Unless you’ve been completely disconnected from the internet for the past year, you’ve undoubtedly read about the passage of a number of state and international laws addressing privacy and cybersecurity. Does this mean that you will likely need to amend business practices and revise privacy policies? Yes, however, depending on the size and nature of your business and where you operate, you may want to start setting timelines but hold off on implementation.
California
The California Privacy Rights Act (CPRA) goes into effect on January 1, 2023. It amends the California Consumer Privacy Act (CCPA) in a few key ways, including which businesses fall under the law; clarifying that “sale” was meant to include buying, selling and sharing; enhanced transparency on how consumers can exercise their rights; purpose limitation of a business’s collection and use of personal information; and new requirements for the relationship between a business and its vendors. Currently, the CPRA eliminates exemptions that were in the CCPA for employees and commercial credit reporting agencies; however, bills are pending to keep those exemptions in the CPRA.
The new enforcement agency created by the CPRA, the California Privacy Protection Agency, was supposed to enact regulations by July 1, 2022 and start enforcing the CPRA on July 1, 2023. However, the Agency already announced that rulemaking will probably not be completed until Q3 or Q4 of 2022. For more information about the rulemaking process, visit the State of California's CPPA website.
Virginia
The Consumer Data Protection Act (CDPA) also goes into effect on January 1, 2023. It grants consumers the rights to access (know), to correct, to delete, to opt-out of the sale of certain personal information, and of portability (transfer). Businesses have certain responsibilities under the CDPA, including purpose limitation; implementing reasonable administrative, technical and physical safeguards; obtaining consent to process sensitive data; disclosing certain information in privacy policies; conducting data protection impact assessments; and entering into certain contractual provisions with vendors. After three recent amendments, the CDPA appears to be in its final form and businesses can start planning now.
Colorado
The Colorado Privacy Act (CPA) goes into effect on July 1, 2023. It grants consumers the rights to access, to correct, to delete, to opt-out, and of portability. Beginning July 1, 2024, the CPA will require businesses to accept a universal opt-out mechanism. Businesses have certain responsibilities under the CPA, including purpose limitation; implementing reasonable administrative, technical and physical safeguards; obtaining consent to process sensitive data; disclosing certain information in privacy policies; conducting data protection impact assessments; and entering into certain contractual provisions with vendors.
The Colorado Attorney General will adopt rules by July 1, 2023. More information about the rulemaking process can be found on the Colorado Attorney General website.
Utah
The Utah Consumer Privacy Act (UCPA) goes into effect on December 31, 2023. It grants consumers the rights to access (know), to delete, to opt-out, and of portability. The UCPA appears to be in its final form and businesses can start planning now.
Connecticut
Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring (CTDPA) goes into effect on July 1, 2023. It grants consumers the rights to access, to correct, to delete, to opt-out, and of portability. The CTDPA will require businesses to accept a universal opt-out mechanism. Businesses have certain responsibilities under the CTDPA, including purpose limitation; implementing reasonable administrative, technical and physical safeguards; obtaining consent to process sensitive data; making it as easy to withdraw consent as provide consent; disclosing certain information in privacy policies; conducting data protection assessments in certain circumstances; and entering into certain contractual provisions with vendors.
Cyber Incident Reporting for Critical Infrastructure Act of 2022
This Act aims to educate critical infrastructure sectors about potential cyber threats and encourage timely sharing of relevant information. The Cybersecurity and Infrastructure Security Agency (CISA) will be implementing rules over the next few years. More information about this Act is available in this Foster Garvey Legal Alert.
China
The Personal Information Protection Law (PIPL) went into effect on November 1, 2021. It grants consumers the rights to information, to access, to correct, to delete, to object, and of portability. Businesses have certain responsibilities around the collection, use, and processing of personal information, including obtaining consent; entering into certain contractual provisions; disclosing certain information in privacy policies; conducting data protection impact assessments and compliance audits; and having a designated contact located in China.
European Union
A number of new regulations are being considered in the European Union, including the Data Governance Act, the Data Act, the Digital Services Act, and the Digital Markets Act. While they’re all working their way through the approval process, none have made it all the way through yet.
Also, to enable simpler GDPR compliance for data transfers from the European Union to the United States, the United States and the European Commission are working on a new Trans-Atlantic Data Privacy Framework to replace Privacy Shield. Although an announcement made in March 2022 indicated that there was an agreement in principal, specific language capturing the framework has not yet been released.
Additionally, since March 21, 2022, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses can be used for data transfers from the United Kingdom to the United States. Any old contracts that are still using the 2010 EU Standard Contractual Clauses for transfers from the United Kingdom to the United States must be replaced before March 21, 2024.
This is not a comprehensive list of new privacy and cybersecurity laws or amendments to existing privacy and cybersecurity laws. Please consult an attorney or other privacy professional for more specific information about these laws and whether your business meets the threshold requirements to be subject to these laws. If you need assistance reviewing your company’s compliance with privacy obligations, contact our Privacy, Cybersecurity & Data Protection team.
