July 1st, 2023 is a big day in the data protection calendar. For the first time, four U.S. states will have privacy laws effective and enforceable:
- The California Consumer Privacy Act as amended by the California Privacy Rights Act of 2020 (CPRA) (collectively, CCPA);
- The Virginia Consumer Data Protection Act (VCDPA);
- The Colorado Privacy Act (CPA); and
- The Connecticut Data Privacy Act (CTDPA)
The CCPA, as amended by the CPRA, has been effective since January 1st, 2023 and becomes enforceable on July 1st. VCDPA became both effective and enforceable on January 1st, 2023, and both CPA and CTDPA become effective and enforceable on July 1st, 2023.
Fortunately, there is a lot of overlap in the requirements of these four laws, so much of the work businesses have already done to comply with the first state privacy law (CCPA, in force since January 2020) will be useful. However, there is definitely more work to do, as there are some variations in requirements. A further complication is the impending arrival of other state laws, including Utah's, which are due to come into effect by the end of 2023.
Businesses may be tempted to wait and assess the full landscape at the end of the year. This is not recommended, and in particular risks being burned by enforcement action in California and Colorado. Beyond the stress and financial penalties that can result from enforcement action, there are other things to consider: enforcement action will inevitably cause reputational damage and erosion of consumer trust, and could even see consumers responding by taking their business elsewhere.
So where should businesses be focusing their compliance efforts? Here are our Top Tips:
1. Revisit privacy notices
All four laws have slightly different requirements for a privacy notice with CCPA and CPA being the most prescriptive. To comply with CPA a privacy notice must include:
- The categories of personal data collected or processed
- The purposes for which the categories of personal data are processed
- Explanation of how and where consumers may exercise their rights
- The categories of personal data that are shared with third parties
- The categories of third parties with whom the controller shares personal data
- Categories of personal data sold or processed for targeted advertising
The CCPA requirements for a privacy notice go even further, requiring businesses to also communicate:
- Categories of sources of personal data
- Confirmation of whether the business uses or discloses sensitive data for non-specified purposes
- Confirmation of whether the business has actual knowledge that it sells or shares the personal information of consumers under 16 years of age
- Data retention details
- A summary of financial incentives
- The date the policy was last updated
Complying with either the CCPA or CPA notice requirements will generally be enough to satisfy the requirements of VCDPA and CTDPA. It is worth noting, however, that while VCDPA and CTDPA do require businesses to provide consumers with a privacy policy, unlike CCPA they do not require this information to be provided at the point data is collected from the consumer.
Many businesses find that a layered approach to privacy notices aimed at individuals in different states works best.
2. Targeted Advertising Opt-out Rights
One of the major differences between the CCPA and the other three state laws is the scope of the right to opt out of targeted advertising. The CCPA allows consumers to opt out of the sharing of personal information with third parties for the purpose of cross-context behavioral advertising, meaning targeted advertising based on the consumer's personal information obtained across distinct businesses, websites, applications or services.
The right to opt out in the CPA, VCDPA and CTDPA is broader and applies to the processing of personal data for the purposes of targeted advertising. So to comply with the non-Californian acts, when an individual opts out, businesses must not only stop disclosures to third parties for the purpose of targeted advertising but must also stop their own internal processing of personal data for that purpose. Each business will need to decide whether to run two separate opt-out processes, one for CCPA and one for the other states. Some organizations will conclude that the extra process is worth it for the opportunity to keep processing Californian consumers' data internally for advertising purposes.
3. Data Protection Risk Assessments
The CPA contains the most extensive requirements on data protection assessments including rules on:
- evaluating at least 13 issues relating to the risks associated with the processing of personal data
- updating the assessments whenever the risks levels materially change
- involving all relevant employees from across the business and any necessary external entities to properly assess the risks.
- if the processing activity is profiling, the assessment must be reviewed and updated at least annually
- storage for at least three years after the processing activity has ended.
The VCDPA and CTDPA requirements for data protection risk assessments are almost identical to each other and less onerous than CPA, so if businesses follow the rules for CPA they will most likely satisfy the requirements of both VCDPA and CTDPA.
Under VCDPA and CTDPA, businesses must conduct and document a data protection risk assessment that evaluates the risks associated with processing activities when:
- processing sensitive data
- processing personal data for targeted advertising
- selling personal data
- processing personal data for profiling when it presents a reasonably foreseeable risk of harm to consumers
- other processing activities that present a heightened risk of harm
However, while VCDPA and CTDPA both specify the types of activities that must be assessed, they do not indicate how often assessments must be carried out or how long they must be kept, beyond stating that they should be retained for a reasonable period. Colorado generally requires retention for three years, so this is probably a good standard to use.
The details of data protection assessments have not yet been addressed under the CCPA as revised by the CPRA, which leaves them to be determined in rulemaking. The California Privacy Protection Agency is currently seeking preliminary public input on this topic. At the moment, it is considering basing its data protection assessment rules on the European Data Protection Board's ("EDPB") guidelines and incorporating CPA requirements. Accordingly, it would be sensible for businesses subject to the CCPA to be prepared to abide by the more extensive CPA requirements set out above.
Preparing for the privacy patchwork
There are another seven comprehensive state privacy laws making their way through the legislative process hot on the heels of the four discussed here. The Utah Consumer Privacy Act is next up, becoming effective on December 31st, 2023.
The patchwork of state legislation is not making things easy for businesses operating in multiple states across the US, and it is only going to get more difficult as the other laws come into force. We expect to see businesses do a detailed assessment of the similarities and differences between the states, and the most sensible approach will be to align policies and procedures to the strictest requirement on each point unless there is a significant commercial reason not to do so.
Building towards the future - together
Before making any investments or overarching modifications to your technology stack or partner network, it is imperative to have all business stakeholders work from the same playbook.
It is critical that organizations implement technology that gives their marketing teams the confidence to continue using data to power their advertising campaigns while adhering to all privacy regulations and guaranteeing the security of the data itself. In Europe, the arrival of the GDPR led to the rapid adoption of data clean room technology, something we are now seeing sweep the US as well. This data collaboration technology enables privacy-centric businesses to use their customers' data to drive commercial growth while remaining compliant with an ever-shifting privacy landscape.
These decisions were not made lightly or in silos. Those businesses that have been the most successful in transforming investment in privacy-enhancing technologies or data clean room infrastructure into an immediate return on investment have done so as a unified organization. Including legal and privacy early on during the consideration and procurement phases has not only accelerated the infosec and contractual process but reduced business risk while maximizing campaign performance. InfoSum is actively working with our clients and partners to best navigate this shifting landscape to provide a clear and sustainable path forward.