6-month countdown to 2023’s state privacy laws

2023 is shaping up to be a big year for US businesses. No fewer than five state privacy laws go into effect in the new year:

• The California Privacy Rights Act (CPRA; replacing the California Consumer Privacy Act, or CCPA)
• The Virginia Consumer Data Protection Act (VCDPA)
• The Utah Consumer Privacy Act (UCPA)
• The Connecticut Data Privacy Act (CTDPA)
• The Colorado Privacy Act (CPA)

But compliance is a journey. It isn’t possible to wait for the last month of 2022, sprint through a checklist of activities, and suddenly be compliant forever. Compliance takes time, and it’s an on-going process.

To help businesses find the right path forward, we’ve begun a blog series counting down to 2023. Each post will lay out the appropriate steps to take during the given time frame. At the time of this writing, 2023 is roughly six months away; so, we’ll discuss the most time-consuming and foundational steps businesses need to take. (Looking for what to do with three months left? Check out our next blog in the installment here.)

Specifically, we’ll cover whether you need to worry about being subject to 2023’s data privacy laws at all, the primary foundational activity you should begin now, and additional key factors to keep in mind.

Are you subject to data privacy laws?

In short: probably. Even if your jurisdiction doesn’t have a state privacy law, 2023’s privacy regulations could impact your business if you have users or customers in a state that is covered.

There are minor variations between the five state privacy laws coming into effect in 2023, but they broadly align on what sorts of businesses will be covered. Generally speaking, your business is subject to the state privacy laws if:

• You control or process the personal data of 100,000 state residents, or
• You derive a significant portion of your revenue from selling customer data (the specifics vary from state to state).

There are some exceptions…

It should come as no surprise that there are important details to keep in mind when it comes to who is and isn’t covered under the data privacy laws. We’ll highlight a few here, but your best bet is to consult with a legal or privacy professional for the full picture.

For one, California’s and Utah’s laws only apply if your business has an annual revenue of over $25 million.

Additionally, it’s important to note that many Californian businesses that were previously exempt to the CCPA will be subject to the CPRA. In the past, Californian businesses that merely shared personal information, rather than selling it, were exempt from the law. But the CPRA has amended that loophole.

Another notable exception is that Connecticut does not count data processed solely to facilitate a payment transaction — the idea being that restaurants, convenience stores, and the like shouldn’t be burdened with compliance when they’re not really relying on customer data for their business.

… But compliance is probably in your future anyway.

Even if you’re certain you don’t need to comply with these laws today, you’re still better off becoming compliant anyhow.

Maybe you don’t work with the personal information of 100,000 different consumers from these states — that could quickly change if you have a digital channel to your business.

Or, maybe you’re primarily based out of California and Utah but don’t reach the $25 million threshold. If you’re interested in growth, then laying the groundwork for compliance will make the future significantly simpler for you.

And even if you don’t operate in one of these states and don’t think that you’ll ever expand your business there, you’ll still want to get prepared for an inevitable federal privacy law.

The bottom line is that data privacy is coming to the US fast. Getting prepared today will save you a potentially expensive and drawn-out headache in the future.

Compliance with the new state privacy laws: Here’s where to start

Although the details vary from law to law, the foundation for compliance is the same for each: Developing a data inventory of what personal information you collect, why you collect it, how you use it, and with whom you share it.

Under the EU’s General Data Protection Regulation (GDPR), this activity is referred to as a record of processing activity, or RoPA. For consistency, we’ll use the same term here, even though RoPAs aren’t explicitly mentioned in the US data privacy regulations.

When you conduct a RoPA, you gain a snapshot of how you’re collecting data, where it lives, what you’re currently doing with it, and more. Creating this data map simplifies the bulk of your future compliance activities, things like crafting a privacy policy, identifying where you’re over-collecting data or holding onto it for too long, presenting records of your data collection activities when audited, and more. The first step is to get a sense of the state of your data collection practices.

How to conduct a RoPA

Developing your first RoPA can be time-consuming — which is why we recommend getting started straight away. Once you’ve developed your first RoPA, keeping it up to date will be less tedious, though you should update it anytime your procedures for processing information change. Data discovery tools can help make this process easier.

Start with a spreadsheet, and build it out so that you can include information on:

• Name and contact details of the individual or organization collecting the data
• The purpose of processing the data
• Categories of the data subjects and types of personal data
• Categories of data recipients, including those who have already received a user’s data and those who will receive a user’s data in the future
• Current time limits (if any) for the erasure of different categories of data
• A general description of technical and organizational security measures
• Whether or not you use automated decision-making with the data
• Whether or not you use the data for targeted advertising

Build out one of these spreadsheets for each major business unit in your organization. Try to fill it out as much as you can yourself, and then send out a questionnaire to the different parts of your organization. Marketing, HR, finance, and any other department that touches personal information should supply answers to your questions.

Because this activity can feel like an interruption to your colleagues’ regular duties, we recommend getting buy-in from your leadership team in advance. Having the support of your company’s C-suite will help everybody understand the importance of compliance activities.

What will the outcome of this exercise be?

Once you’ve mapped out how the different parts of your business use personal information, you’ll have the foundation in place to meet the vast majority of different privacy requirements. That includes:

• An accurate and informative privacy policy
• Managing and executing DSARs
• Managing and acting on users privacy choices (like cookie consent)
• And more

None of these requirements can be easily acted upon unless you know where your consumers’ personal information lives in your business, what’s being done with it, where it’s going, and so on. We’ll be covering ways you can prepare for these requirements in future installments of our Countdown to 2023 series, but the most important step will be completing a RoPA first.

What else do I need to know today about 2023’s state privacy laws?

There are three things that are important to know early on about the major changes coming in 2023.

First, businesses need to change their minds about data. It’s been a popular analogy to claim that data is the new oil. Only, oil companies have to purchase mineral rights to drill for oil, and businesses have simply been taking their users’ data without worrying about rights. All that is changing, and changing fast.

Businesses can no longer use bulk data collection practices and can no longer focus all of their efforts on collecting as much data as possible thinking they will just figure out what to do with it later. Data collection is going to be a purposeful and limited process in the future due to privacy laws’ data minimization requirements.

Second, businesses need to build a roadmap to compliance that extends to 2023 and beyond. We’ll provide as much actionable information as possible in this blog series, but a blog isn’t a substitute for a robust plan with deadlines and accountability baked in.

Third, don’t do it all yourself. Once you start building that roadmap and see the true scope of what is required to comply with all of these data privacy laws, it might be tempting to get your legal department and development teams straight to work building all of the processes and bespoke tools you’ll need to manage compliance at your organization — like data discovery and DSAR management.

Compliance takes work, and there are plenty of tasks that only your organization can carry out; there are also plenty of compliance problems that have been effectively solved. Rather than reinvent the wheel, your best bet is to seek out trusted third parties that are managing compliance for companies that are already subject to data privacy regulations.

Osano, for example, manages DSARs for over 14,000 different businesses, as well as cookie compliance and vendor management. While you wait for our next installment in this blog series, get an early start evaluating consent management solutions by booking a demo with us today.

In the meantime, keep an eye out for the ensuing articles in our Countdown to 2023 blog series!