With five U.S. states having data privacy laws going into effect in 2023, Bass, Berry & Sims attorney Colton Driver authored an article for Corporate Counsel detailing some time-sensitive considerations for in-house counsel to run an effective “two-minute drill” to ensure their privacy compliance programs are up to par ahead of those deadlines.
“The first thing you should know as you prioritize your compliance initiatives before the end of 2022 is that only two of the five upcoming US state privacy laws actually take effect Jan. 1, 2023,” Colton explained. “Those are the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (CDPA). Upcoming laws in Colorado and Connecticut do not go into effect until July 1, 2023, and Utah’s law becomes active on New Year’s Eve 2023.”
While companies will likely want to institute measures designed to cover all these laws at once, they may consider which laws they are actually subject to in order to help prioritize. For example, companies that don’t do business in California or Virginia but do business in Colorado and/or Connecticut may have six additional months to prepare. Still, planning now for whichever regulatory framework the business falls under is a wise step toward a well-organized approach.
Looking at the different pieces of legislation holistically, Colton noted that there are common denominators when it comes to the various jurisdictions, such as notice obligations. But he cautioned that different privacy laws have distinctions in requirements that should be taken into account when developing such language. “What you do not want to do is update your privacy notice to be ‘compliant’ without ensuring that everything in the notice is complete and accurate,” Colton explained. “You might not get hit for a privacy violation if a regulator does not dig too deeply, but you could have a larger set of issues on the FTC or SEC front (or from state regulators) if you do things with the data in reality that you ‘don’t’ do according to your privacy notice and your notice is inaccurate or incomplete as a result.”
The upcoming laws include requirements to honor various types of consumer requests, and those also will have variations across the different state requirements. For example, a right to limit what a company does with sensitive data is achieved by opt-out in California but via express consent (opt-in) in Virginia and elsewhere.
While there are differences in what is required across the different statutes, certain considerations are consistent across jurisdictions. These include conducting an inventory of the data held by the business, documenting data impact assessments and the data-use provisions in vendor contracts, and reviewing and managing vendor risk.
The full article, “Two-Minute Drill: Check In on Upcoming State Privacy Laws Now,” was published by Corporate Counsel on November 17 and is available online.