State legislatures throughout the country were busy in 2022 introducing comprehensive data privacy bills.

Despite the widespread legislative activity, Connecticut and Utah were the only two states to successfully enact privacy laws this year.

In doing so, they joined California, Colorado, and Virginia, adding to a complex patchwork of state privacy laws enacted over the past few years, and with which companies will be busy complying throughout 2023.

Depending upon which of these state privacy laws apply to your business, your time between now and the end of next year could be spent assessing and implementing information governance controls in order to comply with the California Privacy Rights Act or the Virginia Consumer Data Protection Act by Jan.1, 2023; Connecticut's Act Concerning Personal Data Privacy and Online Monitoring or the Colorado Privacy Act by July 1, 2023; and the Utah Consumer Privacy Act by Dec 31.

This update will discuss some of the core provisions in common among the five states' privacy laws, and provide advice for navigating through them.

Applicability

In general, each state law applies to for-profit entities, generally referred to as "controllers," conducting business or offering products or services targeted to residents of the particular state and meeting certain thresholds with respect to revenue and/or the volume of consumer data within their control.

The CPRA, for example, amends the California Consumer Protection Act, which went into effect on Jan. 1, 2020, to apply to entities that collect personal data from California residents and either: (1) have at least $25M in gross annual revenue; (2) buy, sell or share personal data of 100,000 or more state residents or households; or (3) derive 50% or more of annual revenue from selling or sharing California personal data.

In Connecticut, the CTDPA applies to certain for-profit entities that either: (1) control or process personal data of at least 100,000 consumers; or control or process personal data of at least 25,000 consumers and derive more than 25% gross revenue from the sale of personal data.

In addition to the types of entity-level applicability provisions described above, certain data categories may also be exempt.

All five states currently exclude certain data that are already protected by other state or federal laws, such as health information protected by the Health Insurance Portability and Accountability Act.

Employee human resource data and business-to-business contact data will become subject to protection in California beginning on Jan. 1, when the CPRA takes effect, but is exempt or effectively exempt from each of the other states' laws.

Consumer Rights and Business Obligations

Each state law, in varying degrees, requires a controller to honor certain consumer rights with respect to their personal data.

These rights include the right to: access their personal data and confirm whether it is being processed; correct inaccuracies in their personal data; delete personal data; obtain a copy of their personal data in a transmittable format; and to opt-out of targeted advertising and the sale of their personal data.

Controllers subject to one or more state privacy laws must ensure they have procedures in place to fulfill their obligations to consumers on or before the applicable 2023 effective date.

In addition to consumer rights, state privacy laws obligate controllers to, among other things, provide a privacy notice to consumers, implement administrative, technical, and physical data security practices to protect personal data, implement certain contracting requirements with vendors responsible for processing personal data on their behalf, and conduct data security assessments.

While there is variation among each state's requirements in these areas, they are similar in their fundamentals and should be familiar in concept to any organization that has already been subject to the vanguard General Data Protection Regulation that came into force in the European Union in 2018.

In Connecticut, for example, controllers must provide consumers with a privacy notice describing the categories of personal data processed, the purposes for which each category of data are processed, how a consumer may exercise a right, the categories of personal data shared with third parties and the categories of those third parties, and how the consumer may contact the controller.

The CTDPA also requires controllers to enter into written contracts with third parties to govern their processing of personal data, and to conduct and document data protection assessments for each of its activities presenting a heightened risk of harm to a consumer, including targeted advertising, sale of personal data, and the processing of sensitive data.

Depending on your existing information governance infrastructure, implementing the operational processes required to comply with the various state privacy laws coming into effect next year may require anywhere from a full compliance program build to a series of policy and procedure modifications or enhancements.

Regardless, it is important not only to start the process as soon as possible, but to begin to incorporate the principles of privacy, cybersecurity, and good information governance into your corporate culture at all levels.

Compliance Program

As a preliminary step, consult with an attorney in order to determine which state law(s) apply to your business.

This will then help to assess whether it is most effective and efficient to take a universal approach to compliance, whereby compliance with the most stringent applicable requirement is built into a standardized process, or jurisdictional approach, in which processes may vary depending on the applicable rules.

During the period leading up to the first applicable effective date in 2023, focus on the following:

  • Data inventory and mapping: understand where your data reside, who can access it, how it is being used, and how it is being transmitted or shared (both within your organization, and—most importantly—externally).
  • Review data privacy and security policies, consent processes, and supporting controls you have in place to ensure consistency with applicable law(s).
  • Conduct privacy and security impact assessments, prioritizing high risk data processing activities including, for example, health, financial, or minor data processing.
  • Review vendor contracts and amend as necessary to include privacy/security or data processing provisions as required.
  • Conduct internal privacy and security training covering general privacy and security best practices, and addressing the applicable state-specific privacy and security provisions.

As the compliance deadline approaches:

  • Ensure you have developed a plan to remediate any gaps identified in the privacy impact assessments and that you have begun the process of closing those gaps.
  • Establish privacy, security, and risk metrics in order to measure the success and compliance of your information governance programs.
  • Develop ongoing training and awareness programs for staff, management, and your board.

Finally, keep in mind that any effective compliance program is always a work in progress.

The privacy law landscape will likely continue to evolve in 2023, with potential for rulemaking by the Federal Trade Commission and for a federal data privacy law (the American Data Privacy and Protection Act) to gain additional momentum in Congress for passage or amendment after the mid-term elections.

It is a best practice to revisit your policies and procedures on a regular basis in order to update them in response to legislative developments, and—more importantly—your own lessons learned.

This alert first appeared on CBIA's website and is published here with permission.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.