There’s no doubt 2022 will be a big year for data privacy compliance, with three new state laws going into effect in 2023. On January 1, 2023, the California Privacy Rights Act (CPRA) will amend and expand California’s current comprehensive data privacy law, the California Consumer Privacy Act (CCPA), and Virginia’s first comprehensive privacy law, the Virginia Consumer Data Protection Act (VCDPA), will also go into effect. Six months later, on July 1, 2023, Colorado will follow when its first comprehensive privacy law, the Colorado Privacy Act (CPA), goes into effect. If keeping up with the acronyms alone is difficult, ensuring compliance will likely take some work.
While all three laws have significant overlap, there are nuances in each that warrant strategic planning to help mitigate potential friction with your business operations. Below, we provide an overview of each law, explaining key similarities and differences, and recommend a few areas worth considering as you develop your compliance programs.
California
While the CPRA is an amendment to the CCPA, it brings with it some notable changes. For instance, the law will apply to any for-profit business operating in California that (1) has at least $25 million in annual revenue from the prior year; (2) buys, sells, or shares the personal information of at least 100,000 California residents (double the CCPA’s 50,000 threshold); or (3) derives at least 50 percent of its annual revenue from selling or sharing personal information.
In addition to complying with the underlying framework provided by the CCPA on disclosures, data subject rights, and contractual requirements, to name a few, the CPRA imposes a series of new obligations. Notably, the CPRA expands data subject rights, giving consumers the right to request that businesses correct their personal information and the right to limit the use of their sensitive personal information. The CPRA also introduces a broad definition of “sensitive personal information.” In addition, consumers gain more control over whether their personal information is disclosed for interest-based advertising with the advent of the “Do Not Share” right, which restricts the disclosure of personal information to third parties for cross-context behavioral advertising. Unlike the “Do Not Sell” right under the CCPA, which rested, in part, on whether data was disclosed for “monetary or other valuable consideration,” this newly minted right applies regardless of whether anything of value was exchanged. Considering the expansion of consumer rights and the new classifications under the law, companies may need to revisit their data inventories to address the latest consumer rights.
The CCPA regulations introduced user-enabled global privacy controls (GPCs), intended to streamline how consumers opt out of the sale of their personal information. What was most likely intended to simplify how consumers exercise their opt-out rights has instead become a compliance challenge for many. For example, operationalizing GPCs in the context of cookies and other passive online tracking has proven difficult, with few technical solutions to ease the compliance burden. The CPRA, along with the California Attorney General’s Office’s enforcement letters from July 2021, reinforces the need for creative solutions to address how businesses respond to a consumer’s request to opt out via a GPC signal.
The CPRA also includes “contractors” as a new category to consider when evaluating data exchanges. The “contractor” distinction will be important to consider when evaluating whether a business is serving as a “service provider,” and companies will now need to update their data processing addendums to include the contractual requirements provided by the CPRA for contractors and service providers.
In addition, the exemptions related to personal information processed in the business-to-business (B2B) or employment context are due to sunset, which would expand the law’s reach to cover previously excluded information. This means that any applicability assessments done for CCPA purposes should be revisited. Because of the new scope, it is recommended that businesses update their data inventory to better understand their activities related to previously exempt information. Companies will also need to ensure that proper back-end systems are in place to receive, process, and respond to data subject requests related to business or employee data.
The law also creates a new state agency, the California Privacy Protection Agency, tasked with enforcing the CPRA and promulgating various rules. While the new agency is still in its infancy, it will play a key role as the first U.S. agency dedicated to data privacy enforcement. It has broad regulatory and enforcement powers and will set the tone for compliance in the state and, plausibly, in other states.
While the CPRA provides several new compliance obligations, it is important to note that further rulemaking is expected, which may have additional impact on current business practices.
Virginia and Colorado
Comprehensive privacy regulation is no longer reserved for California operations only. In 2023, two more states will have robust privacy laws go into effect. Fortunately, the Colorado and Virginia privacy laws are similar to the California law in many respects. For example, the Colorado and Virginia laws contain data subject rights, such as the right to access, correct, and delete personal data. Both states will also require a data protection assessment before engaging in certain data processing activities. Moreover, companies are required to include certain contractual clauses in agreements with entities that process personal data on their behalf.
However, the Virginia and Colorado laws also differ notably from the California law. For example, the definition of “personal data” is arguably narrower than it is under the California law, as the Colorado and Virginia laws exclude B2B and employee data. Additionally, these states offer additional data subject rights, including a process for consumers to appeal a controller’s refusal to act on a request. Moreover, both laws provide a right to cure (although Colorado’s is set to sunset in 2025). Finally, both laws impose requirements on “controllers” and “processors,” which aligns them more closely with the General Data Protection Regulation in the EU.
How can you prepare?
Compliance with the California, Colorado, and Virginia privacy laws will necessitate agile, forward-thinking, and strategic planning. Gone are the days when compliance could be achieved by focusing on a single state. In navigating this complex regulatory landscape, companies should consider revisiting their compliance programs, which should include:
- Conducting gap analyses of existing compliance programs against the new requirements
- Creating or updating data inventories to account for changes in the laws
- Considering data exchanges to determine whether additional opt-ins or opt-outs are required
- Ensuring privacy policies have adequate and detailed disclosures
- Developing internal protocols to address new or modified data subject rights
- Updating relevant vendor agreements as needed
Additionally, businesses should closely follow legal developments in these states, as new regulations will likely be issued and may require companies to adjust quickly to comply with this ever-changing area of the law.