With three new omnibus privacy laws set to take effect in 2023, 2022 is sure to be a busy year for privacy and cybersecurity departments in companies of all kinds. New laws will take effect in Virginia on January 1, 2023, and in Colorado on July 1, 2023, and an expanded law will replace the California Consumer Privacy Act in California on January 1, 2023. Each of these laws includes strong protections and use limitations around sensitive categories of data, expansions and more rigorous requirements for data subject rights requests and privacy notices, and increased regulator powers.
In addition, international data transfers are becoming more and more challenging. The European Court of Justice’s Schrems II decision invalidated the US-EU Privacy Shield, and this summer saw the adoption of new, more restrictive Standard Contractual Clauses by the European Commission.
To address these issues, companies should consider the following critical tasks:
Update your privacy notices to comply with these new requirements.
All three new U.S. privacy laws require new disclosures in corporate privacy notices, particularly with respect to sensitive personal information and data subject requests. Noncompliant privacy policies bring increased regulatory risk, as they are one of the most overt indicators of noncompliant practices. With the California law’s introduction of a European-style data protection agency, including full enforcement and rule-making authority, the stakes for privacy compliance in the United States are only increasing.
Review the personal information in your company’s possession, your associated retention schedules, and other data controls to ensure that you are only keeping what you really need, particularly with respect to sensitive personal information and information used for targeted advertising.
The new U.S. laws all contain restrictions on the use of certain sensitive personal information, namely a person’s demographic information (such as race or sexual orientation) and certain personally identifying information (such as Social Security numbers). Additionally, these laws now grant data subjects the ability to opt out of certain kinds of processing of their personal information. The more you can minimize your data footprint and focus your data use, the easier compliance with the new U.S. laws will be next January.
Review the major international data transfers your company undertakes and the contractual requirements or other corporate rule regimes they are conducted under, as the requirements in this area changed markedly in the latter months of 2021.
In the wake of the Schrems II decision’s invalidation of the US-EU Privacy Shield, the European Commission upped the ante further by adopting a new set of mandatory standard contractual clauses that generally must accompany all data transfers into or out of the European Union to an inadequate jurisdiction, including the United States. As a result, companies have been scrambling to update their contractual forms and/or prepare amendments containing the standard contractual clauses to help comply with the constantly shifting post-Schrems II GDPR environment.
Review and revise your data subject request process.
The new U.S. laws all include new data subject rights. Namely, citizens in these states have all of the familiar California privacy rights plus additional rights to have inaccuracies in their personal information corrected, and to opt out of the use of their personal information for targeted advertising or for profiling which has “legal or similarly significant effects” (quoting Virginia’s law). Additionally, the new laws require the creation of an appeal process for addressing an initial denial of a consumer’s request to exercise their data subject rights. Companies will need to develop procedures to fulfill these requirements, particularly a procedure to verify the accuracy of the information a data subject wants corrected and to ensure an independent and fair appeal process that can pass regulatory muster.