.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.png?width=148&height=200&name=Privacy%20Insider%20Book%20(mock%20w%20shadow).png)
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
With five data privacy laws coming online in 2023, businesses that operate within the U.S. have had to rapidly adapt to a regulatory environment that more closely resembles the EU. In the new year, the following laws will go into effect and change how affected businesses operate forever:
- The California Privacy Rights Act (CPRA; replacing the California Consumer Privacy Act, or CCPA)
- The Virginia Consumer Data Protection Act (VCDPA)
- The Utah Consumer Privacy Act (UCPA)
- The Connecticut Data Privacy Act (CTDPA)
- The Colorado Privacy Act (CPA)
While the new regulations will protect consumers and grow their trust in the businesses they frequent, it won’t be easy for businesses to get compliant. In our countdown series blog, we’ve been advising businesses on what tasks they need to do and when in order to become compliant in time for 2023’s new state privacy laws.
Quick recap: What we covered in our previous installments
Although data privacy is becoming an increasingly high profile subject, it can still be tempting to relegate it to the back burner. For those businesses that haven’t moved on data privacy initiatives until now or for those that simply need a reminder, here’s what we covered in our previous installments of our countdown series.
Our six-month blog covered the fundamentals. We talked about which businesses are subject to 2023’s data privacy laws and why compliance is likely in their future even if they aren’t subject to a law today. Most importantly, we talked about developing a data inventory, or record of processing activities (RoPA). This document serves as the foundation for all compliance activities in both the immediate and long term.
If you haven’t already, check out our 6-month countdown to 2023’s state privacy laws to learn all about building your data privacy foundation.
In our three-month blog, we discussed the need to update your vendor contracts with data processing addenda. The state privacy laws coming into effect in 2023 require that businesses that share their consumers’ data with other organizations—such as ad tech firms, payment processors, logistics companies, and more—must have special contractual provisions in place. Implementing these provisions across your contract portfolio can be time-consuming, in part because of the sheer number of vendors you might work with and in part because there is no standard format for these provisions.
If you want to learn more about this process, check out our 3-month countdown to 2023’s state privacy laws.
What to do if you’re just getting started
First; don’t panic.
Compliance is hard, and businesses won’t become compliant overnight. Authorities are likely (though not guaranteed) to go easy on businesses that can demonstrate progress toward compliance. Rather, the businesses that don’t try whatsoever, try to skirt around the law, or are large enough that they should know better will be the likely targets of enforcement.
Second; don’t rush.
There are no shortcuts to compliance—start at the beginning of Osano’s countdown series or with the other resources on our website, consult with legal and privacy professionals, and begin the process of building out your compliance program.
The Navy Seals have a saying that will be relevant to bear in mind: Slow is smooth, and smooth is fast. Cutting corners in the early stages of your compliance program will cause issues down the road.
But if you’ve followed the guidance in this series thus far, read on to review your next priorities.
3 things to do before 2023
In this installment of our countdown series, we advise you to carry out three crucial activities:
- Review your data inventory
- Update your privacy policy
- Start thinking about sustainability and scalability
1. Review your data inventory
Your data inventory should contain all relevant information about your data processing activities. That includes:
- The names and contact details of the individuals or organizations collecting the data
- The purpose of processing the data
- Categories of the data subjects and types of personal data
- Categories of data recipients, including those who have already received a user’s data and those who will receive a user’s data in the future
- Current time limits (if any) for the erasure of different categories of data
- A general description of technical and organizational security measures
- Whether or not you use automated decision-making with the data
- Whether or not you use the data for targeted advertising
If you established your data inventory months ago, now is a good time to review and see whether anything has changed. Generally, data inventories should be updated anytime your organization’s processing conditions change, such as when you collect new types of data or onboard new recipients of data. With several state laws coming online on January 1, 2023, it’s worth double checking, even if you believe your processing conditions have remained the same.
If they have changed, then you may have further updates to make beyond your data inventory. Do you have additional contracts that need to feature data processing addenda? Have new data collection practices rendered you subject to new obligations? If so, it’s best to become aware of that now rather than risk a notice from the Attorney General.
2. Update your privacy disclosures
If your data inventory is up to date and you’ve got the right provisions in place with the relevant third parties, then you’ll be in the perfect position to update your privacy policy.
Your privacy policy needs to convey much of the information in your data inventory to your users. That includes details like the categories of information you collect, how long you intend to keep said information, who you share information with, and more. There’s a lot that goes into developing a privacy policy; while different laws have different requirements, a great place to start is by working your way through our privacy policy checklist.
3. Start thinking about sustainability and scalability
Following the guidance in this countdown series is an excellent starting point for compliance. However, a simple three-part blog series can’t cover all of the myriad activities you need to undertake in order to become compliant, especially since compliance programs must be tailored to the individual organization. Furthermore, compliance isn’t a one-and-done activity; it’s an on-going process.
Once you’ve gotten the fundamentals in place, it’s time to plan for how you’ll keep your compliance program sustainable and scalable.
Here are a few things you’ll want to consider:
- What’s your process for handling data subject access requests (DSARs)?
- Do you have an automated way of discovering data across your organization?
- Is there a process in place to update your data inventory and privacy policy?
- Have you made a review of data privacy considerations a formal part of your vendor onboarding process?
A lot of what makes a compliance program sustainable is procedural. For instance, defining when and where a privacy professional needs to be involved in the different aspects of your operations goes a long way toward avoiding noncompliance.
Some of it is technological. For example, if you have to manually respond to each DSAR, you’ll quickly become swamped. You’ll want to identify a way to automatically discover data across your organization and a way to automatically act on different kinds of DSARs.
What’s more, you’ll want to document your process, policies, and activities. If you do get in hot water with data protection authorities, having documentation that shows you’ve been working toward compliance will reduce your risk.
Plan for the future of your data privacy compliance program
As alluded to above, this blog series is about setting up the foundation for compliance rather than “solving” your organization’s compliance needs for all time. Each law and each business has unique requirements and needs, so implementing the right compliance program for your organization will take careful planning and consideration.
Working with a compliance solution provider takes the most onerous compliance tasks out of your hands. That way, you can stay focused on your core business and the compliance tasks that only you can handle. For example, Osano customers gain the benefit of:
- A best-in-class consent management platform (CMP), that enables you to gather, record, and act upon website visitors’ consent preferences when it comes to data collection
- A DSAR solution that streamlines the workflow, data discovery, and execution of consumer DSARs
- A vendor database that helps you select and monitor privacy-conscious vendors who won’t raise your compliance risk when sharing your consumers’ personal information
- And much more
We hope you’ve found this countdown series informative and actionable in your efforts to comply with 2023’s data privacy laws. Keep up the momentum on your data privacy journey by scheduling a demo of Osano today.
Privacy Policy Checklist
Are you in the process of refreshing your current privacy policy or building a whole new one? Are you scratching your head over what to include? Use this interactive checklist to guide you.
Download Now
