The Comprehensive Privacy Law Deluge: Record-Keeping and Related Requirements

Sheppard Mullin Richter & Hampton LLP

[co-author: Kathryn Smith*]

It’s been a busy summer for US state privacy laws, and companies now need to keep track of a growing list of requirements under these laws. These include many we have written about in the past, including notice, vendor contract provisions, and offering consumers rights and choices. The laws also impose certain record-keeping requirements, which we discuss here.

But first, as a reminder, the laws have rolling effective dates. Only California, Virginia, Colorado, and Connecticut are in effect. The others go into effect as follows:

The laws impose record-keeping requirements on companies to whom the laws apply (for more about the laws’ applicability, read our prior post). These requirements overlap in many respects. They include:

  • Rights requests: Records of rights requests must be kept for 24 months[1] (CA, CO) and in a readable and secure format (CO). Each record must include the date and nature of the consumer request and any business responses or denials (CA, CO).
  • Deletion requests: Companies must also keep records of deletion requests, retaining only the minimum amount of data necessary to ensure that the consumer’s personal data remains deleted and is not used for any other purpose (CA, CO, CT, DE, FL, IN, MT, OR, TN, TX, VA).
  • Metrics: Companies must compile annual metrics for the number of consumer requests and opt-out requests they’ve received (CA). As part of this, companies must track how many requests were processed or denied, and whether this was done in whole or in part[2] (CA).
  • Data limitation: Information kept for record-keeping purposes should not be used for any other purpose (CA, CO).
  • Assessments: If engaging in targeted advertising, selling data, engaging in profiling, or processing sensitive data, companies must conduct data protection assessments (DPAs) under all states’ laws except those of Iowa and Utah. We discuss these requirements in more detail in our recent webinar. (And keep in mind that California is still working on regulations for these assessments.) Companies should keep in mind that these assessments also carry record-keeping requirements. Namely:
    • Document every DPA conducted (CA, CO, CT, DE, FL, IN, MT, OR, TN, TX, VA).
    • DPAs must be kept for three years (CO) or five years (OR).

Putting it into Practice: As the summer comes to a close, now is a good time to revisit your privacy programs. Keeping track of the various requirements under the laws is getting more complex. Having a scalable program that addresses record-keeping and other requirements can make compliance easier.

*Kathryn Smith is a fellow in the firm’s Chicago office.

FOOTNOTES

[1] § 7101(a); CPA Rule 6.11(A).

[2] CA Regs § 7102(a).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising
