As we ring in 2023, we may think about goals such as making more sales, organizing the garage, and spending more time with family.
One slightly less exciting but essential goal in 2023 will be compliance with the six new privacy laws going into effect this year.
Regarding privacy compliance requirements, it is important to know that privacy laws protect consumers, so whether a law applies to you depends on where the consumers whose personal information you collect reside, not on where your business is located.
In addition, privacy laws can impose very high penalties for violations because penalties are calculated per violation, which can mean per website visitor whose privacy rights were infringed upon.
In this article, we will discuss the steps that you will need to take to prepare your business for the myriad of privacy compliance requirements that will go into effect in 2023.
Step 1: Determine What Privacy Laws Apply to You
The golden rule of compliance is first to figure out which privacy laws you need to comply with (as complying with laws that do not apply to you can increase costs, confusion, and liability).
Each new privacy law that is going into effect in 2023 has its own criteria for who needs to comply with that law:
1. California Privacy Rights Act (CPRA) (effective date: January 1, 2023):
The CPRA applies to businesses that collect the personal information of individuals residing in California, that do business in California, and that meet one or more of the following criteria:
- Have annual gross revenue of more than $25,000,000;
- Derive 50% or more of their annual revenue from selling or sharing the personal information of California consumers; or
- Annually buy, sell or share the personal information of 100,000 or more California consumers or households.
2. Virginia Consumer Data Protection Act (VCDPA) (effective date: January 1, 2023):
The VCDPA applies to persons that do business in Virginia or that produce products or services that are targeted to Virginia residents and that meet one or more of the following criteria:
- During a calendar year, control or process the personal information of at least 100,000 Virginia residents; or
- Control or process the personal information of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal information.
3. Colorado Privacy Act (CPA) (effective date: July 1, 2023):
The CPA applies to anyone that conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted toward residents of Colorado and that meets one or more of the following thresholds:
- Controls or processes the personal information of 100,000 or more Colorado consumers during a calendar year; or
- Derives revenue or receives a discount on the price of goods or services from the sale of personal information and processes or controls the personal information of 25,000 or more Colorado consumers.
4. Connecticut SB6 (effective date: July 1, 2023):
Applies to persons doing business in Connecticut or that provide goods or services that are targeted towards residents of Connecticut and that during the previous year:
- Controlled or processed the personal information of 100,000 or more Connecticut residents; or
- Controlled or processed the personal information of 25,000 or more Connecticut residents and derived more than 25% of their gross revenue from the sale of personal information.
5. Utah Consumer Privacy Act (UCPA) (effective date: December 31, 2023):
The UCPA applies to anyone collecting the personal information of Utah residents that does business in Utah or that produces a product or service that is targeted to individuals that are located in Utah and that meets both of the following thresholds:
- Has annual revenue of $25,000,000 or more; and
- Meets one of the following criteria:
- During a calendar year, controls or processes the personal information of 100,000 or more Utah residents; or
- Derives 50% or more of its annual gross revenue from the sale of personal information and controls or processes the personal information of 25,000 or more Utah consumers.
6. Quebec Bill 64 (effective date: September 22, 2023):
This applies to persons who collect, hold, use or share personal information in the course of carrying on an enterprise. “Enterprise” is defined as the carrying on by one or more persons of organized economic activity, whether or not it is commercial in nature, consisting of producing, administering, or alienating property or providing a service.
Compliance by contract: if, after reviewing the criteria above, you or your attorney have determined that you do not need to comply with these laws because you do not meet the thresholds, you may still be required to comply with them by contract.
If you work as a vendor to large companies that send you the personal information of their customers, they may ask you to sign a contract (for example, a data processing agreement or a contract amendment) that requires you to process that personal information in compliance with the above privacy laws.
You should therefore read through your current contracts and any contract amendments, as this is where such requirements will appear if your clients expect you to comply with these laws.
On the other hand, if you are required to comply with these laws because you meet the thresholds and you send customer information to a vendor for processing, you should ensure that your vendor has signed a contract that requires them to process that personal information in compliance with the laws that apply to you.
You should also audit these vendors regularly to ensure they comply with these laws.
Step 2: Be Ready for Consumer Privacy Rights Requests
The purpose of privacy laws is to provide consumers with greater control over their personal information by giving them certain privacy rights.
Below is a list of the privacy rights provided by these laws (please note that not all privacy laws may provide each privacy right):
- Right to correct the inaccurate or incomplete personal information;
- Right to confirm whether their personal information is being processed;
- Right to opt-out of the use and sharing of sensitive personal information;
- Right to receive a copy of the personal information in a portable and readily usable format;
- Right to transmit personal information to another entity;
- Right to delete personal information;
- Right to opt-out of the processing of personal information for the purposes of targeted advertising, the sale of personal information, profiling, and the collection of geolocation information.
As these privacy laws go into effect and consumers become more aware of their privacy rights, you should expect an increase in the number of requests to exercise those rights.
Each privacy law has a limit on the number of days that the business has to respond to these requests, and thus it is important to prepare to process these requests now so that you can respond in an appropriate time frame.
To prepare for these requests, you should:
- Draft response templates that staff can use to respond to requests;
- Perform a data inventory so that you know where personal information is stored, including with your vendors, and you can easily obtain a copy of that data or delete it;
- Draft procedures for exercising privacy rights so that staff can follow a series of steps to effectuate the privacy rights requests;
- Train staff on how to process and respond to privacy rights requests.
Step 3: Make the Required Disclosures
Each of these laws requires certain disclosures to consumers, typically made in your privacy policy. While each law is different, the following is a combined list of the disclosures required by these laws:
- What personal information is collected;
- Where the personal information is obtained from;
- How this personal information is used;
- A list of the privacy rights provided to consumers;
- How an individual can contact the business to exercise their privacy rights, including what information they will need to provide to confirm their identity and how to designate an authorized agent;
- How consumers can opt out of the sale of their personal information, the use of their personal information for targeted advertising, and the collection of their geolocation information;
- How an individual can appeal a decision that has been made in response to their privacy rights request;
- The possibility of transfers of personal information to different countries;
- The title and contact information of the person in charge of the personal information;
- How an individual can contact the business for questions.
Step 4: Meet Ancillary Requirements
While the above is the “meat and potatoes” of the compliance requirements of privacy laws, there are other ancillary requirements that you must also meet to ensure that you comply:
- Establish an appeals system: Certain privacy laws give consumers the right to appeal a decision made in response to a privacy rights request. For example, if an individual contacts a business to ask it to delete their personal information and the business denies that request, the individual can appeal to the business to have that decision reviewed. To prepare for these laws, your business should have an appeals system in place where such appeals are forwarded to a staff member who can determine whether the initial decision was correct;
- Data protection assessments: Certain privacy laws require businesses to complete a data protection assessment before using personal information for targeted advertising, selling personal information, processing personal information for purposes of profiling, processing sensitive personal information, and any processing activities involving personal information that present a heightened risk of harm to consumers. If you engage in any such processing, you must identify and weigh the benefits of the processing against the potential risks to the rights provided to consumers, as mitigated by safeguards that can be employed to reduce such risks. It is important to conduct these assessments properly as they may be requested by the Attorney General of the state as part of an investigation.
These steps will provide you with a good starting point for compliance with the new privacy laws that go into effect in 2023. However, they are not a substitute for the advice of your attorney, and you must stay vigilant to ensure that you meet compliance requirements throughout the upcoming years.