U.S. State Privacy Law Update

Polsinelli

In 2023, new comprehensive data privacy laws come into effect in five states — California, Colorado, Connecticut, Utah, and Virginia. The California Privacy Rights Act of 2020 (CPRA) and the Virginia Consumer Data Protection Act (VCDPA) kicked in on January 1, 2023, to be followed by the Colorado Privacy Act (CPA) and the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) on July 1, 2023, and the Utah Consumer Privacy Act (UCPA) bookending the year on December 31, 2023 (collectively, the Acts). The Acts implement several new compliance obligations for applicable entities. We highlight the most important ones below.

Vendor agreements

One of the bigger undertakings that entities will have to tackle is updating downstream vendor agreements. The Acts contain a host of mandatory contract requirements for downstream vendors, including:

  • Imposing a duty of confidentiality on vendors.
  • The right for a controller to:
    • Assess/audit a vendor’s privacy and security obligations.
    • Object to a vendor’s new or replacement subprocessors.
  • Requirements for a vendor to:
    • Identify specifics about the vendor’s data processing (e.g., the nature and purpose of processing, the duration of processing, and the types of data being processed).
    • Return or delete personal information at the controller’s direction.
    • Implement appropriate technical and organizational measures.
    • Assist with data protection assessments.
    • Notify the controller if the vendor determines that it can no longer meet its obligations.
  • Prohibitions against:
    • The reidentification of de-identified data.
    • The service provider or contractor selling or sharing personal information it receives from or on behalf of the entity.
    • Uses other than those expressly permitted in the contract.
    • The combining of personal information that the vendor receives from other persons or customers.

To comply with the Acts, entities must include these terms in their template data processing agreements and work to amend the data processing agreements they currently have in place with downstream vendors.

The Acts also provide that an entity must pass down a consumer’s request for access, deletion, or correction across all vendor data flows. CPRA regulations specifically call out a business’s obligation to instruct all service providers and contractors that maintain the personal information at issue, pursuant to their written contract with the business, to make the necessary corrections in their respective systems. Service providers and contractors must comply with the entity’s instructions to correct or delete the personal information or enable the entity to make the changes directly. Vendors must also assist the entity in responding to a verifiable consumer “request to access/know,” either by providing the consumer’s personal information in their possession that they collected as a result of providing services to the entity, or by enabling the entity to access that personal information directly.

Action items: Review existing data processing agreements to determine whether appropriate terms are included or need to be amended; draft template data processing agreements to use with new vendors.

Data subject requests

Each of the Acts empowers a consumer to exercise certain data subject rights. These include the rights to:

  • Access/know.
  • Correction.
  • Erasure.
  • Opt out of behavioral advertising.
  • Opt out of the sale and sharing of personal information.
  • Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.
  • Limit the use of sensitive personal information.
  • Nondiscrimination.
  • Data portability.

Under comprehensive U.S. privacy laws, many of these rights are new, particularly the right to correction. Entities will therefore need to update their internal processes in order to respond to these requests adequately and on time. Entities must respond within 45 days, with the option of a 45-day extension upon notice to the individual. Additionally, Virginia, Colorado, and Connecticut provide individuals with the ability to appeal an entity’s initial decision.

It is important to note that entities need not comply with all data subject requests — each law (or its draft regulations) provides applicable exceptions. For example, an entity does not have to delete personal information if the information is needed to continue providing services to the individual. Further, an entity may decide not to act on a correction request if the entity contends the data is accurate, with varying degrees of conviction required by the Acts. Such determinations still must be defensible and communicated to the consumer.

Action items: Establish policies and procedures for the submission and quick intake of customer requests; ensure personal information is accessible, portable, and editable.

Sensitive personal information

While sensitive personal information is not an entirely new concept under U.S. privacy laws, the Acts introduce new categories of sensitive information and include new obligations for entities. Under existing U.S. state breach notification laws, categories of information such as Social Security numbers, financial account information and drivers’ license numbers are treated as sensitive. Now, comprehensive U.S. state privacy laws introduce new categories of sensitive information that more closely align with the categories found under Article 9 of the European Union’s General Data Protection Regulation. These include racial or ethnic origin, religious or philosophical beliefs, precise geolocation, genetic data, biometric data, and health information.

The expanded identification of sensitive personal information under these laws means entities need to take additional steps when collecting, using and disclosing such information. With limited (and varied) exceptions, the CPA, CTDPA, and VCDPA require entities to obtain consent, or provide a clear opportunity to opt out, prior to processing sensitive personal information (and sensitive personal information inferences under the CPA). Consent must be separate from any broad or general terms, actively assented to and freely given, regularly refreshed, and revocable. The UCPA is more business-friendly, requiring clear notice to the consumer and an opportunity to opt out.

The CPRA does not require consent for the collection of sensitive personal information; however, it does grant the consumer the right to limit the use of sensitive personal information if the entity is using the information for purposes that do not align with the services to the individual or commonly accepted business practices (e.g., to prevent or detect security incidents or to resist fraudulent or illegal actions).

Action items: Identify whether sensitive personal information is collected (or inferred) from individuals; implement, maintain and annually renew consumer consents and notices; operationalize opt-out links.

Cookies

There is no question that the Acts have taken a deliberate approach to challenging the collection and use of personal information through cookies and other tracking technologies. The CPRA has introduced the concept of sharing, which addresses the disclosure of personal information for cross-context behavioral advertising. Similarly, Virginia, Colorado, Connecticut, and Utah also now address targeted advertising.

If an entity is selling or sharing personal information or conducting targeted advertising, directly or through a vendor, the Acts require additional compliance measures. Entities must provide adequate notice of such processing activities in the entity’s privacy notice (including identifying the categories of third parties to whom information is being sold or shared), implement opt-out links and be able to comply with opt-out preference signals. While it is clear that these state regulators are looking to give consumers more control over tracking technologies, the more nuanced expectations for entities are still murky. At least in California, there have been a couple of lessons. For example, the California Privacy Protection Agency (CPPA) has expressed that cookie banners are not an adequate opt-out mechanism for the selling or sharing of personal information. The California attorney general’s enforcement action against Sephora also showcased that a business’s backend privacy practices must align with its public-facing privacy notice. This is a fairly easy way for a regulator to confirm whether a business is complying with applicable requirements.

Action items: Conduct cookie scans; analyze whether personal information is disclosed to third parties; implement opt-out links and recognize opt-out preference signals if needed.

Employee data

Businesses subject to the CPRA need to address a key difference from the other Acts — employees are included in its definition of consumers (and the previous partial exception expired January 1, 2023). Employers will need to tread carefully in navigating the unique ways employee and applicant data is utilized as a part of regular operations against the rights and obligations established by the CPRA.

Employers will need to provide their California-resident employees and applicants notice at collection, explaining:

  • The types of personal information it collects.
  • The purposes of collection.
  • The individual’s rights, including:
    • Data subject requests.
    • Nondiscrimination.
    • Opting out of the sale or sharing of information.
    • Limiting the use of sensitive personal information.
  • Retention periods.
  • To whom employers may further disclose the personal information.

All the rights established in the CPRA will apply to employee and applicant data, including performance reviews, payroll, etc. Businesses will need to ensure the appropriate personnel are trained and ready to respond to requests within the CPRA’s time constraints, particularly when and how a business vets the validity of and is permitted to deny such requests.

Much of what human resources collects about applicants and maintains on employees falls within the categorical definition of sensitive data under the CPRA. The definition also includes “the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication.” CPRA § 1798.140(ae)(1)(E). However, if sensitive data is collected or processed “without the purpose of inferring characteristics about a consumer,” it is treated as personal information. CPRA § 1798.121(d). Employers will need to carefully review how they utilize HR data and how they communicate with employees if they want to avoid the additional obligations carried by sensitive data.

A hot topic with regard to employee data is the conflict between the CPRA and federal and state law retention requirements. The CPRA contemplates such a conflict by stating that it “shall not restrict a business’s ability to … [c]omply with federal, state, or local laws.” CPRA § 1798.145(a)(1). Businesses will need to reconcile their obligations under these retention requirements with the deletion and correction requirements under the CPRA.

For example, federal employment law requires entities to maintain personal information related to applicants for a period of at least one year. 29 C.F.R. § 1602.14. Further, federal law also mandates every employer keep personnel or employment records for a period of one year. 29 C.F.R. § 1627.3(b)(1)(i). While an employer would therefore not have to comply with an applicant’s data deletion request given its obligation to retain such personal information under federal law, the employer will still need to meet the CPRA’s timely response and explanation requirements in its notice of request denial to the applicant.

Action items: Review applicant and employee data uses; revise employee notices to California employees; review retention requirements under state and federal laws and incorporate them into data request response processes.

Conclusion

On top of the new compliance obligations above, further regulations from the CPPA regarding automated decision making, cybersecurity audits, and privacy risk assessments remain outstanding. Limited privacy laws targeting topics like biometric data and reproductive tracking continue to further complicate the U.S. privacy law landscape. And while it is seeming more unlikely, a federal privacy law may also add a wrinkle or offer consistency in this regulatory topography. What is clear is that there will be no shortage of privacy compliance steps that organizations will have to take in 2023.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Polsinelli | Attorney Advertising
