We kicked off 2023 with the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA) taking effect. As we move into Summer, businesses should be preparing for more comprehensive data privacy laws to take effect. On July 1, 2023, both the Colorado Privacy Act (ColoPA) and Connecticut Data Privacy Act (CTDPA) will become effective and enforceable, and the CPRA will become enforceable by the California Privacy Protection Agency and California Attorney General. Then, to round out the year, the Utah Consumer Privacy Act (UCPA) will become effective and enforceable on December 31, 2023.
A violation of the ColoPA can result in a $20,000 penalty, which can increase to $50,000 for violations against a person over 60 years old. For the CTDPA, penalties can reach $5,000 per violation. Because of these potentially steep penalties for non-compliance, businesses should ensure they are prepared for the additional regulation and enforcement that 2023 will bring, especially for the laws taking effect on July 1.
In general, these state comprehensive privacy laws regulate certain businesses' uses of personal data of the respective states' residents and increase consumer protections for such personal data. While these laws contain nuances, for the most part, they are substantially similar. Below is a condensed list of important activities each business that is subject to the ColoPA or CTDPA will want to conduct in order to facilitate compliance with these laws before July 1, 2023. Businesses already subject to the CPRA or VCDPA may also want to conduct these activities in order to make any necessary updates for complying with the ColoPA or CTDPA.
- Audit and review all data-related operations to map out what personal data your business has, how you collect and use it, who has access to it, and where you store it.
- Implement policies to annually review all data-related operations.
- Review privacy policies and notices to ensure they contain the proper information, including appropriate disclosures with respect to consumer rights and how to utilize those rights.
- Develop sufficient method(s) for obtaining consumer consent where required, such as for processing sensitive data.
- Ensure data processing agreements with third-party processors include legally-required provisions.
- Evaluate security measures for your business and third-party processors to ensure adequate protection of personal data.
- Implement procedures for handling consumer requests, including processes to receive and timely respond to requests and allow consumers to appeal your decisions.
- Ensure adequate record keeping policies are in place to document compliance, including to ensure you purge personal data after you no longer need it.
- Conduct and document data protection assessments as necessary, such as to engage in targeted advertising, the sale of personal data, processing of sensitive data, or certain profiling.
July 1 is only one of many upcoming, important dates in the data privacy world. The Tennessee Information Protection Act (TIPA), Iowa Consumer Data Protection Act (Iowa CDPA), Indiana Consumer Data Protection Act (Indiana CDPA), and Montana Consumer Data Privacy Act (MCDPA) are all scheduled to become effective between 2024 and 2026.
Because there is significant overlap between these laws, it may be more cost-effective and efficient for your business to review and update its data privacy practices in accordance with all of the applicable laws at once. Lewis Rice's Cybersecurity & Data Privacy group is well-versed in the compliance process and has developed resources to assist clients with reaching and maintaining compliance with these laws.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.