Upcoming Data Privacy Laws a Reminder to be All Over Your Map

DarrowEverett LLP

Much like the beginning of 2023, when two new state data privacy acts went into effect, the midpoint of 2023 will feature two more state data privacy acts coming onto the books. On July 1, 2023, the Colorado Privacy Act (“CPA”) and the Connecticut Data Privacy Act (“CDPA”) become effective, and those states join California and Virginia as states with data privacy laws.

To effectively prepare for the CPA and CDPA, or any new data privacy laws, businesses should start with a review of how they collect, use and/or disclose consumer data. Businesses should focus on assessing whether they engage in any activities that present a heightened risk to consumers. It is worth pointing out that both the CPA and CDPA will require businesses to formally assess privacy and cybersecurity risks to comply with each state’s respective requirements.

What’s in the CPA and CDPA?

The CDPA requires businesses to perform and document an assessment if a business (1) processes personal data for the purposes of targeted advertising, (2) sells personal data, (3) processes personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of (a) unfair or deceptive treatment of, or unlawful disparate impact on, consumers, (b) financial, physical or reputational injury to consumers, (c) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person, or (d) other substantial injury to consumers, and (4) processes sensitive data. The CDPA identifies these specific activities as “present[ing] a heightened risk of harm to a consumer.”[1]

The CPA stipulates more comprehensive requirements for businesses covered under that act. Pursuant to the CPA, a “Data Protection Assessment” must be a “genuine, thoughtful” analysis of the business’s activities (collection, use, sale, storage, disclosure, analysis, deletion or modification of consumer personal data) that present a heightened risk of harm to a consumer. A Data Protection Assessment under the CPA (1) identifies and describes the risks to the rights of a consumer associated with the processing, (2) documents measures considered and taken to address and offset those risks, (3) contemplates the benefits of the processing, and (4) demonstrates that the benefits of the processing outweigh the risks offset by safeguards in place.[2]

Your Map Will Get You Places

Diagramming a “road map” of a consumer’s data as it is collected, used and/or shared is an assessment tool that businesses can use to identify gaps in their processes, business strategy and policies. A data road map should start with any first touchpoint where consumer data can be collected, such as a website homepage or online intake form. Take a moment to consider all the ways consumers share their information with you — then ask, are your consumers informed about your use of their data, such as through a privacy policy? If not, you have just identified a potential hazard.

Fill in the details of your data road map by tracing all the possible routes of consumer data through your business, such as internal processing or analytics by a third-party service provider. Highlight all the different ways consumer data is used by your business — then ask, are all these different uses accounted for in your privacy policy? If not, you just identified another hazard.

Next, identify where consumer data eventually ends up after being used by your business, including whether consumer data is stored or if data ever leaves your control. Look for any final hazards — ask, do you disclose if you sell or share consumer data with any other business, including affiliated, parent, or subsidiary companies?

And finally, remember to update your data road map as your business strategy and processes adapt. Your road map is only useful as long as it accurately reflects how consumer data is actually collected, used and/or shared by your business. But with a complete data road map, businesses can identify the critical next steps to address hazards and stay compliant with data privacy laws.

Conclusion

It is critical that businesses take this opportunity to assess their data privacy compliance, not only because data privacy act requirements are coming into effect soon, but also because more and more states (Indiana, Iowa, Montana and Tennessee are among them) are considering their own data privacy laws.


[1] https://www.cga.ct.gov/2022/act/Pa/pdf/2022PA-00015-R00SB-00006-PA.PDF

[2] https://coag.gov/app/uploads/2023/03/FINAL-CLEAN-2023.03.15-Official-CPA-Rules.pdf

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© DarrowEverett LLP | Attorney Advertising
