California, Colorado, Connecticut, Utah, Virginia, Oh My: An Enterprise Wide Data Privacy Solution to the State Privacy Law Problem
Authors
Myriah V. Jaworski , Paul F. Schmeltzer
Despite predictions otherwise, 2022 will not be the year that a federal data privacy law is enacted. While the bipartisan American Data Privacy Protection Act (ADPPA) proposal made it to the House Committee on Energy and Commerce, it was blocked from moving to the full house over concerns that the law would preempt existing and newly enacted state privacy laws with higher level of consumer protections, and otherwise negate work done at the state level to address data privacy.
With the continued absence of a comprehensive federal law, states have continued to take the lead -this year more than ever. Four states – Colorado, Connecticut, Utah, and Virginia – passed state privacy laws this year, joining California in regulating the data collection practices of businesses and employers in-state. In California, the California Privacy Protection Agency (CPPA), recently issued modified regulations under the California Privacy Rights Act (CPRA) – touching on everything from asymmetry in the presentation of choice to consumers via website banners to heightened verification procedures in response to data subject requests – and inaction by the California state legislature to extend a human resources exemption means that HR files and employee data will be now regulated under the CPRA as of January 1, 2023. Colorado’s Attorney General has also issued draft regulations under that state’s law.
Because variances between the state privacy laws exist, businesses may view the roll out of a fractured state-by-state compliance program as administratively problematic and burdensome. But a solution exists: the build out of an enterprise-wide data privacy program that accommodates the foundational requirements of the enacted state privacy laws, and allows for minor state-specific modifications as necessary.
Such a compliance program will necessarily include:
- Data Mapping: One of the fundamental purposes of all state privacy laws is to require businesses to understand the types of data they are collecting, in particular, what personally identifiable information (“PII”) of state residents, including in California, employees and job applicants, why and for how long they are collecting that data (purpose & retention periods), what consent(s) or authorizations they have in place to collect PII (consent management), what third parties the information is shared with, and how the businesses are protecting the data (reasonable security measures). Data mapping is intended to assist businesses in refining their data collection practices, and is fundamental to a business’s ability to respond to data subject requests concerning the collected data.
- Sensitive Personal Data: Under most state privacy laws, the collection of sensitive personal information now requires express consumer consent, and in California, businesses must self-restrict processing of sensitive PII or provide additional notices and opportunities to opt-out. Thus, a data mapping exercise should categorize and locate sensitive personal information pursuant to state law definitions.
- Employee/HR Data: In California, employee and job applicant information is now regulated by the CPRA, meaning employees share the same rights to access, correct, and delete information as in the consumer context. The collection of employee data for monitoring purposes should also be reexamined, under the CPRA and other state electronic monitoring laws.
Mapping internal data flows to include the collection of sensitive PII and employee/HR data is therefore necessary to achieve compliance with the law and substantive Data Subject Request (DSR) requirements.
-
- All state laws also require businesses to conduct some form of data processing or privacy risk or data protection assessments, to evaluate pre-collection, the purpose for collecting sensitive information or for conducting high-risk processing activities.
- Updates to External Policies & Consent Management Practices: State privacy laws require that businesses provide notice and in certain instances obtain consent from users prior to collecting their PII. Further, California regulations specify that consent practices disclosed through website banners should be “asymmetrical” -i.e., that the offer to reject is as prominent as the offer to accept cookies, and that “grey patterns” – the unequal burdens on consumer choice or deceptive and hidden information – be strictly avoided. Additionally, privacy policies must disclose the basis for collection, identify third parties with whom information is shared, the purpose of sharing information, retention periods and provide consumers with instructions on how to submit a data subject request concerning their information.
- Global Opt-Outs: In California and Colorado, businesses must honor consumer cookie preferences set through what is known as a Global Privacy Controls (GPC) browser setting. In these states, and as a best practice elsewhere, these settings should be honored as a an opt-out of the sale of consumer information (i.e., in lieu of clicking the “Do Not Sell My Personal Information” hyperlink) and of targeted advertising, and to prioritize the GPC signal over any conflicting user-stated preferences.
- Data Subjects Rights Procedures: Businesses must offer individuals (and in California, employees and job applicants) the right to access, delete, correct, port, and opt-out of the sale of their PII. Businesses must not discriminate against consumers for asserting a data subject right, and in some states, must offer consumers the right to appeal any DSR response. State laws require businesses to honor DSR requests within short 45-day timeframes, necessitating that businesses understand where consumer PII, sensitive PII, and regulated employee/HR data is stored, be able to access and account for that data, and respond substantively to requests for same. State privacy laws provide rights of appeal to consumers in certain instances.
- Update & Audit Service Provider Contracts: A businesses transfer of PII to a third party should be closely examined, and in certain instances, service provider agreements with provisions limiting sale and secondary use, requiring notification in certain instances, allowing the business to audit the service providers privacy practices, may be required.
- Employ Reasonable Security Measures: A business that collects a consumer’s personal information must implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized use or access. In California, where businesses’ processing of personal information “presents significant risk to consumers’ privacy or security”, those businesses are required to submit annual cybersecurity audits to the State’s new California Privacy Protection Agency.
- Conduct Employee Trainings: An enterprise- wide data privacy program will also include employee trainings on privacy law compliance, and trainings to those customer-facing employees on how to facilitate processing of data subject requests. This training should occur no less than annually. Annual table top trainings and cybersecurity trainings are also recommended as part of a businesses’ reasonable security measures.
The California Office of the Attorney General (OAG)’s August 2022 $1.2 million settlement with Sephora, Inc., the French beauty products retailer, is their most significant enforcement action to date. At the same time the California AG disclosed the topics of its notices of violations, to include not honoring consumer opt-outs, untimely responses, lack of verification, and failure to disclose DSR procedures in privacy policies. Companies can anticipate additional investigations by the California OAG as it continues to respond to consumer complaints and monitor business compliance with the CCPA/CPRA. All other enacted state laws also allow for State Attorney General enforcement, with fine and penalty authorizations.
While the patchwork of state privacy laws may present certain operational challenges, working to roll out an enterprise-wide data privacy program that includes the components identified above is key to a compliance strategy that addresses enacted and pending state privacy laws:
State | Effective Date | Regulations Status | Safe Harbor |
California Consumer Privacy Act, as amended by California Privacy Rights Act (CCPA/CPRA) | Jan. 1, 2023 | Issued, modified regulations pending. | None. |
Colorado Privacy Act (CPA) | July 1, 2023 | Pending; public comments accepted until Feb. 1, 2023. | 60-day cure period, expires Jan. 1, 2025. |
Connecticut Act Concerning Personal Data & Online Monitoring (CT Act). | July 1, 2023 | Not yet issued. | 60-day cure period. Expires Jan. 1, 2025. |
Utah Consumer Privacy Act (UCPA) | Dec. 31, 2023 | Not yet issued. | 30-day cure period. |
Virginia Consumer Data Protection Act (VCDPA) | Jan. 1, 2023 | Not yet issued. | 30-day cure period. |
Nothing in this article constitutes professional legal advice nor is it intended to be a substitute for professional legal advice.