Preparing for US State Privacy Law Compliance: The Six Month Mark
With six months before the first of the new US state general privacy laws go into effect, there are several steps companies can take now to begin to prepare. Unfortunately there are some parts of compliance that will be impacted by regulations that have either not been drafted, or if drafted, remain unfinalized. What, then, can companies do now? Familiarizing themselves with the types of requirements and beginning to address and develop mechanics for those requirements is a good start. Fortunately for most, these will not be new, as they are conceptually covered by CCPA, GDPR, or both.
As a reminder, and as we have written previously, the Virginia privacy law and modifications to the California law go into effect January 1, 2023. The Connecticut and Colorado laws go into effect July 1, 2023, and the Utah law December 31, 2023. In putting together your plan, it is helpful to think about the impact that these laws have on the lifecycle of data collection and use. Namely, what impact they have on (1) notice, (2) consent, (3) vendor management, and (4) rights provisions. We have provided thoughts below organized by the order which an entity might want to think about these areas:
Rights Provisions: This is perhaps the area that will require the heaviest lift for companies. The laws expand the current California requirements to provide individuals with the ability to access and delete their information. They also add concepts of data portability and (for all but Utah) the ability to have information corrected.
Vendor Management: The new laws more closely mirror the GDPR in requiring certain contractual provisions when engaging third parties to “process” information on your company’s behalf. Now is a good time to conduct an audit of any such third parties and gather existing contractual terms. Contracts with those entities can be evaluated against what will be required under the upcoming laws.
Consent and Opt-Outs: Companies already have obligations to obtain consent in certain circumstances under various existing privacy laws (TCPA or COPPA for example) and to give individuals the ability to opt-out (CCPA and CAN-SPAM, for example). The upcoming laws add to the matrix by requiring consent for processing sensitive information in some states (Colorado, Connecticut, and Virginia), though an opt-out for the same information in others (California and Utah), and an opt-out of profiling. All states include a right to opt-out of “sale.” Companies can thus think about the extent to which they process sensitive information (which includes biometric and precise geolocation data) or engage in selling or profiling. The laws also introduce into law an opt-out of targeted advertising (already interpreted by the FTC as required to avoid allegations of unfairness and deception under Section 5 of the FTC Act).
Notice: While notice is what consumer’s see first, modifications to notice will likely be last on companies’ roadmaps. As your organization begins to think about notice updates, things to assess now include whether you will offer rights (access, deletion, correction, etc.) to individuals in all locations, or only in those locations that legally require it.
The regulations for each of these laws should (hopefully) clarify many implementation points. However, only California has released draft regulations (and Connecticut has sought pre-rulemaking input), but those have not yet been finalized.
Putting it Into Practice: With six months left before the first of the US state privacy laws go into effect, now is a good time to begin thinking about how your organization will address compliance. Sheppard Mullin has put together this compendium with copies of all of the laws (as well as GDPR), which should serve as a helpful resource.