December 5, 2022
With five data privacy laws coming online in 2023, businesses that operate within the U.S. have had to rapidly adapt to a regulatory environment that more closely resembles the EU. In the new year, the following laws will go into effect and change how affected businesses operate forever:
While the new regulations will protect consumers and grow their trust in the businesses they frequent, it won’t be easy for businesses to get compliant. In our countdown series blog, we’ve been advising businesses on what tasks they need to do and when in order to become compliant in time for 2023’s new state privacy laws.
Although data privacy is becoming an increasingly high-profile subject, it can still be tempting to relegate it to the back burner. For those businesses that haven’t moved on data privacy initiatives until now, or for those that simply need a reminder, here’s what we covered in the previous installments of our countdown series.
Our six-month blog covered the fundamentals. We talked about which businesses are subject to 2023’s data privacy laws and why compliance is likely in their future even if they aren’t subject to a law today. Most importantly, we talked about developing a data inventory, or record of processing activities (RoPA). This document serves as the foundation for all compliance activities in both the immediate and long term.
If you haven’t already, check out our 6-month countdown to 2023’s state privacy laws to learn all about building your data privacy foundation.
In our three-month blog, we discussed the need to update your vendor contracts with data processing addenda. The state privacy laws coming into effect in 2023 require that businesses that share their consumers’ data with other organizations—such as ad tech firms, payment processors, logistics companies, and more—must have special contractual provisions in place. Implementing these provisions across your contract portfolio can be time-consuming, in part because of the sheer number of vendors you might work with and in part because there is no standard format for these provisions.
If you want to learn more about this process, check out our 3-month countdown to 2023’s state privacy laws.
First, don’t panic.
Compliance is hard, and businesses won’t become compliant overnight. Authorities are likely (though not guaranteed) to go easy on businesses that can demonstrate progress toward compliance. Instead, the likely targets of enforcement are the businesses that make no effort at all, try to skirt around the law, or are large enough that they should know better.
Second, don’t rush.
There are no shortcuts to compliance—start at the beginning of Osano’s countdown series or with the other resources on our website, consult with legal and privacy professionals, and begin the process of building out your compliance program.
The Navy SEALs have a saying worth bearing in mind: slow is smooth, and smooth is fast. Cutting corners in the early stages of your compliance program will cause issues down the road.
But if you’ve followed the guidance in this series thus far, read on to review your next priorities.
In this installment of our countdown series, we advise you to carry out three crucial activities:
Your data inventory should contain all relevant information about your data processing activities. That includes:
If you established your data inventory months ago, now is a good time to review it and see whether anything has changed. Generally, data inventories should be updated any time your organization’s processing conditions change, such as when you collect new types of data or onboard new recipients of data. With several state laws coming online on January 1, 2023, it’s worth double-checking, even if you believe your processing conditions have remained the same.
If they have changed, then you may have further updates to make beyond your data inventory. Do you have additional contracts that need to feature data processing addenda? Have new data collection practices rendered you subject to new obligations? If so, it’s best to become aware of that now rather than risk a notice from the Attorney General.
Following the guidance in this countdown series is an excellent starting point for compliance. However, a simple three-part blog series can’t cover all of the myriad activities you need to undertake in order to become compliant, especially since compliance programs must be tailored to the individual organization. Furthermore, compliance isn’t a one-and-done activity; it’s an ongoing process.
Once you’ve gotten the fundamentals in place, it’s time to plan for how you’ll keep your compliance program sustainable and scalable.
Here are a few things you’ll want to consider:
A lot of what makes a compliance program sustainable is procedural. For instance, defining when and where a privacy professional needs to be involved in the different aspects of your operations goes a long way toward avoiding noncompliance.
Some of it is technological. For example, if you have to manually respond to each DSAR, you’ll quickly become swamped. You’ll want to identify a way to automatically discover data across your organization and a way to automatically act on different kinds of DSARs.
What’s more, you’ll want to document your processes, policies, and activities. If you do get in hot water with data protection authorities, having documentation that shows you’ve been working toward compliance will reduce your risk.
As alluded to above, this blog series is about setting up the foundation for compliance rather than “solving” your organization’s compliance needs for all time. Each law and each business has unique requirements and needs, so implementing the right compliance program for your organization will take careful planning and consideration.
Working with a compliance solution provider takes the most onerous compliance tasks out of your hands. That way, you can stay focused on your core business and the compliance tasks that only you can handle. For example, Osano customers gain the benefit of:
We hope you’ve found this countdown series informative and actionable in your efforts to comply with 2023’s data privacy laws. Keep up the momentum on your data privacy journey by scheduling a demo of Osano today.
Writer at Osano
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.