Your organization must act now to become compliant with new state privacy regulations in the United States. With consumer privacy laws from California, Colorado, Virginia and now Connecticut and Utah set to take effect in 2023,1 there is little time for covered organizations to review their data processing activities and to implement the policies and procedures needed for compliance. Organizations that fail to become compliant with the new state privacy regulations by the 2023 deadlines may become ideal targets for cyberattacks, subject to data privacy lawsuits, and subject to regulatory fines and penalties. Moreover, although only a limited number of states have enacted comprehensive data privacy regulations to date, the effects of these laws reach beyond the states in which they were enacted and will surely impact organizations throughout the nation.
Most Companies Are Not Ready for Privacy Law Compliance
A new U.S. Data Privacy Law Compliance Survey (the "Survey")2 reveals how companies are getting ready for the major changes needed in their data processing activities in light of the consumer privacy laws from California, Connecticut, Colorado, Utah and Virginia that go live next year. A majority of the executives who responded to the Survey expressed satisfaction with the state of their compliance efforts, with 59% saying their companies are very prepared to meet the more stringent guidelines, 31% reporting that they are moderately prepared, and 89% disclosing that they have increased their budgets to comply with the new privacy regulations.3 However, when asked about the concrete steps taken toward compliance with the new regulations, less than half of the executives said their companies have completed the critical tasks needed to ensure they meet the new regulatory obligations, including data mapping, performing data assessments, and establishing timelines to track compliance. Thus, the Survey reveals that company executives may be too quick to report their companies are ready for compliance with the upcoming privacy laws, when a deeper look into their compliance efforts will show a major deficit in actual preparation.
Privacy Law Requirements and 2023 Compliance Deadlines
Generally, the new privacy laws will require businesses to ensure that their consumers have more access to and control over how their personal information is handled. Although these laws share key similarities, such as granting consumers rights of access, correction, deletion and rights to opt out of the sale of their personal data, they also contain important nuances that may complicate compliance efforts. For example, the laws contain minor differences concerning consumer rights, responses to global opt-out signals, and how to handle sensitive personal information. Ideally, every organization should develop a cross-functional team that includes legal and data privacy compliance professionals, as well as tech and risk management leads to ensure things get done properly.
The deadlines to comply with the new U.S. privacy regulations are as follows:4
- CPRA - The California Privacy Rights Act, which strengthens the state's landmark California Consumer Privacy Act, will take effect on Jan. 1, 2023.
- VCDPA - The Virginia Consumer Data Protection Act will take effect on Jan. 1, 2023.
- CPA - Colorado's Privacy Act will take effect on July 1, 2023.
- CTDPA - Connecticut's Data Protection Act will take effect on July 1, 2023.
- UCPA - The Utah Consumer Privacy Act will take effect on Dec. 31, 2023.
A Push for Federal Privacy Standard Could Ease Compliance Complications
A push by business and consumer advocacy groups to enact federal privacy legislation may be the best hope in offsetting the complications born from the expanding patchwork of state laws. One of the most promising efforts to date on this front comes from a bipartisan trio of congressional leaders who developed a proposal that would set a uniform national standard for how companies use, share and secure consumer information. The draft legislation would allow consumers to sue companies for alleged data processing violations and it would also preempt comprehensive state privacy laws while allowing more targeted state statutes to survive. Respondents to the Survey were overwhelmingly in favor of a national consumer privacy framework, with 88% of respondents indicating they would like to see a federal privacy standard that preempts individual state legislation.5
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.