According to CPO Magazine, it’s never too early to start thinking about the impact of the new privacy regulations that go into effect in three states in 2023. Since one of those is my home state of Virginia, here is some helpful advice from their recent article as we all prepare for the new regulations.
New omnibus privacy laws will go into effect in California and Virginia on January 1, 2023, creating a slew of updated regulatory requirements for businesses. Colorado won’t be far behind, with the state’s own version of the law going into effect on July 1, 2023. This new patchwork of state privacy laws—which will almost certainly trigger similar lawmaking in other states in the future—means it’s time for businesses across the country to start creating plans to comply with new regulations.
The three laws are similar and will put a variety of new items into law, including:
- New privacy notice disclosure requirements
- Restrictions on the use of certain sensitive personal information
- New rights for consumers, including the ability to opt-out of data processing
- The creation of an appeal process for consumers to correct their personal information
- Increased regulatory authority
Additionally, California’s updated law will create a European-style data protection agency, known as the California Privacy Protection Agency, with full enforcement and rule-making authority. This will be the first watchdog agency in the United States devoted solely to consumer data privacy—a significant development that will have ramifications across the U.S.
To get ready for the privacy changes coming in 2023, businesses should put these crucial tasks on their to-do lists in the coming months.
1. Update your privacy notices
Privacy policies are one of the most obvious indicators that a company is noncompliant with privacy laws. As a result, regulators tend to monitor policies closely. Even if you are compliant in all other respects, a non-compliant privacy notice may trigger regulatory interest.
All three new laws require new privacy notice disclosures related to sensitive personal information and data subject requests. Notices may need to be updated to: (1) reflect new data subject rights; (2) expand disclosures about the collection and sharing of information (including identifying how each category of personal information may be shared with categories of third parties); (3) identify retention periods for data storage; and (4) include statements regarding the use of de-identified data.
2. Review the personal information your company is storing
The new laws create restrictions on the use of certain sensitive personal information, including demographic information (such as race or sexual orientation) and certain personally-identifying information (such as Social Security numbers), as well as information used in targeted advertising. If your company has any personal information in its possession, it’s time to review what you have and determine whether you really need it. If you haven’t done so already, 2022 is the year to get data retention schedules and controls in place. The more you minimize your data footprint and streamline your data use, the easier compliance with new laws will be next January.
3. Get your data subject request process in order
Significantly, all three laws provide for new data subject rights. Citizens of Virginia, California and Colorado now have the right to correct inaccuracies in their personal information and to opt-out of the use of their personal information for targeted advertising or profiling. Additionally, the new laws call for the creation of an appeal process for consumers to dispute denials of their data requests.
To comply with new laws, companies will have to update their processes (or perhaps build processes from scratch) to ensure that:
- Data subjects are provided with their personal information in a readily usable format upon request;
- They can verify the accuracy of any information a consumer wants corrected or deleted;
- They respond to data subject requests within 45 days; and
- Consumers have access to an independent and fair appeal process that can pass regulatory muster.
Meeting these requirements is no small feat, especially if your company doesn’t have any existing infrastructure to address consumer data complaints and requests. It’s crucial that you begin nailing down the details of your company’s response to the new rules now, so you aren’t blindsided next January.