General shall not constitute a waiver of attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment.E\n\nA single data protection assessment may address a comparable set of processing operations that include similar activities.F\n\nData protection assessments conducted by a controller for the purpose of compliance with other laws or regulations may comply under this section if the assessments have a reasonably comparable scope and effect.G\n\nData protection assessment requirements shall apply to processing activities created or generated after January 1, 2023, and are not retroactive.","order_by":null,"text":{"0":{"id":221448,"text":"A controller shall conduct and document a data protection assessment of each of the following processing activities involving personal data:","type":"section","prefixes":["A"],"prefix":"A","entire_prefix":"A","prefix_anchor":"A","level":1,"next_prefix":"A1"},"1":{"id":221449,"text":"The processing of personal data for purposes of targeted advertising;","type":"section","prefixes":["A","1"],"prefix":"1","entire_prefix":"A1","prefix_anchor":"A1","level":2,"prior_prefix":"A","next_prefix":"A2"},"2":{"id":221450,"text":"The sale of personal data;","type":"section","prefixes":["A","2"],"prefix":"2","entire_prefix":"A2","prefix_anchor":"A2","level":2,"prior_prefix":"A1","next_prefix":"A3"},"3":{"id":221451,"text":"The processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of (i) unfair or deceptive treatment of, or unlawful disparate impact on, consumers; (ii) financial, physical, or reputational injury to consumers; (iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or (iv) other substantial injury to consumers;","type":"section","prefixes":["A","3"],"prefix":"3","entire_prefix":"A3","prefix_anchor":"A3","level":2,"prior_prefix":"A2","next_prefix":"A4"},"4":{"id":221452,"text":"The processing of sensitive data; and","type":"section","prefixes":["A","4"],"prefix":"4","entire_prefix":"A4","prefix_anchor":"A4","level":2,"prior_prefix":"A3","next_prefix":"A5"},"5":{"id":221453,"text":"Any processing activities involving personal data that present a heightened risk of harm to consumers.","type":"section","prefixes":["A","5"],"prefix":"5","entire_prefix":"A5","prefix_anchor":"A5","level":2,"prior_prefix":"A4","next_prefix":"B"},"6":{"id":221454,"text":"Each controller that offers any online service, product, or feature directed to consumers whom such controller has actual knowledge are children shall conduct a data protection assessment for such online service, product, or feature that addresses (i) the purpose of such online service, product, or feature; (ii) the categories of known children&#8217;s personal data that such online service, product, or feature processes; and (iii) the purposes for which such controller processes known children&#8217;s personal data with respect to such online service, product, or feature.","type":"section","prefixes":["B"],"prefix":"B","entire_prefix":"B","prefix_anchor":"B","level":1,"prior_prefix":"A5","next_prefix":"C"},"7":{"id":221455,"text":"Data protection assessments conducted pursuant to this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller.","type":"section","prefixes":["C"],"prefix":"C","entire_prefix":"C","prefix_anchor":"C","level":1,"prior_prefix":"B","next_prefix":"D"},"8":{"id":221456,"text":"The Attorney General may request, pursuant to a civil investigative demand, that a controller disclose any data protection assessment that is relevant to an investigation conducted by the Attorney General, and the controller shall make the data protection assessment available to the Attorney General. The Attorney General may evaluate the data protection assessment for compliance with the responsibilities set forth in &#xA7; 59.1-578. Data protection assessments shall be confidential and exempt from public inspection and copying under the Virginia Freedom of Information Act (&#xA7; 2.2-3700 et seq.). The disclosure of a data protection assessment pursuant to a request from the Attorney General shall not constitute a waiver of attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment.","type":"section","prefixes":["D"],"prefix":"D","entire_prefix":"D","prefix_anchor":"D","level":1,"prior_prefix":"C","next_prefix":"E"},"9":{"id":221457,"text":"A single data protection assessment may address a comparable set of processing operations that include similar activities.","type":"section","prefixes":["E"],"prefix":"E","entire_prefix":"E","prefix_anchor":"E","level":1,"prior_prefix":"D","next_prefix":"F"},"10":{"id":221458,"text":"Data protection assessments conducted by a controller for the purpose of compliance with other laws or regulations may comply under this section if the assessments have a reasonably comparable scope and effect.","type":"section","prefixes":["F"],"prefix":"F","entire_prefix":"F","prefix_anchor":"F","level":1,"prior_prefix":"E","next_prefix":"G"},"11":{"id":221459,"text":"Data protection assessment requirements shall apply to processing activities created or generated after January 1, 2023, and are not retroactive.","type":"section","prefixes":["G"],"prefix":"G","entire_prefix":"G","prefix_anchor":"G","level":1,"prior_prefix":"F"}},"ancestry":[{"id":14234,"edition_id":1,"name":"Consumer Data Protection Act","identifier":"53","label":"chapter","depth":2,"order_by":1,"parent_id":12809,"metadata":{},"date_created":"2026-06-26 03:47:24","date_modified":"2026-06-26 03:47:24","permalink":{"id":262743,"object_type":"structure","relational_id":14234,"identifier":"53","token":"59.1\/53","url":"\/59.1\/53\/","edition_id":1,"permalink":0,"preferred":1}},{"id":12809,"edition_id":1,"name":"Trade and Commerce","identifier":"59.1","label":"title","depth":1,"order_by":1,"parent_id":null,"metadata":{},"date_created":"2026-06-26 03:43:54","date_modified":"2026-06-26 03:43:54","permalink":{"id":259521,"object_type":"structure","relational_id":12809,"identifier":"59.1","token":"59.1","url":"\/59.1\/","edition_id":1,"permalink":0,"preferred":1}}],"structure_contents":[{"id":81398,"structure_id":14234,"section_number":"59.1-575","catch_line":"(Effective January 1, 2026) Definitions","url":"\/59.1-575\/","token":"59.1\/53\/59.1-575","metadata":false},{"id":63761,"structure_id":14234,"section_number":"59.1-576","catch_line":"Scope; exemptions","url":"\/59.1-576\/","token":"59.1\/53\/59.1-576","metadata":false},{"id":83673,"structure_id":14234,"section_number":"59.1-577","catch_line":"Personal data rights; consumers","url":"\/59.1-577\/","token":"59.1\/53\/59.1-577","metadata":false},{"id":57451,"structure_id":14234,"section_number":"59.1-577.1","catch_line":"(Effective January 1, 2026) Social media platforms; responsibilities and prohibitions related to minors","url":"\/59.1-577.1\/","token":"59.1\/53\/59.1-577.1","metadata":false},{"id":84222,"structure_id":14234,"section_number":"59.1-578","catch_line":"Data controller responsibilities; transparency","url":"\/59.1-578\/","token":"59.1\/53\/59.1-578","metadata":false},{"id":55458,"structure_id":14234,"section_number":"59.1-579","catch_line":"Responsibility according to role; controller and processor","url":"\/59.1-579\/","token":"59.1\/53\/59.1-579","metadata":false},{"id":60582,"structure_id":14234,"section_number":"59.1-580","catch_line":"Data protection assessments","url":"\/59.1-580\/","token":"59.1\/53\/59.1-580","metadata":false},{"id":83283,"structure_id":14234,"section_number":"59.1-581","catch_line":"Processing de-identified data; exemptions","url":"\/59.1-581\/","token":"59.1\/53\/59.1-581","metadata":false},{"id":83633,"structure_id":14234,"section_number":"59.1-582","catch_line":"Limitations","url":"\/59.1-582\/","token":"59.1\/53\/59.1-582","metadata":false},{"id":83422,"structure_id":14234,"section_number":"59.1-583","catch_line":"Investigative authority","url":"\/59.1-583\/","token":"59.1\/53\/59.1-583","metadata":false},{"id":71726,"structure_id":14234,"section_number":"59.1-584","catch_line":"Enforcement; civil penalty; expenses","url":"\/59.1-584\/","token":"59.1\/53\/59.1-584","metadata":false},{"id":80279,"structure_id":14234,"section_number":"59.1-585","catch_line":"Repealed","url":"\/59.1-585\/","token":"59.1\/53\/59.1-585","metadata":false}],"previous_section":{"id":55458,"structure_id":14234,"section_number":"59.1-579","catch_line":"Responsibility according to role; controller and processor","url":"\/59.1-579\/","token":"59.1\/53\/59.1-579","metadata":false},"next_section":{"id":83283,"structure_id":14234,"section_number":"59.1-581","catch_line":"Processing de-identified data; exemptions","url":"\/59.1-581\/","token":"59.1\/53\/59.1-581","metadata":false},"metadata":false,"official_url":"https:\/\/law.lis.virginia.gov\/vacode\/59.1-580\/","history_text":"<p>The record of this law\u2019s original creation isn\u2019t available online. It has been modified 1 time. Those modifications are cataloged by \u201cThe Acts of Assembly,\u201d a state publication, by year and chapter. Those modifications that can be read on the General Assembly\u2019s website will be linked accordingly. That modification is as follows: in 2024, chapters <a href=\"https:\/\/legacylis.virginia.gov\/cgi-bin\/legp604.exe?241+ful+CHAP0840\">840<\/a> and <a href=\"https:\/\/legacylis.virginia.gov\/cgi-bin\/legp604.exe?241+ful+CHAP0844\">844<\/a>.<\/p>","references":false,"refers_to":[{"id":55569,"section_number":"2.2-3700","catch_line":"Short title; policy","order_by":null,"url":"\/2.2-3700\/"},{"id":84222,"section_number":"59.1-578","catch_line":"Data controller responsibilities; transparency","order_by":null,"url":"\/59.1-578\/"}],"permalink":{"id":262769,"object_type":"law","relational_id":60582,"identifier":"59.1-580","token":"59.1\/53\/59.1-580","url":"\/59.1-580\/","edition_id":1,"permalink":0,"preferred":1},"url":"\/59.1-580\/","token":"59.1\/53\/59.1-580","dublin_core":{"Title":"Data protection assessments","Type":"Text","Format":"text\/html","Identifier":"\u00a7 59.1-580","Relation":"Code of Virginia"},"html":"\n\t\t\t\t\t\t<section id=\"A\"><p><span class=\"prefix-number\">A.<\/span> A <span class=\"dictionary\">controller<\/span> shall conduct and document a data protection assessment of each of the following <span class=\"dictionary\">processing<\/span> activities involving <span class=\"dictionary\">personal data<\/span>: <a id=\"paragraph-221448\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/59.1-580\/#A\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"A1\" class=\"indent-1\"><p><span class=\"prefix-number\">1.<\/span> The <span class=\"dictionary\">processing<\/span> of <span class=\"dictionary\">personal data<\/span> for purposes of <span class=\"dictionary\">targeted advertising<\/span>; <a id=\"paragraph-221449\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/59.1-580\/#A1\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"A2\" class=\"indent-1\"><p><span class=\"prefix-number\">2.<\/span> The <span class=\"dictionary\">sale of personal data<\/span>; <a id=\"paragraph-221450\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/59.1-580\/#A2\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"A3\" class=\"indent-1\"><p><span class=\"prefix-number\">3.<\/span> The <span class=\"dictionary\">processing<\/span> of personal data for purposes of <span class=\"dictionary\">profiling<\/span>, where such <span class=\"dictionary\">profiling<\/span> presents a reasonably foreseeable risk of (i) unfair or deceptive treatment of, or unlawful disparate impact on, <span class=\"dictionary\">consumers<\/span>; (ii) financial, physical, or reputational injury to <span class=\"dictionary\">consumers<\/span>; (iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of <span class=\"dictionary\">consumers<\/span>, where such intrusion would be offensive to a reasonable person; or (iv) other substantial injury to <span class=\"dictionary\">consumers<\/span>; <a id=\"paragraph-221451\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/59.1-580\/#A3\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"A4\" class=\"indent-1\"><p><span class=\"prefix-number\">4.<\/span> The <span class=\"dictionary\">processing<\/span> of <span class=\"dictionary\">sensitive data<\/span>; and <a id=\"paragraph-221452\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/59.1-580\/#A4\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"A5\" class=\"indent-1\"><p><span class=\"prefix-number\">5.<\/span> Any <span class=\"dictionary\">processing<\/span> activities involving personal data that present a heightened risk of harm to <span class=\"dictionary\">consumers<\/span>. <a id=\"paragraph-221453\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/59.1-580\/#A5\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"B\"><p><span class=\"prefix-number\">B.<\/span> Each <span class=\"dictionary\">controller<\/span> that offers any <span class=\"dictionary\">online service, product, or feature<\/span> directed to <span class=\"dictionary\">consumers<\/span> whom such <span class=\"dictionary\">controller<\/span> has actual knowledge are children shall conduct a data protection assessment for such <span class=\"dictionary\">online service, product, or feature<\/span> that addresses (i) the purpose of such <span class=\"dictionary\">online service, product, or feature<\/span>; (ii) the categories of known children&#8217;s personal data that such <span class=\"dictionary\">online service, product, or feature<\/span> processes; and (iii) the purposes for which such <span class=\"dictionary\">controller<\/span> processes known children&#8217;s personal data with respect to such <span class=\"dictionary\">online service, product, or feature<\/span>. <a id=\"paragraph-221454\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/59.1-580\/#B\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"C\"><p><span class=\"prefix-number\">C.<\/span> Data protection assessments conducted pursuant to this section shall identify and weigh the benefits that may flow, directly and indirectly, from the <span class=\"dictionary\">processing<\/span> to the <span class=\"dictionary\">controller<\/span>, the <span class=\"dictionary\">consumer<\/span>, other stakeholders, and the public against the potential risks to the rights of the <span class=\"dictionary\">consumer<\/span> associated with such <span class=\"dictionary\">processing<\/span>, as mitigated by safeguards that can be employed by the <span class=\"dictionary\">controller<\/span> to reduce such risks. The use of <span class=\"dictionary\">de-identified data<\/span> and the reasonable expectations of <span class=\"dictionary\">consumers<\/span>, as well as the context of the <span class=\"dictionary\">processing<\/span> and the relationship between the <span class=\"dictionary\">controller<\/span> and the <span class=\"dictionary\">consumer<\/span> whose personal data will be processed, shall be factored into this assessment by the <span class=\"dictionary\">controller<\/span>. <a id=\"paragraph-221455\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/59.1-580\/#C\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"D\"><p><span class=\"prefix-number\">D.<\/span> The <span class=\"dictionary\">Attorney General<\/span> may request, pursuant to a civil investigative demand, that a <span class=\"dictionary\">controller<\/span> disclose any data protection assessment that is relevant to an investigation conducted by the <span class=\"dictionary\">Attorney General<\/span>, and the <span class=\"dictionary\">controller<\/span> shall make the data protection assessment available to the <span class=\"dictionary\">Attorney General<\/span>. The <span class=\"dictionary\">Attorney General<\/span> may evaluate the data protection assessment for compliance with the responsibilities set forth in &#xA7; <a class=\"law\" title=\"Data controller responsibilities; transparency\" href=\"\/59.1-578\/\">59.1-578<\/a>. Data protection assessments shall be confidential and exempt from public inspection and copying under the Virginia Freedom of Information Act (&#xA7; <a class=\"law\" title=\"Short title; policy\" href=\"\/2.2-3700\/\">2.2-3700<\/a> et seq.). The disclosure of a data protection assessment pursuant to a request from the <span class=\"dictionary\">Attorney General<\/span> shall not constitute a <span class=\"dictionary\">waiver<\/span> of attorney-client <span class=\"dictionary\">privilege<\/span> or work product protection with respect to the assessment and any information contained in the assessment. <a id=\"paragraph-221456\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/59.1-580\/#D\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"E\"><p><span class=\"prefix-number\">E.<\/span> A single data protection assessment may address a comparable set of <span class=\"dictionary\">processing<\/span> operations that include similar activities. <a id=\"paragraph-221457\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/59.1-580\/#E\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"F\"><p><span class=\"prefix-number\">F.<\/span> Data protection assessments conducted by a <span class=\"dictionary\">controller<\/span> for the purpose of compliance with other <span class=\"dictionary\">laws<\/span> or regulations may comply under this section if the assessments have a reasonably comparable scope and effect. <a id=\"paragraph-221458\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/59.1-580\/#F\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"G\"><p><span class=\"prefix-number\">G.<\/span> Data protection assessment requirements shall apply to <span class=\"dictionary\">processing<\/span> activities created or generated after January 1, 2023, and are not retroactive. <a id=\"paragraph-221459\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/59.1-580\/#G\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>","plain_text":"                                 CODE OF VIRGINIA\n\nDATA PROTECTION ASSESSMENTS (\u00a7 59.1-580)\n\nA. A controller shall conduct and document a data protection assessment of each\nof the following processing activities involving personal data:\n\n   1. The processing of personal data for purposes of targeted advertising;\n\n   2. The sale of personal data;\n\n   3. The processing of personal data for purposes of profiling, where such\n   profiling presents a reasonably foreseeable risk of (i) unfair or deceptive\n   treatment of, or unlawful disparate impact on, consumers; (ii) financial,\n   physical, or reputational injury to consumers; (iii) a physical or other\n   intrusion upon the solitude or seclusion, or the private affairs or concerns,\n   of consumers, where such intrusion would be offensive to a reasonable person;\n   or (iv) other substantial injury to consumers;\n\n   4. The processing of sensitive data; and\n\n   5. Any processing activities involving personal data that present a heightened\n   risk of harm to consumers.\n\nB. Each controller that offers any online service, product, or feature directed\nto consumers whom such controller has actual knowledge are children shall\nconduct a data protection assessment for such online service, product, or\nfeature that addresses (i) the purpose of such online service, product, or\nfeature; (ii) the categories of known children&#8217;s personal data that such\nonline service, product, or feature processes; and (iii) the purposes for which\nsuch controller processes known children&#8217;s personal data with respect to\nsuch online service, product, or feature.\n\nC. Data protection assessments conducted pursuant to this section shall identify\nand weigh the benefits that may flow, directly and indirectly, from the\nprocessing to the controller, the consumer, other stakeholders, and the public\nagainst the potential risks to the rights of the consumer associated with such\nprocessing, as mitigated by safeguards that can be employed by the controller to\nreduce such risks. The use of de-identified data and the reasonable expectations\nof consumers, as well as the context of the processing and the relationship\nbetween the controller and the consumer whose personal data will be processed,\nshall be factored into this assessment by the controller.\n\nD. The Attorney General may request, pursuant to a civil investigative demand,\nthat a controller disclose any data protection assessment that is relevant to an\ninvestigation conducted by the Attorney General, and the controller shall make\nthe data protection assessment available to the Attorney General. The Attorney\nGeneral may evaluate the data protection assessment for compliance with the\nresponsibilities set forth in &#xA7; 59.1-578. Data protection assessments shall\nbe confidential and exempt from public inspection and copying under the Virginia\nFreedom of Information Act (&#xA7; 2.2-3700 et seq.). The disclosure of a data\nprotection assessment pursuant to a request from the Attorney General shall not\nconstitute a waiver of attorney-client privilege or work product protection with\nrespect to the assessment and any information contained in the assessment.\n\nE. A single data protection assessment may address a comparable set of\nprocessing operations that include similar activities.\n\nF. Data protection assessments conducted by a controller for the purpose of\ncompliance with other laws or regulations may comply under this section if the\nassessments have a reasonably comparable scope and effect.\n\nG. Data protection assessment requirements shall apply to processing activities\ncreated or generated after January 1, 2023, and are not retroactive.\n\nHISTORY: 2021, Sp. Sess. I, cc. 35, 36; 2024, cc. 840, 844.","edition":{"id":1,"name":"2025","slug":"2025","date_created":"2026-06-21 22:39:22","date_modified":"2026-06-21 22:39:22","current":1,"order_by":1,"last_import":null}}