2023 New Year’s Resolution: Effectively Comply with New Comprehensive State Privacy Laws
Tuesday, January 10, 2023
New Comprehensive State Privacy Laws for California and Virginia
Print Mail Download i

More than just New Year’s resolutions went into effect when the clock struck midnight on January 1, 2023. The California Privacy Rights Act (“CPRA”) and the Virginia Consumer Data Protection Act (“VCPDA”) are now effective in California and Virginia, respectively. These comprehensive data privacy laws, along with three other state laws going into effect this year, establish new and complex obligations for businesses. If your business has not taken steps to prepare for these privacy laws, it is high time to start that process to avoid violations and enforcement likely to follow later in the year. See below for a timeline of key dates.

The CPRA amends the California Consumer Privacy Act (“CCPA”), which was the first comprehensive privacy law in the United States. The CPRA does not expand the applicability of the CCPA, but does impose a number of new requirements. In addition to creating several new consumer rights, two important CCPA exemptions are no longer in effect as of January 1, 2023: (1) the exemption for certain employment-related information of workforce members, meaning employers’ obligations in handling workforce personal information have significantly expanded; and (2) the temporary exemption for certain business-to-business (“B2B”) personal information, meaning businesses will have to apply expanded requirements to personal information about business partners.

While the CPRA is in effect, the California Privacy Protection Agency (“CPPA”), the new agency created by the CPRA and tasked with enforcing the CCPA, has delayed issuance of final rules. During a December 16, 2022 board meeting, the CPPA Executive Director noted that the final rules will likely be released in late January. Until the final regulations are approved, existing regulations will be in effect.

As we discussed previously, though the state laws going into effect this year diverge in some significant ways, the laws share a common goal of protecting consumer data and, therefore, contain numerous similarities. This checklist of questions below may help your business prepare for compliance with these laws, as well as similar laws that may be enacted by other states in the future.

  • Have you conducted data mapping to identify the types, locations and uses of personal information (including sensitive personal information) collected or used about consumers, workforce members, and individuals obtained in B2B contexts?

  • Have you determined whether the personal information could qualify as a sale or sharing to any third parties?

  • Have you determined if your company is able to generate reports about personal information maintained pertaining to each consumer, and to correct or delete data?

  • To the extent personal information is sold or shared or characteristics are inferred from sensitive personal information, have you decided whether to: (a) comply with the CPRA’s opt-out or restrictions requirements; or (b) take steps to end any further sales, sharing, or inferring of characteristics?

  • Have you revised your website privacy policies?

  • Have you revised or implemented a CPRA privacy policy regarding how workforce members can exercise their data privacy rights?

  • Have you developed administrative processes to manage the response to requests to exercise rights?

  • Have you created governance structures to monitor compliance and coordinate with other departments within your company?

  • How will your organization monitor the rulemaking process in the relevant states and update any policies and practices accordingly?

  • Have you evaluated if your company should engage a reliable third-party auditor to conduct annual cybersecurity audits and privacy impact assessments?

  • Have you identified all service providers, contractors, and third parties that collect or use personal information and ensure that the agreements with such parties comply with any state law requirements?

  • Have you identified any contractual, statutory, or operational needs for retaining personal information, identified any redundant data for deletion, and considered engaging counsel to assist in establishing appropriate record retention policies and communications?

©2024 Epstein Becker & Green, P.C. All rights reserved.

Current Legal Analysis

More from Epstein Becker & Green, P.C.

U.S. Department of Labor Issues Final Overtime Rule Raising Salary Thresholds
by: Jeffrey H. Ruzal , Alexandria (Alex) Adkins
Medical Clinic’s Use of NDAs to Suppress Negative Online Reviews Violates Federal Consumer Review Fairness Act, Washington Federal Judge Finds
by: Eric J. Neiman
Chamber of Commerce and Others Swiftly File Lawsuits Seeking to Enjoin and Vacate the FTC’s Noncompete Rule
by: Daniel R. Levy , Erik W. Weibust
The FTC Finally Pulls the Trigger on a Final Noncompete Rule, with a Few Changes, but Remains Unlikely to Ever Hit Its Target
by: Erik W. Weibust , Peter A. Steinmeyer
Employment Law This Week Episode 343 - SCOTUS Expands Title VII, EEOC’s Final PWFA Rule, AI Screening Tools [Video, Podcast]
by: George Carroll Whipple, III
EEOC Final Rule Implementing the Pregnant Workers Fairness Act
by: Jennifer Stefanick Barna , Marguerite (Maggie) McGowan Stringer
Interested in Opening a Medical Spa? Here’s What You Need to Know
by: John W. Eriksen , Nivedita B. Patel
Five Commissioners and a Vote on Noncompetes to Come
by: E. John Steren , Patricia M. Wagner
U.S. Judicial Conference Aims to Curb "Judge Shopping": New Guidance Promoting Random Civil Case Assignments
by: Lori A. Medley , Scarlett L. Freeman
FTC Vote on Rule to Ban Non-Competes Scheduled for April 23rd
by: Mark L. Daniels

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins