With five state privacy laws coming into effect in 2023, there’s a lot of information that businesses need to internalize on short notice. To help keep the business community informed of what they need to do to achieve compliance with these new laws, we recently hosted a webinar, titled “Prepare for 2023's new privacy laws now,” that covered:
If you didn’t get a chance to attend, you can access the on-demand recording here. There was a lot to unpack!
So much so, in fact, that many attendees had important questions they didn’t get a chance to ask. So, we asked Osano’s General Counsel to answer some of the most frequently asked questions here. Whether you watched the webinar or not, we’re sure you’ll find the FAQ supplies actionable information on your journey to compliance with 2023’s state privacy laws.
A. Per violation incident.
A. This company is preparing for GDPR and CPRA because it feels they may be the most stringent, and its team is then adjusting for the other states. We agree with this approach — we feel it's a good way to get started and there are a few other companies doing the same thing.
A. There has been no guidance that we are aware of from US privacy regulators or State Attorneys General on how blockchain-based businesses can specifically approach these privacy laws. We recognize that many aspects of compliance will be very tough and, in some cases, impossible to achieve—particularly data subject requests. We urge blockchain-based companies to keep personal information off-chain if at all possible and try to beef up disclosures in privacy policies.
The question continues: What if an organization makes most of its revenue from selling personal information collected from California residents via surveys, lab results, clinical consults, and other non-website channels?
A. The CCPA is not specific to website cookie data collection—you'll still be subject to data subject access requests, for example. Specifically, you'll be subject to the CPRA if your company, according to our breakdown in our article, California privacy law: CCPA, CPRA, and beyond:
IP addresses could be one way; however, they can be changed via a VPN. If a company does not process customers’ addresses, are there any other practical ways to determine this?
A. We'd say use the most reliable data at your disposal. If IP addresses are all you have, then use that to determine if you cross the threshold.
For example, Data Privacy Officers own the process for GDPR compliance in European organizations.
A. This is up to the individual organization (for now)—they might have a Chief Privacy Officer, Data Privacy/Protection Officer, or Head of Compliance own the process. We've also seen organizations give the task to General Counsel or Legal Managers. The challenge will be for smaller companies without those kinds of resources. In those cases, we are seeing that the responsibilities often are divided amongst marketing and IT Ops.
Is a single notice acceptable, or do we need supplemental privacy notices?
A. We are seeing a lot of companies have a GDPR/EU section, a California section, and a third "Other US Privacy Rights" (or similarly titled) section.
A. Companies will be required to describe the retention periods for the various categories of personal information collected. If it isn't possible to give a hard number or definitive length of time (e.g., the information will be deleted one year after collection), then companies are required to disclose the criteria that will be used to determine when the personal information will be deleted.
The question continues: For example, if a website offers a coupon for signing up for their newsletter, is that considered unfair treatment to users that haven’t shared their data?
A. If it's a relatively small incentive, then it probably doesn't qualify as unfair treatment, but if it's an ongoing program or more than a token of appreciation, then we'd recommend reviewing the required financial incentive disclosure under CCPA/CPRA.
A. It's helpful to include a clause in your privacy policy that lets users know it's subject to change, and you should include a section in your policy about how you'll let users know about those updates.
In our privacy policy, we've included guidelines on how we'll update people—depending on the extent of the change, we let them know to check the privacy policy periodically for updates, but if the change is significant enough, we'll let them know via a notice on our homepage. You can also send email notifications to your subscribers notifying them of the updates or incorporate a pop-up. Lastly, it's recommended to have a section at the beginning of the policy or above it that summarizes the most recent changes.
When working with new vendors that may handle our users' personally identifiable information, they most often volunteer that they are SOC 2-compliant, but are there better or more specific questions we can ask?
A. We don't have specific questions to suggest, but we do have a couple of recommended tools that can help you vet vendors: you can use something like Privacy Monitor to vet vendors based on their privacy score. We also have a vendor management system in our platform where we vet organizations based on 23 different categories, and we monitor whether they're involved in any privacy-related lawsuits.
For example, the GDPR requires certain contractual provisions, like the standard contractual clauses (SCCs) and, in some cases, the UK international data transfer agreement (IDTA).
A. Take a look at our 3-month countdown to 2023 blog. Here’s a relevant excerpt:
All of the 2023 US state privacy laws require specific contractual provisions to be in place if you share personal information with another organization. To be in compliance, you will need to review the contracts you have in place, determine whether you have these specific provisions in place or not, and update the agreements if needed.
If you are asking specifically about transfer-related agreements, then no, at this point we aren't expecting agreements similar to the SCCs at the US state level.
Especially when this requires both legal and marketing technology expertise?
A. It certainly can be tricky—we recommend focusing on who is making decisions over the personal information, clearly describing the business purpose that the personal information is to be used for in the agreements, and going a bit above the minimum contracting requirements.
This is the only way for EU companies to use US vendors since the European Court of Justice's Privacy Shield ruling.
A. Yes, it's going to be quite tricky. Companies will likely have a GDPR-based data processing agreement (DPA) and SCCs as well as an agreement or a separate DPA governing the US issues. Not ideal, we know.
You can enable this through your Osano CMP. Our support team can help you through it.
It’s clear that businesses are starting to dig into the nitty-gritty of the privacy laws they can expect to contend with in 2023. And they’re finding that there is a lot to figure out.
From privacy notices to contractual provisions, we’ve fielded a lot of questions from businesses anxious to start 2023 off on the right foot. The Osano team is eager to help. Many compliance activities can only be completed by your business, but the most time-consuming and complicated aspects of compliance—like consent management, DSAR management, and more—can be automated.
Schedule a demo today to see how Osano can support you so you can focus your energies where they’re needed most.