Posted In: Business Transactions & Corporate Counseling, Cybersecurity & Data Privacy
By Jarman J. Smith on July 12, 2022
Your organization must act now to become compliant with new state privacy regulations in the United States. With consumer privacy laws from California, Colorado, Virginia and now Connecticut and Utah set to take effect in 2023,[1] there is little time for covered organizations to review their data processing activities and to implement the policies and procedures needed for compliance. Organizations that fail to become compliant with the new state privacy regulations by the 2023 deadlines may become ideal targets for cyberattacks, subject to data privacy lawsuits, and subject to regulatory fines and penalties. Moreover, although only a limited number of states have enacted comprehensive data privacy regulations to date, the effects of these laws reach beyond the states in which they were enacted and will surely impact organizations throughout the nation.
Most Companies Are Not Ready for Privacy Law Compliance
A new U.S. Data Privacy Law Compliance Survey (the “Survey”)[2] reveals how companies are getting ready for the major changes needed in their data processing activities in light of the consumer privacy laws from California, Connecticut, Colorado, Utah and Virginia that go live next year. A majority of the executives who responded to the Survey expressed satisfaction with the state of their compliance efforts, with 59% saying their companies are very prepared to meet the more stringent guidelines, 31% reporting that they are moderately prepared, and 89% disclosing that they have increased their budgets to comply with the new privacy regulations.[3] However, when asked about the concrete steps taken toward compliance with the new regulations, fewer than half of the executives said their companies have completed the critical tasks needed to ensure they meet the new regulatory obligations, including data mapping, performing data assessments, and establishing timelines to track compliance. Thus, the Survey reveals that company executives may be too quick to report their companies are ready for compliance with the upcoming privacy laws, when a deeper look into their compliance efforts will show a major deficit in actual preparation.
Privacy Law Requirements and 2023 Compliance Deadlines
Generally, the new privacy laws will require businesses to ensure that their consumers have more access to and control over how their personal information is handled. Although these laws share key similarities, such as granting consumers rights of access, correction, deletion and rights to opt out of the sale of their personal data, they also contain important nuances that may complicate compliance efforts. For example, the laws contain minor differences concerning consumer rights, responses to global opt-out signals, and how to handle sensitive personal information. Ideally, every organization should develop a cross-functional team that includes legal and data privacy compliance professionals, as well as tech and risk management leads to ensure things get done properly.
The deadlines to comply with the new U.S. privacy regulations are as follows:[4]
- CPRA - The California Privacy Rights Act, which strengthens the state’s landmark California Consumer Privacy Act, will take effect on Jan. 1, 2023.
- VCDPA - The Virginia Consumer Data Protection Act will take effect on Jan. 1, 2023.
- CPA - Colorado’s Privacy Act will take effect on July 1, 2023.
- CTDPA - Connecticut’s Data Protection Act will take effect on July 1, 2023.
- UCPA - The Utah Consumer Privacy Act will take effect on Dec. 31, 2023.
A Push for Federal Privacy Standard Could Ease Compliance Complications
A push by business and consumer advocacy groups to enact federal privacy legislation may be the best hope in offsetting the complications born from the expanding patchwork of state laws. One of the most promising efforts to date on this front comes from a bipartisan trio of congressional leaders who developed a proposal that would set a uniform national standard for how companies use, share and secure consumer information. The draft legislation would allow consumers to sue companies for alleged data processing violations and it would also preempt comprehensive state privacy laws while allowing more targeted state statutes to survive. Respondents to the Survey were overwhelmingly in favor of a national consumer privacy framework, with 88% of respondents indicating they would like to see a federal privacy standard that preempts individual state legislation.[5]
How Brouse Can Help
The requirements of the state privacy laws that take effect in 2023 affect so many aspects of how companies process data that it can be challenging for companies to make sure all the bases are covered for compliance. Brouse McDowell’s Cybersecurity and Data Privacy team can provide the guidance and tools you need to establish and implement the policies and procedures needed for compliance with the new state privacy laws and those to follow. Additionally, our cybersecurity team offers a variety of data privacy and cybersecurity services, including pre-breach and cybersecurity planning, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery and response). Please contact us for more information and to learn how we can partner with you.