



Oct 4

2023: The Year of the Privacy and Security Compliance Program – CBIA

State legislatures throughout the country were busy in 2022 introducing comprehensive data privacy bills.

Despite the widespread legislative activity, Connecticut and Utah were the only two states to enact comprehensive privacy laws in 2022.

In doing so, they joined California, Colorado, and Virginia, adding to a complex patchwork of state privacy laws enacted over the past few years, and with which companies will be busy complying throughout 2023.

Depending upon which of these state privacy laws apply to your business, your time between now and the end of next year could be spent assessing and implementing information governance controls in order to comply with the California Privacy Rights Act (CPRA) or the Virginia Consumer Data Protection Act (VCDPA) by Jan. 1, 2023; Connecticut's Act Concerning Personal Data Privacy and Online Monitoring (CTDPA) or the Colorado Privacy Act (CPA) by July 1, 2023; and the Utah Consumer Privacy Act (UCPA) by Dec. 31, 2023.

This update discusses some of the core provisions the five states' privacy laws have in common, and provides advice for navigating them.

In general, each state law applies to for-profit entities, generally referred to as controllers, that conduct business in the state or offer products or services targeted to its residents, and that meet certain thresholds with respect to revenue and/or the volume of consumer data under their control.

The CPRA, for example, amends the California Consumer Privacy Act (CCPA), which went into effect on Jan. 1, 2020, to apply to entities that collect personal data from California residents and either: (1) have at least $25M in gross annual revenue; (2) buy, sell, or share the personal data of 100,000 or more California residents or households; or (3) derive 50% or more of their annual revenue from selling or sharing California personal data.

In Connecticut, the CTDPA applies to certain for-profit entities that either: (1) control or process the personal data of at least 100,000 consumers; or (2) control or process the personal data of at least 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.

In addition to the entity-level applicability thresholds described above, each law also exempts certain categories of data.

All five states currently exclude data that is already protected by other state or federal laws, such as protected health information covered by the Health Insurance Portability and Accountability Act (HIPAA).

Employee human resources data and business-to-business contact data become subject to protection in California on Jan. 1, 2023, when the CPRA takes effect, but are exempt, or effectively exempt, under each of the other four states' laws.

Each state law, to varying degrees, requires a controller to honor certain consumer rights with respect to personal data.

These rights include the right to: access their personal data and confirm whether it is being processed; correct inaccuracies in their personal data; delete their personal data; obtain a copy of their personal data in a portable format; and opt out of targeted advertising and the sale of their personal data.

Controllers subject to one or more state privacy laws must ensure they have procedures in place to fulfill their obligations to consumers on or before the applicable 2023 effective date.

In addition to consumer rights, the state privacy laws obligate controllers to, among other things, provide a privacy notice to consumers; implement administrative, technical, and physical data security practices to protect personal data; impose certain contractual requirements on vendors that process personal data on their behalf; and conduct data protection assessments.

While each state's requirements in these areas vary in the details, they are similar in their fundamentals and should be familiar in concept to any organization already subject to the European Union's General Data Protection Regulation (GDPR), which came into force in 2018 and set the template for these laws.

In Connecticut, for example, controllers must provide consumers with a privacy notice describing the categories of personal data processed, the purposes for which each category of data is processed, how a consumer may exercise a right, the categories of personal data shared with third parties and the categories of those third parties, and how the consumer may contact the controller.

The CTDPA also requires controllers to enter into written contracts with third parties governing their processing of personal data, and to conduct and document data protection assessments for each processing activity that presents a heightened risk of harm to a consumer, including targeted advertising, the sale of personal data, and the processing of sensitive data.

Depending on your existing information governance infrastructure, implementing the operational processes required to comply with the state privacy laws coming into effect next year may require anything from a full compliance program build to a series of policy and procedure modifications or enhancements.

Regardless, it is important not only to start the process as soon as possible, but to begin to incorporate the principles of privacy, cybersecurity, and good information governance into your corporate culture at all levels.

As a preliminary step, consult with an attorney in order to determine which state law(s) apply to your business.

This will then help you assess whether it is most effective and efficient to take a universal approach to compliance, in which the most stringent applicable requirement is built into a single standardized process, or a jurisdictional approach, in which processes vary depending on the rules that apply in each state.

During the period leading up to the first applicable effective date in 2023, focus on the following:


As the compliance deadline approaches:

Finally, keep in mind that any effective compliance program is always a work in progress.

The privacy law landscape will likely continue to evolve in 2023, with the potential for rulemaking by the Federal Trade Commission and for a federal data privacy law (the American Data Privacy and Protection Act) to gain additional momentum in Congress for passage or amendment after the mid-term elections.

It is a best practice to revisit your policies and procedures on a regular basis in order to update them in response to legislative developments and, more importantly, your own lessons learned.

About the authors: Marc Lombardi and Damian Privitera are lawyers at Shipman & Goodwin LLP, both practicing in the firm's Privacy, Cybersecurity and Data Innovation practice. Lombardi and Privitera, along with Shipman's team of privacy and cybersecurity lawyers, regularly assist manufacturers and other businesses with privacy and cybersecurity issues. For more information about Shipman's manufacturing practice, please contact Alfredo Fernández ((860) 251-5353; afernandez@goodwin.com).
