Privacy In Focus®
The last several years have seen major developments in state privacy laws. While Congress remains gridlocked on the federal privacy front, states enacted omnibus data privacy bills that will impact companies that do business across the nation. First, in the fall of 2020, California voters approved the California Privacy Rights Act of 2020 (CPRA), which will amend that state’s California Consumer Privacy Act (CCPA). Next, Virginia became the second state to enact omnibus privacy legislation in March 2021 with the passage of the Consumer Data Protection Act (CDPA). Finally, Colorado followed suit in July 2021, enacting the Colorado Privacy Act (CPA).
Importantly, all three of these new state data privacy frameworks will go into effect in 2023, which makes this year critically important for impacted businesses to plan and prepare their compliance strategies. Below, we provide a closer look at the developments in each of these three states and offer several steps that businesses can take now to develop a comprehensive strategy to be ready to comply with these laws in 2023.
California (CPRA). In November 2020, less than a year after the CCPA took effect, California voters approved the ballot initiative known as CPRA. The CPRA takes effect on January 1, 2023. The law also established a new agency, the California Privacy Protection Agency (CPPA), which will conduct rulemaking proceedings to implement the law. The CPRA requires the agency to enact new regulations by July 1, 2022. To begin this process, the CPPA released an Invitation for Preliminary Comments on Proposed Rulemaking in September 2021, and accepted comments through November 8, 2021. On October 4, 2021, the CPPA selected Ashkan Soltani as the agency’s new Executive Director. These developments show that the new agency is preparing actively for its upcoming deadlines. Businesses that are currently subject to the CCPA should watch developments at the CPPA with interest in 2022. The agency’s rulemaking process seeks to both update existing California privacy regulations and adopt new regulations. Stakeholders should consider weighing in during the comment period as draft rules are proposed.
Virginia (CDPA). On March 2, 2021, Virginia joined California in enacting a comprehensive consumer data privacy law: the CDPA. The CDPA will become effective simultaneously with the CPRA – on January 1, 2023. Importantly, the CDPA does not provide for a rulemaking process, so the law – as currently written – will be the sole enforceable text, absent any legislative action prior to the law going into effect. While there is no rulemaking process, the CDPA did call for the Chairman of the Joint Commission on Technology and Science to establish a work group to “review the provisions of th[e] act and issues related to its implementation” and to “submit the work group’s findings, best practices, and recommendations regarding the implementation of th[e] act.” Accordingly, last year, the Virginia Consumer Data Protection Act Work Group met several times and issued this Final Report, summarizing the group’s meetings and highlighting “points of emphasis,” which the report indicates will be presented in the upcoming legislative session.
Colorado (CPA). On July 7, 2021, Colorado enacted the Colorado Privacy Act (CPA), which will go into effect six months after the CPRA and the CDPA, on July 1, 2023. Like the California privacy law, the CPA authorizes the state’s Attorney General to promulgate rules related to the law. Additionally, when Governor Jared Polis signed the legislation into law, he noted that “several issues remain outstanding” with the CPA, indicating that it will “require clean-up legislation.” Accordingly, between the rulemakings and the potential clean-up legislation, impacted businesses should pay close attention to developments in Colorado this year that may impact compliance strategies.
Preparing for 2023 Compliance
As the 2023 effective dates for the CPRA, CDPA, and CPA approach, there are several measures businesses can take to prepare for these new state privacy law regimes.
Among other things, businesses that are impacted by one or all of these laws can begin to:
- Conduct Data Mapping and Understand Data Practices Across the Organization. A key step in developing a compliance strategy is knowing what data an organization collects, and how that data is used and shared. This exercise will be important for companies navigating these three similar – yet distinct – privacy laws. For example, each of the three laws has special requirements for sensitive data, so it will be critical for organizations to understand whether that data is collected and how it is used.
- Leverage Existing Compliance Programs and Understand How Each New Framework Compares. The three new frameworks are each unique and will require specific compliance, however, there are important similarities across the three new laws, as well as similarities with existing CCPA obligations. Businesses should leverage the work they have already done to comply with the CCPA, and should identify areas where their compliance strategies across all three states can conform. Where there is overlap, businesses can design updates and practices that satisfy obligations across multiple frameworks, which will make complying with a patchwork of state laws more efficient. This exercise will also help companies understand how each of the three laws diverge, which is equally important in developing a compliance strategy.
- Develop Mechanisms and Systems to Receive and Respond to Data Privacy Rights Requests. While the three states define privacy rights differently, each state recognizes various consumer rights, such as the right to access, delete, port, and opt-out – among others. Businesses should start implementing mechanisms to field these privacy rights requests within the parameters set forth in each of the laws (and relevant rules).
- Plan and Conduct Risk Assessments. All three laws will require some type of risk assessment for businesses that engage in certain data processing activities. Companies should begin reviewing its existing assessment practices, and how those practices should be updated to comply with new requirements.
- Draft or Update Agreements with Third Parties. All three laws require subject businesses to have written agreements with data processors/service providers that contain certain elements, including processing instructions or limitations on the use of consumer data. Businesses should review their existing and planned third-party contracts and assess whether their contracts need to be updated in light of the new laws.
- Update Privacy Policies. The state laws all feature notice and transparency requirements, as well, including notice requirements and certain disclosures that are unique to each framework. Businesses subject to the CCPA should already be conducting annual reviews of their privacy policies. This year, as companies review their policies, they should plan on incorporating any needed updates to account for the new laws in California, Virginia, and Colorado.
Developing a comprehensive, multi-state compliance strategy for three distinct new state laws will be challenging, especially given the fact that some of the requirements for compliance are still under development. Businesses should pay close attention to regulatory and legislative updates in all three states this year, as well as in other states looking to follow suit and add to the growing patchwork of state obligations. At the same time, businesses should start taking steps to develop their compliance strategies for the three new state laws that will go into effect next year.
Scott Bouboulis, a Law Clerk at Wiley Rein LLP, contributed to this article