2022 is zipping by, and 2023 will be here before you know it — and with the new year comes new data privacy laws in the US. They are:
Some of the new laws go live later into 2023, while others will be active on January 1. In either case, being prepared is the key to minimizing your risk and business disruption. That’s why we’re releasing this series of blog posts designed to provide guidance on what businesses should do to become compliant and when they should do it.
This is the second post in our countdown series. If you haven’t read our “6-month countdown to 2023’s state privacy laws,” we’d recommend giving it a quick review first. However, we’ll provide a quick recap of what we advised in the 6-month blog post below, followed by our advice on what compliance activities businesses should pursue now that 2023 is just 3 months away.
In our previous blog in this series, we advised businesses to conduct a data inventory by following the GDPR’s requirements for a record of processing activity, or RoPA. (Remember: while RoPAs are explicitly required by the GDPR and are not required under the US state laws listed above, they are an essential tool for compliance with virtually any data privacy regulation.)
The value of a RoPA is that it helps you understand critical aspects of personal information and your organization, including:
This document serves as your guide for other compliance actions. You might also hear this kind of document referred to as a data map. While some people use the terms RoPA and data map interchangeably, we like the term RoPA because it conveys documenting more than just where the data is stored or used. If you want this document to be actionable, you’ll need to record this additional information.
If you haven’t started on your own RoPA yet, don’t panic. There is still plenty of time to create an inventory of where your data lives and how it flows throughout your organization. As the saying goes, “The best time to plant a tree was 20 years ago. The second best time is now.”
Moreover, RoPAs aren’t a one-and-done exercise. The way that you collect and process data will change over time; thus, you should regularly update your RoPA.
Since you have an accurate snapshot of your data processing activities with your RoPA, now you can tackle the next most time-consuming aspect of becoming compliant — updating your contracts.
Under many of 2023’s state data privacy laws, you need to have agreements in place with recipients of your consumers’ data that outline what their responsibilities are and how they should handle that data. Furthermore, if you have received personal information from another organization, you should understand what your responsibilities are to that other organization.
All of the 2023 US state privacy laws require specific contractual provisions to be in place if you share personal information with another organization. To be in compliance, you will need to review the contracts you have in place, determine whether you have these specific provisions in place or not, and update the agreements if needed.
We’ll focus on the CPRA’s requirements since they are arguably the most comprehensive and will impact the most companies. However, the different state laws have their own specific requirements, which you’ll want to review with your legal counsel.
The CPRA actually distinguishes between third parties, service providers, and contractors. But for the purposes of this article, we’ll focus on service providers and contractors since those are the entities with whom you need to have certain contractual provisions in place.
Under the CPRA, service providers process personal information for you, while contractors use personal information over the course of using services for you. So, a service provider could be a company that you allow to place a cookie on your website in order to deliver online advertising to your visitors. They process your visitors’ personal information to deliver advertising. In contrast, a contractor could be a company that uses the personal information you provide to complete invoices or billing processes. It’s important to classify each relationship you have since the contracting requirements will be slightly different.
Under many of the new data privacy laws, you need to provide consumers a means of opting out of the sale or share of their personal data. However, data that is shared with service providers or contractors who have specific contractual provisions with you are exempt from these requirements. That means critical business functions won’t be interrupted should a consumer withdraw their consent.
You’ll find these specific contractual provisions in a company’s data processing addendum, although sometimes they’ll be located in terms of service or a standalone agreement instead of the data processing addendum.
Essentially, the addendum ensures that your service provider or contractor can only use your consumers’ data for a specific purpose, has to delete that data once that purpose has been met, must implement certain security measures, and so on.
Unfortunately, there is no prescribed format for a data processing addendum. So, you might approach one of your vendors to talk about updating your contract with language that your legal department cooked up, only for them to present their own addendum. Then, you’ll need to decide on using one version or the other, or craft a third version that meets both of your standards.
Furthermore, you need to do this for all of the third parties with whom you share personal information, whether you are the transferor or recipient. This can take quite some time, and that’s why we advise starting this process now.
Again, although the specific format of these addendums is up to you, there are certain requirements for you to include.
You’ll want to ensure that your data transfer addendum:
This is not an exhaustive list. Rather, it’s just intended to give you a sense of the general requirements that a data transfer addendum needs to include under CPRA and an understanding of the scope of work involved. No matter how informative a blog is (and we like to think ours are pretty darn informative), it’s no replacement for legal counsel.
While the above guidance is tailored to CPRA, it should go a long way toward ensuring compliance with the remaining state privacy laws in 2023. However, we do urge you to review the other state law requirements that apply to your organization.
If you’d like to dive deeper into the specific requirements the different state laws have for your business, you’ll benefit from reviewing our quick reference guide that compares the major characteristics of the different state privacy laws. You can download a copy here.
That’s it for this 2023 countdown blog! As a reminder, you can access our previous installment here. Our next installment will be in December, when 2023 is just one month away.