Winter is Coming: 10 Steps Organizations Should be Taking Now to Meet Their Obligations Under Expansive, New Privacy Laws
By: Laura Clark Fey,* Privacy Law Specialist (IAPP), Fey LLC, and Maddie Level,** Fey LLC.
Five state comprehensive privacy laws will become fully effective in 2023. The first two, the California Privacy Rights Act, which significantly updates the current California Consumer Privacy Act, and the Virginia Consumer Data Protection Act, will become fully effective on January 1st. These comprehensive state privacy laws impose strict obligations on organizations that collect and use personal information of state residents’ personal information and impose significant penalties for violations. This makes it particularly important not to give compliance the cold shoulder this winter. For many entities, the patchwork quilt of U.S. data protection and privacy laws, soon to include multiple, comprehensive state privacy laws, creates a regulatory maze of obligations. We have written this article to provide a guide designed to assist readers in understanding and meeting their obligations arising from these state comprehensive data privacy laws, including: The California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Virginia Consumer Data Protection Act (VCDPA), and the Utah Consumer Privacy Act (UCPA).
These laws provide consumers with multiple privacy protections and rights concerning their personal information. The laws also impose a number of privacy and security obligations on organizations collecting or processing personal information.
Each comprehensive law designates enforcing authority. Typically, enforcement power rests with a state’s attorney general. However, there are key differences between enforcing parties and penalties for noncompliance. Under Colorado law, both the attorney general and district attorneys have the authority to enforce the CPA. CPA § 6-1-1311(1)(a). In addition to the California Privacy Protection Agency authorized by the CPRA and the California Attorney General, California residents also maintain a private right of action for violations of the CPRA. CPRA § 1798.150(a)(1). Over 270 civil cases to date cite to the CPRA’s predecessor, the California Consumer Privacy Act (CCPA). See Perkins Coie, CCPA Litigation Tracker (last updated Sep. 2022), https://www.perkinscoie.com/en/ccpa-litigation-tracker.html. A recent enforcement action by California’s Attorney General resulted in beauty retailer Sephora, paying a $1.2 million settlement. See Rob Bonta, Attorney General Bonta Announces Settlement with Sephora as Part of Ongoing Enforcement of California Consumer Privacy Act (Aug. 24, 2022), https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement.
- 10 Critical Steps Organizations Should be Taking Now to Prepare for Compliance
To prepare to meet their obligations under the 2023 state comprehensive privacy laws, organizations should take the following steps, if such steps have not already been started.
- Analyze Applicability of Laws
Doing business in a state or collecting personal information from any residents in any of the states does not, in and of itself, trigger the applicability of state comprehensive privacy laws. Applicability thresholds vary from state-to-state and involve consideration of factors such as annual gross revenues; the processing of data of specified numbers of consumers; and derivation of profits from data sales. See CPA § 6-1-1304(1); CTDPA § 2; VCDPA § 59.581; UCPA § 13-61-102(1). California has a secondary applicability trigger for affiliated entity CPRA § 1798.140(d)(2). As a critical first step, entities doing business in California Colorado, Connecticut, Utah, or Virginia should carefully review the primary and secondary applicability triggers for each law to determine whether each such law is applicable to them.
It is important to be aware that each state law has significant carve outs for certain types of entities and certain types of data. For example, none of the laws other than California’s CPRA will apply in the context of processing of personal information of employees and B2B contacts. See CPA § 6-1-1303(6); CTDPA § 1(7); VCDPA § 59.1-581; UCPA § 13-61-101(10). As another example, each of the state laws exempt entities or data subject to the Gramm-Leach-Bliley Act, or both. CPRA § 1798.145(e); CPA § 6-1-1304(j(II),(q) CTDPA § 3(a)(4); VCDPA § 59.1-576(B); UCPA § 13-61-102(2)(k)). Other notable exemptions that, depending on the law, apply based on either entity or a data type, are the HIPAA, FCRA, and non-profit exemptions. The availability and scope of each exemption varies by state and, therefore, should be considered by entities on a state-by-state basis.
- Assess Compliance Readiness
After assessing the applicability of the state laws, we recommend that organizations assess the current state of their compliance with the specific obligations set forth in the laws that are applicable. Organizations should interview subject matter experts throughout the organization to help ensure they have a thorough understanding of their organization’s current and anticipated data collection, use, and transfer practices, as well as their organization’s privacy and information security practices. Before conducting these interviews, interviewers should review not only key obligations under relevant laws, but also relevant definitions for key terms, such as personal information/data, sensitive personal information/data; deidentified data; sales; sharing; business/controller; service provider/contractor/processor; third party. See CPRA § 1798.140; CPA § 6-1-1303; CTDPA § 1; VCDPA § 59.1-575; UCPA § 13-61-101 (definitions). Compliance assessments should be conducted with an eye toward the primary obligations imposed on an organization under applicable state comprehensive data privacy laws, including notice, consent, information security, data subject rights, third-party contracting, training, and recordkeeping obligations. During the assessment process, organizations should identify any gaps in compliance. Then, they should develop a phased, risk-remediation plan for addressing non-compliance. Such plan should prioritize the highest risk compliance gaps, including but not limited to insufficient information security measures; failure to provide requisite links and privacy policies or to implement required technology measures, such as recognition of the GPC controls; lack of training and procedures setting forth compliance steps for responding to data subject requests and for preparing Data Protection Assessments; and/or lack of implementation of requisite contractual terms.
- Prepare or Update Data Maps
As part of their assessment, organizations should ensure they have a strong understanding of their personal information flows. They should confirm that their data maps are up-to-date and provide the necessary level of information to enable organizations to meet their notice, contracting, and data subject rights obligations. Data maps allow organizations to see how data moves throughout their organization and how data is ultimately used and processed. Knowing what personal information the organization collects, how it is collected, where it is stored, how it is protected, and to whom it is transferred is essential to compliance with comprehensive privacy laws. As part of the data mapping process, an organization should ensure it has a good understanding of the extent to which personal information is shared inside and outside of the organization, including the reasons for which they are granting access to personal information to employees or third parties. Along with other updates, we recommend that organizations update their data maps, as necessary, to cover any data flows for purposes of targeted advertising or profiling; data flows in connection with their use of analytics; and other data flows that could be viewed as presenting a heightened risk to consumers, including those involving sensitive personal information.
- Prepare or Update Privacy Notices
Organizations should prepare and publish compliant privacy policies before applicable comprehensive privacy laws take effect. Utilizing the information gathered through data mapping and self-assessments, organizations should update their current privacy notices to reflect current and reasonably anticipated data processing, use, and transfer practices and to comply with applicable laws. It is important to be aware that the employee and B2B contact exemptions set forth in the CCPA will no longer be in effect as of January 1, 2023, so organizations subject to California’s CPRA should ensure they are meeting all notice obligations to employees and business contacts in a B2B context, along with their notice obligations with respect to customers and website and app users. See CPRA § 1798.145(m)(1). Compliant privacy policies should include descriptions of personal information collected, sources of personal information, purposes for processing, categories of information sold or shared, categories of third parties to whom information is sold or shared, an enumeration of consumer rights (and how consumers may exercise their rights), requisite links and affirmations (e.g., opt out of sale; affirmation concerning sale of personal information), and retention periods for various data types, along with other statutorily-required information.
While updating privacy policies, organizations subject to the CPRA should also update their notice at collection. In addition to the requirements set for under the CCPA, the CPRA imposes three new disclosure obligations for notices at collection: (1) disclosure of whether the organization sells or shares personal information; (2) disclosure regarding the collection, processing, and use of sensitive personal information; and (3) disclosure of the length of time each category of personal information will be retained. See CPRA § 1798.100(a). Organizations also should take note of relevant, separate, notice requirements that are tied to specific data practices. For example, the CPRA imposes additional notice obligations upon organizations who sell or share data, and upon those who offer financial incentives to consumers. See CPRA § 1798.120(b), § 1798.125(b)(2).
- Draft Consent Forms and Links
Organizations should also ensure that any required links are published (e.g., the “Do Not Sell or Share” link required by the CPRA, if applicable). Additionally, organizations should maintain a process by which privacy policies, notices, links, and consent forms are updated as relevant practices change, and, at a minimum, in compliance with any applicable annual update requirements (e.g., under the CPRA). Entities will need to stay on top of changes or anticipated changes to data collection, usage, and disclosure practices, as such changes may require organizations to obtain consent from data subjects under relevant comprehensive privacy laws. See VCDPA § 59.1-578; CPA § 6-1-1308(4); CDTPA § 6(a)(2).
- Prepare Data Subject Rights Procedures and Implement Required Technical Measures
Organizations also need to prepare data subject request forms; clear procedures or checklists; and trainings designed to help ensure that the detailed obligations for the different types of data subject rights (e.g., requests to know, delete, opt-out of sales) and the deadlines set forth in applicable comprehensive privacy laws are met. Clear operating procedures are vital as the timeframe for action is relatively short, especially given the number of potential requests that may be received and the challenges that can arise in evaluating applicability of data subject rights, locating relevant personal information, and substantively responding to requests. This will be particularly true in California, where many workers are unionized and will enjoy access to substantive rights under the CPRA as of January 1, 2023. States generally provide organizations with 45 days after receiving a data subject request to act on a request. See CPA § 6-1-1306(2)(a); CTDPA § 4(c)(1)); VCDPA § 59.1-577(B)(1); UCPA § 13-61-203(2)(a); Draft CPRA Regs. § 7021(b). However, certain obligations arise sooner. For example, in California, businesses must confirm to the data subject that they received his or her request to know or delete information and provide information on how they will process the request within 10 business days of receiving the request. Draft CPRA Regs. § 7021(a).
Organizations must also consider the technical measures that will need to be implemented to obtain compliance with some of these new laws. For example, under the CPA, data controllers who sell personal information or process personal information for the purposes of targeted advertising must allow consumers to opt-out “through a user-selected universal opt-out mechanism.” CPA § 6-1-1306(1)(a)(C)(IV)(B). This provision of the CPA becomes effective July 1, 2024. This focus on universal opt-out mechanisms is also shared by California’s Attorney General who, in the recent Sephora enforcement action, indicated organizations to which California’s comprehensive privacy law applies must recognize opt-out signals from mechanisms like the Global Privacy Control. See Rob Bonta, Attorney General Bonta Announces Settlement with Sephora as Part of Ongoing Enforcement of California Consumer Privacy Act (Aug. 24, 2022), https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement.
- Update Third-Party Agreements
Given the explicit contractual requirements set forth for specific types of third-party arrangements that are set forth in state comprehensive data privacy laws (e.g., third parties, service providers, contractors), it is important that organizations review their existing contracts with different types of third parties and update those contracts, as necessary, to include requisite statutory language, which can vary depending on the type of third party. In addition to updating to meet regulatory contracting obligations, organizations should update their contracts, as necessary, to help ensure that privacy and cybersecurity obligations and risks are properly addressed in each arrangement into which they have entered that involves transfer of or access to personal information. Organizations may, for example, need to update terms concerning indemnification and liability, cyber insurance, confidentiality, information security, statutory and regulatory compliance, secure disposition or return of records and information at contract termination or upon specific, written request, in their agreements. In addition to updating current contracts, organizations should create exemplar third-party contractual terms and/or data processing addenda that can be used in connection with future contracting.
- Develop Procedures Governing Data Protection Assessment Templates and Cybersecurity Audits
Data Protection Assessments (DPAs) will also be required for specified processing activities in California, Colorado, Connecticut, and Virginia. Examples of circumstances in which DPAs may be mandated include processing of sensitive personal information; selling personal information; sending targeted advertisements; profiling; and undertaking activities resulting in “heightened risks” to consumers. Taking into account DPA obligations set forth in relevant laws and in any applicable regulations that are implemented in the future, organizations should develop DPA procedures, that describe the factual circumstances that will trigger a DPA, and templates designed to be used in conducting requisite DPAs. In preparing such DPAs, organizations will be expected to weigh the direct and indirect benefits to the consumer and the public from their desired processing practices against any potential risks to the rights of consumers that may be associated with such processing. In conducting the necessary assessment, organizations may take into account any mitigating safeguards that could be implemented to reduce such risks. Organizations should prepare their DPAs with close consideration to relevant, specified requirements as DPAs must be made available to the appropriate attorney general upon request. Further, organizations subject to the CPRA will be expected to file such assessments with the California Privacy Protection Agency. See CPRA § 1798.185(a)(15)(B)).
The CPRA also provides for the issuance of regulations setting forth obligations for performing annual security audits on covered businesses whose processing presents “significant risk” to privacy or security. See CPRA § 1798.185(a)(15). Such regulations are expected to define the audit scope and establish a procedure designed to ensure that audits are “thorough and independent.” At minimum, we anticipate that organizations collecting and processing “sensitive personal information” will be expected to comply with the audit requirement. Entities whose processing presents “significant risks” will need to ensure they have procedures in place for conducting such annual audits. See id.
- Implement Information Governance Initiatives to Support Privacy Compliance
Organizations should implement fulsome information governance initiatives to support their privacy compliance efforts. Such initiatives include implementing appropriate information governance policies and procedures and actionable records retention schedules; developing processes designed to ensure necessary privacy-related records are retained; conducting legacy review and remediation projects; prospective personal information collection reduction; and training. Good information governance practices are critical in seeking to ensure compliance with relevant comprehensive privacy laws and the privacy principles set forth in therein, such as purpose limitation, data minimization, and transparency, and in seeking to ensure that recordkeeping, training, and other obligations set forth in such laws are met.
- Assess and Improve Information Security Measures
Last, but definitely not least, organizations should assess and improve their information security measures. Comprehensive state privacy laws require organizations to take “appropriate technical and organizational measures” to fulfill their data security obligations to consumers. See CPA § 6-1-1305(2)(a); CDTPA § 7(a)(1); VCDPA § 59.1-581(D); UCPA § 13-61-301(1)(b). Security measures must be appropriate to the risk of processing. What exactly constitutes “appropriate technical and organizational measures” is not explicit under the laws. However, the California Attorney General has previously endorsed the use of CIS Controls. Kamala D. Harris, California Data Breach Report (Feb. 2016), https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf. As another example, the Federal Trade Commission has stated the National Institute of Standards and Technology’s Cybersecurity Framework are consistent with the Federal Trade Commission’s security expectations and indicated that the Framework will help businesses better understand, manage, and mitigate cybersecurity risks. Federal Trade Commission, The NIST Cybersecurity Framework and the FTC (Aug. 31, 2016), https://www.ftc.gov/business-guidance/blog/2016/08/nist-cybersecurity-framework-and-ftc
- What Comes Next?
These five comprehensive privacy laws are the proverbial tip of the iceberg. Currently, there are active consumer privacy bills pending in Michigan, New Jersey, Ohio, and Pennsylvania. Multiple other states have introduced similar legislation in 2022 and over the past few years. On a federal level, the Federal Trade Commission announced it “is exploring rules to crack down on harmful commercial surveillance and lax data security.” Federal Trade Commission, Agency Seeks Public Comment on Harms from Business of Collecting, Analyzing, and Monetizing Information About People (Aug. 11, 2022), https://www.ftc.gov/news-events/news/press-releases/2022/08/ftc-explores-rules-cracking-down-commercial-surveillance-lax-data-security-practices. Although federal legislators introduced the American Data Privacy and Protection Act (ADPPA) in June of this year with bipartisan support, such legislation is unlikely to pass anytime soon, particularly because of the issues arising relating to the extent to which such a law would preempt state privacy laws. See, e.g., Nancy Pelosi, Pelosi Statement on Federal Data Privacy Legislation (Sep. 1, 2022), https://www.speaker.gov/newsroom/9122; Stacey Gray, The Bipartisan House Privacy Bill Would Surpass State Protections, Lawfare (July 21, 2022), https://www.lawfareblog.com/bipartisan-house-privacy-bill-would-surpass-state-protections. Organizations should expect that the patchwork quilt approach to U.S. privacy regulation will continue for the foreseeable future.
As winter turns to spring and spring turns to summer (and so on), it will continue to be important for entities doing business in the United States to continue to stay abreast of the ever-changing landscape of U.S. data protection and privacy laws and regulations. Thus, we want to close this article with a “bonus” recommendation to monitor relevant legal developments. Privacy and security obligations, in the U.S., and also globally, will continue to be a moving target for organizations. Entities should remain vigilant in monitoring for relevant legislative and regulatory developments in the area of privacy and data protection, and also in staying on top of privacy and security obligations imposed agreements with both customers and third-parties that receive or share personal information with them.
***
Fey, Laura, Level, Maddie, (2022), Winter is Coming: 10 Steps Organizations Should be Taking Now to Meet Their Obligations Under Expansive, New Privacy Laws, DRI’s For the Defense: October 2022, pg. 16-20
*Laura Clark Fey, Chair of DRI’s Cybersecurity and Data Privacy Committee and one of the first twenty-seven U.S. attorneys recognized as Privacy Law Specialists through the International Association of Privacy Professionals (IAPP), leads Fey LLC, a global data privacy and information governance law firm. She and her team help multinational and U.S. organizations develop and implement practical solutions to their unique data privacy and information governance challenges. Ms. Fey is a member of the inaugural class of IAPP Fellows of Information Privacy (FIP), a Certified U.S. and European Information Privacy Professional (CIPP/US/E), and a Certified Information Privacy Manager (CIPM). The U.S. Department of Commerce and the European Commission selected her as an arbitrator in connection with the former EU-U.S. Privacy Shield Framework Binding Arbitration Program. Ms. Fey, who is also an IADC member, teaches Global Data Protection Law at the University of Kansas School of Law and International Issues at Baylor Law School.
** Maddie Level is an associate at Fey LLC. She assists the firm’s clients in navigating a broad variety of global data privacy and information governance issues.