As 2022 comes to a close, many of us are thinking about the changes we want to make in the new year. But whether you’re adopting a healthier lifestyle, kicking a bad habit, spending more time with family, or taking up a new hobby, your New Year’s resolutions aren’t the only changes happening in 2023.
There are also a number of significant changes to privacy laws coming up in the next year.
This includes changes and additions to U.S.-based legislation, new directives from the European Union (EU), and a new privacy regulation in China. With new laws on the horizon, many organizations outside of historically regulated industries (like healthcare or finance) do not have the infrastructure in place to meet privacy or information security requirements.
Implementing and operationalizing privacy is a significant endeavor, and it doesn’t happen overnight.
Regardless of the maturity of your organization’s data governance or privacy programs, you should review the changes coming in 2023 to ensure that you can meet new or evolving requirements and maintain compliance. Let’s start by examining what’s on the horizon.
Changes ahead in the U.S.
If your organization is located, operating in, or serving consumers in a location that has privacy protection laws in place (namely California), you’re probably familiar with the current requirements. However, there are important changes coming.
With the continued absence of a comprehensive federal law, four states have followed California’s lead. These states are Colorado, Connecticut, Utah, and Virginia, all of which passed privacy laws this year that will take effect in 2023. California is also facing important updates in 2023.
Keep in mind that the effective dates and enforcement dates for these state laws vary, as do the “cure periods.” These cure periods give parties (in this case, organizations covered by a privacy law) the legal right to remedy their faults and take steps to ensure compliance. While some states have indefinite cure periods, there are a couple of exceptions.
Let’s look at a summary of the key dates for upcoming changes and new requirements:
California Privacy Rights Act (CPRA)
CPRA amends and expands the California Consumer Privacy Act (CCPA), and will become effective on January 1, 2023. However, only as of July 1 will it be enforced—this includes creating new requirements, consumer privacy rights, and enforcement mechanisms for applicable organizations.
What you need to know about CPRA
Among the changes that CPRA will bring about include:
- Adding special categories of information such as personal identifiers that include data such as social security or drivers license numbers, precise geolocation information, racial or ethnic origins, genetic data, biometric data, and more
- New requirements for data belonging to minors and implementing automatic fines for violations involving data belonging to minors
- Establishing limits on data collection and storage
- Expanding individual rights to include the right to correct inaccurate information companies have on them and the right to limit the use and disclosure of sensitive information to CCPA’s list of rights
- Implementing enforcement mechanisms, including the newly-created California Privacy Protection Agency
- And more
Read more about steps to take to prepare for CPRA
It also expands to include how business to businesses (B2B) must handle personal information and creates new rights for employees and their data.
Workplaces and B2B businesses will now be subject to the same rigorous California privacy regulations as consumer personal information. This means—among other things—that employees of an organization must be provided notice of their rights under the CPRA and be able to advise the employer of their exercise of these rights. The employer also has limited time to respond to a request and must properly document all responses, much like they are required to do for consumers.
Virginia Consumer Data Protection Act (VCDPA)
VCDPA passed, the effective and enforcement date is January 1, 2023. There are many similarities to California’s CPRA, as well as areas that are inspired by the EU’s General Data Privacy Regulation (GDPR). This state law, however, is sufficiently different from the GDPR to require a tailored compliance strategy.
Colorado Privacy Act (CPA)
CPA take effect in 2023. This law is largely modeled after Virginia’s law, but it also overlaps with California’s CCPA and CPRA. The effective date for the CPA is July 1, 2023, rather than January 1.
What you need to know about CPA
The Colorado Privacy Act (CPA) doesn’t add or expand on notable new requirements that aren’t addressed in other state privacy laws. The CPA will apply to for-profit and nonprofit entities that conduct business in Colorado or deliver commercial products or services targeted to Colorado residents.
Additionally, to be covered by CPA, the organization must also surpass either of the following thresholds:
- Process the personal data of more than 100,000 consumers within any calendar year
- Gain revenue or receive discounts on goods or services in exchange for the sale of personal data of 25,000 or more consumers
Service providers, contractors, and vendors that manage, maintain, or provide services relating to the data on behalf of these companies are also subject to the new law.
One distinction it holds is that it has the longest right-to-cure period, which clocks in at 60 days. That provision expires on January 1, 2025. During the cure period, the Attorney General must give notice and an opportunity to cure any violation before taking enforcement action—but keep in mind that they may act without such notice from January 1, 2025, onward.
Utah Consumer Privacy Act (UCPA)
UCPA is the late bloomer of the group, with an effective and enforcement date of December 31, 2023. The UCPA is largely modeled after the VCDPA, but also overlaps with the CCPA/CPRA. It also uses categories like “controller” and “processor,” similar to the GDPR and VCDPA. Lastly, the UCPA, like the CPA, does not have an indefinite cure period—its cure period will expire on December 31, 2024.
What you need to know about UCPA
Unlike other states, Utah has included a minimum revenue threshold, and additional thresholds which must apply for an organization to be covered by UCPA. The UCPA applies to for-profit entities that conduct business in Utah or target products and services to Utah residents, have annual revenues of at least $25 million, and meet either additional threshold requirements.
Those two thresholds include:
- Annually control or process the personal data of 100,000 or more Utah residents.
- Make over 50 percent of their gross revenue from the “sale” of personal data, and control or process personal data of 25,000 or more consumers.
Note that UCPA exempts certain types of data, including publicly available data, or data subject to other regulations such as the Health Insurance Portability and Accountability Act (HIPAA). It also exempts certain entities, such as those organizations covered by the Fair Credit Reporting Act or Gramm-Leach-Bliley Act.
Connecticut Data Protection Act (CTDPA)
CTDPA be effective and enforced as of July 1, 2023. It’s also modeled after the CPA, VCDPA, and UCPA. There are some similarities to the CPRA, such as the express prohibition of “dark patterns,” which are deceptive design practices used on websites and apps that make a user take actions that they don’t intend to take, such as buying or signing up for something.
What you need to know about CTDPA
CTDPA allows for joint enforcement between California and Colorado. This is a great example of how in the absence of a federal privacy standard, states have begun to not only create legislation but also work together to coordinate enforceable privacy laws.
Another difference between CTDPA and newer regulations like VCPDA and CPA is its stance on the protection of children’s data. The Act states that organizations cannot process personal data for purposes of targeted advertising, or sell personal data without consent, under circumstances where an organization has actual knowledge that the data belongs to a consumer that is between the ages of thirteen and sixteen.
What’s happening in the EU?
Across the pond, the EU Data Governance Act (DGA) was passed this year to facilitate data access and sharing with the public sector.
This is just another aspect of the forward momentum in Europe, which is aimed at building a data economy while respecting the rights, privacy, and freedom of data subjects. Following a 15-month grace period, this law will be effective in September of 2023. While the DGA isn’t exclusively concerned with personal data, it will have a significant impact on the General Data Protection Regulation (GDPR).
Because the definition of data under the DGA also includes personal data as defined in the GDPR, both regulations may apply at the same time.
14 privacy boxes to check for 2023
It’s a lot to take in, but don’t fret. With the following steps—and the help of an experienced privacy consultant—you can be well on your way to data privacy compliance in 2023. Want even more details? Download our 15+ page Privacy Compliance Checklist to find out everything you need to do for a sustainable privacy program in 2023.
1. Establish privacy governance
Thanks to existing and emerging data privacy laws, maintaining compliance continues to be a complex undertaking. To meet compliance requirements, organizations should enhance their privacy governance activities by implementing governance processes and activities that support:
- Risk management
Confirm that your organization has appropriate resources, policies, and standards to maintain compliance amidst evolving privacy laws.
2. Maintain a data inventory
To ensure the accuracy, completeness, and timeliness of personal data information inventories, establish and maintain a detailed personal data inventory. This will ensure that your organization fully understands the sources of personal data collected and how it is used.
3. Identify sensitive personal data
Depending on the data privacy law, sensitive personal data may be subject to different treatment compared to other types of personal data. For example, you may need to:
- Disclose the collection of sensitive personal data
- Limit its use
- Allow users to opt-in or opt-out
Implement procedures to limit the use of sensitive personal data, along with obtaining and tracking consent for use.
4. Conduct PIAs or DPIAs
Privacy Impact Assessments (PIAs) or Data Protection Impact Assessments (DPIAs) should be conducted any time:
- Your organization begins a new project that could put personal data at risk
- There are significant changes to existing programs or activities that involve personal data
Implement consistent processes for your PIAs and DPIAs, and train staff accordingly.
5. Obtain consent for processing the personal data of minors
When selling, sharing, or processing the personal data of minors, you must obtain appropriate consent. Make sure your privacy notices are written in clear, age-appropriate language, and that you have heightened security measures in place to protect minors’ sensitive data.
6. Disclose the sharing of data to third parties
If you sell or share data to third parties for the purpose of targeted advertising, certain jurisdictions may require your organization to disclose this information. Allow individuals to opt-in/opt-out to the collection, processing, selling, or sharing of personal data, and give a clear notice that the information is not being sold.
7. Update your privacy notices
Any and all of your privacy notices must be:
- Easy to read
- Available in languages your organization conducts business
- Accessible to those with disabilities according to general industry standards
- Compliant with applicable data privacy laws
Every so often, review your privacy notices to ensure that they’re readable, accessible, and up-to-date—and inform your employees of the updates, too.
8. Ensure your data minimization and retention policy passes muster
How much data do you really need? According to privacy best practices, the answer is simple: only what is necessary. All US privacy regulations, along with GDPR, require that you limit the amount of data you collect to what is “reasonably necessary” to achieve the stated purposes of collection.
9. Thoroughly assess vendors
Your business relies on vendors to do its work, but in the process of building those relationships, you may be providing access to consumer information. It’s vital to ensure that your contracts with vendors establish a clear understanding of how that information may be used so you can maintain compliance with privacy laws.
10. Manage individual rights requests (DSARs)
Are your customers aware of the rights they are entitled to with regard to their personal information? This information, including potential actions they may take, should be clearly detailed in your privacy notice. You should also:
- Establish appropriate internal procedures to handle Individual Rights Requests, including timelines and appeals processes
- Obtain and maintain consents according to applicable regulations
- Record and track DSAR records
- And more
11. Get your cookie banners and Do Not Sell links in place
Cookie banners—they’re more complicated than you might expect. Cookie banner requirements vary by region, so it’s vital to deploy yours accordingly. And as far as Do Not Sell links? Make sure yours complies with changes brought about by CPRA.
12. Train your team on privacy awareness
You can have the best privacy policies and procedures on the planet, but if your team doesn’t know how to use them or why they’re important, they won’t be much use. In 2023, implement robust (and ongoing) privacy training for all staff. Ensure that training is specific to departments and different levels of responsibility for managing personal information.
13. Validate security practices
Security and privacy programs benefit when they work closely together towards organizational goals. Make it a priority to implement and document comprehensive security processes, procedures, and policies to support safeguarding personal information.
14. Make compliance sustainable
Privacy compliance isn’t a one-and-done activity. To truly achieve an effective privacy program that can weather a changing landscape, you need to identify strategies to make it sustainable. This should involve steps such as:
- Aligning privacy with your organization’s mission
- Establishing a clear privacy framework
- Dedicating appropriate resources to privacy
- And more
Data governance is a journey, not a destination
The new laws and updates we covered here are not comprehensive—and that may seem overwhelming! But by taking a look at what’s on the horizon, you’ve already taken the first step toward compliance. That is something to be proud of.
Data governance is not a journey you have to take alone. The experts at Red Clover Advisors can help your organization, whether you’re just starting out on the path to compliance or are facing changes along the way. Knowing is half the battle, so why not have a data privacy expert on your side as you navigate a complex and evolving regulatory environment?
Schedule a call today to see what we can do for you.