It's been a busy summer for US state privacy laws, and companies now need to keep track of a growing list of requirements from these laws. These include many we have written about in the past, including notice, vendor contract provisions, and offering consumers rights and choices. The laws also impose certain record keeping requirements, which we discuss here.
- December 31, 2023: Utah
- July 1, 2024: Florida, Oregon, and Texas
- October 1, 2024: Montana
- January 1, 2025: Delaware (pending governor signature), Iowa, and Tennessee
- January 1, 2026: Indiana
The laws impose record keeping requirements on companies to whom the laws apply (for more about the laws' applicability read our prior post). These requirements overlap in many respects. They include:
- Rights requests: Records of rights requests must be kept for 24 months[1] (CA, CO), and in a readable and secure format (CO). Each record must include the date and nature of the consumer request and any business responses or denials (CA, CO).
- Deletion requests: Companies must also keep records of deletion requests and the minimum amount of data necessary to ensure that the consumer's personal data remains deleted and not used for any other purpose (CA, CO, CT, DE, FL, IN, MT, OR, TN, TX, VA).
- Metrics: Companies must compile annual metrics for the number of consumer requests and opt-out requests they've received (CA). As part of this, companies must track how many requests were processed or denied, and whether this was done in whole or in part[2] (CA).
- Data limitation: Information kept for record-keeping purposes should not be used for any other purpose (CA, CO).
- Assessments: If engaging in targeted advertising, selling data, engaging in profiling, or processing sensitive data, companies must conduct data protection assessments under all states' laws except those of Iowa and Utah. We discuss these requirements in more detail in our recent webinar. (And keep in mind that California is still working on regulations for these assessments.)
Companies should keep in mind that these assessments also carry record keeping requirements. Namely:
- Document every DPA conducted (CA, CO, CT, DE, FL, IN, MT, OR, TN, TX, VA).
- DPAs must be kept for three years (CO) or five years (OR).
Putting it into Practice: As the summer comes to a close, now is a good time to revisit your privacy programs. Keeping track of the various requirements under these laws is getting more complex. Having a scalable program that addresses record keeping and other requirements can make compliance easier.
1. § 7101(a); CPA Rule 6.11(A).
2. CA Regs § 7102(a).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.