The new year will mark numerous significant developments in data privacy law. In addition to several new regulatory schemes across multiple states, affected businesses will have to navigate substantial changes in the country’s most comprehensive data privacy regulation to date, the California Consumer Privacy Act (CCPA).In this post, we will briefly outline the new state regulations coming into effect, summarize some of the changes to California’s data privacy scheme, and share a few thoughts about what to expect in the data privacy landscape as we head into the new year.
New State Regulations
While 2022 saw limited progress toward an overarching federal regulatory scheme for data privacy, at least four states have passed new, comprehensive data privacy regulations that go into effect throughout 2023:
- The Virginia Consumer Data Protection Act (VCDPA), will take effect January 1, 2023. The VCDPA includes consumer rights and notice requirements that should be familiar to businesses who have dealt with CCPA compliance, as well as some newer requirements for opt-outs, security, and other aspects of consumer data processing.
- The Colorado Privacy Act (CPA), will take effect July 1, 2023. Like Virginia’s law, the CPA includes a number of requirements similar to those under the CCPA, but diverges in key areas, especially related to targeted advertising, data processing restrictions, and enforcement.
- The Connecticut Data Privacy Act (CDPA), will take effect July 1, 2023. It tracks fairly closely with the other 2023 regulations, but businesses should be aware of small differences that will impact their processing practices for Connecticut consumers.
- The Utah Consumer Privacy Act (UCPA), will take effect December 31, 2023. Again, businesses will notice significant similarities between the UCPA and the new state regulatory schemes in Virginia and Colorado; however, the UCPA is arguably less onerous than its counterparts in many respects.
Each of these states also have different thresholds for applicability, generally based on factors like volume of personal data processed by the business and the value of that data to the business, so businesses should carefully evaluate these thresholds to determine whether they are subject to these regulations and, if so, their obligations across their organizations.
Changes to California’s Regulatory Scheme.
Since it went into effect on January 1, 2020, the CCPA has undergone significant changes, whether through multi-version regulations or myriad amendments. With the passing of the California Privacy Rights Act (CPRA), for better or for worse, businesses should once again plan to re-evaluate their California data privacy compliance efforts.
Changes under the CPRA touch on nearly every facet of its predecessor, including the following concepts and provisions:
- New Enforcement Agency. In another U.S. data privacy first, the CPRA creates a designated state agency to interpret and enforce the CPRA.
- Applicability. The CPRA modifies the definition of “business,” which in turn changes the thresholds for applicability.
- Classifications of Personal Information. The CPRA introduces a new category of personal information, called “sensitive personal information.” Certain rights under the CPRA, including the new right to correction, apply specifically to sensitive personal information.
- Employee and B2B Information. The exemptions for employee and B2B data that existed under the CCPA will expire when the CPRA goes into effect, making businesses responsible for satisfying their CPRA requirements as to all employee and B2B information, in addition to the prototypical “consumer” information. [For more information on Employee Information, see our blog post.]
- Requirements for Subprocessors. The CPRA also strengthens the requirements concerning downstream data processing, creating additional contractual requirements for service provider and contractor processing of personal information.
- Additional Operational Requirements. Under the CPRA, businesses will have increased internal obligations related to personal information, including specific record retention and cyber/privacy risk assessment requirements.
This is neither a complete nor exhaustive list of the changes coming to California’s data privacy laws, and businesses that may be subject to the CPRA should conduct compliance reviews to determine whether and how their current practices need to adapt in order to stay compliant.
While the CPRA goes into effect on January 1, 2023, businesses should be aware that it includes a one-year “look back” provision that makes data collected in 2022 subject to the terms of the CPRA.
Changes on the Horizon
While businesses already have plenty to contend with in 2023, the data privacy landscape is continuously changing. Nearly every other state in the U.S. is considering, or has considered, implementing its own comprehensive data privacy law, and we can expect to see more movement in the coming months.
In order to stay on top of this increasingly fast-paced area of the law, businesses should keep an eye on new developments at the state and federal level, and be prepared to make serious commitments to their data privacy compliance efforts ahead of—and into—the new year.