Privacy and cybersecurity professionals, the countdown is on. New omnibus privacy laws will go into effect in California and Virginia on January 1, 2023, creating a slew of updated regulatory requirements for businesses.[1] Colorado won’t be far behind, with the state’s own version of the law going into effect on July 1, 2023. This new patchwork of state privacy laws—which will almost certainly trigger similar lawmaking in other states in the future—means it’s time for businesses across the country to start creating plans to comply with new regulations.
The three laws are similar and will put a variety of new items into law, including:
- New privacy notice disclosure requirements
- Restrictions on the use of certain sensitive personal information
- New rights for consumers, including the ability to opt out of data processing
- The creation of an appeal process for consumers to correct their personal information
- Increased regulatory authority
Additionally, California’s updated law will create a European-style data protection agency, known as the California Privacy Protection Agency, with full enforcement and rule-making authority. This will be the first watchdog agency in the United States devoted solely to consumer data privacy—a significant development that will have ramifications across the U.S.
To get ready for the privacy changes coming in 2023, businesses should put these crucial tasks on their to-do lists in the coming months.
Update your privacy notices
Privacy policies are one of the most obvious indicators that a company is noncompliant with privacy laws. As a result, regulators tend to monitor policies closely. Even if you are compliant in all other respects, a noncompliant privacy notice may trigger regulatory interest.
All three new laws require new privacy notice disclosures related to sensitive personal information and data subject requests. Notices may need to be updated to: (1) reflect new data subject rights; (2) expand disclosures about the collection and sharing of information (including identifying how each category of personal information may be shared with categories of third parties); (3) identify retention periods for data storage; and (4) include statements regarding the use of de-identified data.
Review the personal information your company is storing
The new laws create restrictions on the use of certain sensitive personal information, including demographic information (such as race or sexual orientation) and certain personally identifying information (such as Social Security numbers), as well as information used in targeted advertising. If your company has any personal information in its possession, it’s time to review what you have and determine whether you really need it. If you haven’t done so already, 2022 is the year to get data retention schedules and controls in place. The more you minimize your data footprint and streamline your data use, the easier compliance with new laws will be next January.
Get your data subject request process in order
Significantly, all three laws provide for new data subject rights. Citizens of Virginia, California and Colorado now have the right to correct inaccuracies in their personal information and to opt out of the use of their personal information for targeted advertising or profiling. Additionally, the new laws call for the creation of an appeal process for consumers to dispute denials of their data requests.
To comply with new laws, companies will have to update their processes (or perhaps build processes from scratch) to ensure that:
- Data subjects are provided with their personal information in a readily usable format upon request;
- The company can verify the accuracy of any information a consumer wants corrected or deleted;
- The company responds to data subject requests within 45 days; and
- Consumers have access to an independent and fair appeal process that can pass regulatory muster.
Meeting these requirements is no small feat, especially if your company doesn’t have any existing infrastructure to address consumer data complaints and requests. It’s crucial that you begin nailing down the details of your company’s response to the new rules now, so you aren’t blindsided next January.
Extra considerations for companies that transfer data internationally
International data transfers are becoming more and more challenging as the European Court of Justice’s Schrems II decision invalidated the EU-U.S. Privacy Shield, and summer 2021 saw the adoption of new, more restrictive Standard Contractual Clauses by the European Commission. These mandatory standard contractual clauses must accompany almost all data transfers between the European Union and the United States.
Although this is the latest regulation concerning international data transfers, it almost certainly won’t be the last. The post-Schrems II GDPR environment is constantly shifting, and companies that deal with international data must stay on top of new regulations. If you haven’t done so already, take a close look at the international data transfers in which your company engages. Review the requirements that apply to them, and make sure your documents include the new standard contractual clauses required by the European Commission.
[1] At the time of this writing, Utah appears poised to enact its own comprehensive privacy law. Under the current draft of the bill, the Utah law would take effect December 31, 2023.