With five state privacy laws coming into effect in 2023, there’s a lot of information that businesses need to internalize on short notice. To help keep the business community informed of what they need to do to achieve compliance with these new laws, we recently hosted a webinar, titled “Prepare for 2023's new privacy laws now,” that covered:
- The essential characteristics of 2023's laws
- The biggest impact these laws make on businesses
- What organizations need to do right now to prepare
If you didn’t get a chance to attend, you can access the on-demand recording here. There was a lot to unpack!
So much so, in fact, that many attendees had important questions they didn’t get a chance to ask. So, we asked Osano’s General Counsel to answer some of the most frequently asked questions here. Whether you watched the webinar or not, we’re sure you’ll find the FAQ supplies actionable information on your journey to compliance with 2023’s state privacy laws.
Frequently asked questions about 2023’s state data privacy laws
Q. Are penalties for these data privacy laws issued per violation incident or per person affected?
A. Per violation incident.
Q. Are you aware of whether companies are taking the approach to focus on the most stringent regulations first?
A. This company is preparing for GDPR and CPRA because it feels they may be the most stringent, and its team is then adjusting for the other states. We agree with this approach — we feel it's a good way to get started and there are a few other companies doing the same thing.
Q. Do you have guidance on how these new data privacy regulations deal with decentralized entities, such as blockchain-based businesses?
A. There has been no guidance that we are aware of from US privacy regulators or State Attorneys General on how blockchain-based businesses can specifically approach these privacy laws. We recognize that many aspects of compliance will be very tough and, in some cases, impossible to achieve—particularly data subject requests. We urge blockchain-based companies to keep personal information off-chain if at all possible and try to beef up disclosures in privacy policies.
Q. Is the CCPA specific to websites’ cookie data collection?
The question continues: What if an organization makes most of its revenue from selling personal information collected from California residents via surveys, lab results, clinical consults, and other non-website channels?
A. The CCPA is not specific to website cookie data collection—you'll still be subject to data subject access requests, for example. Specifically, you'll be subject to the CPRA if your company, according to our breakdown in our article, California privacy law: CCPA, CPRA, and beyond:
- "Buys, sells, or shares the personal information of 100,000 people or households. The “shares” part was added with the CPRA, and the number of people was doubled.
- Creates 50% or more of your revenue through the sale or sharing of personal information.
- Had $25 million in gross revenue in the preceding calendar year (so January 1, 2022, to December 31, 2023, to start, and then from Jan. 1 to Jan. 1 after that). The “preceding calendar year” part was added with the CPRA to make it clear what they meant by $25 million in annual gross revenues."
Q. What measures should international web companies use to determine whether they have 100k customers from California?
IP addresses could be a way; however, they could be changed via a VPN. If a company does not process customers’ addresses, are there any other practical ways to determine this?
A. We'd say use the most reliable data at your disposal. If IP addresses are all you have, then use that to determine if you cross the threshold.
Q. In an organization subject to CPRA (or Colorado, Utah etc), who will typically own compliance?
For example, Data Privacy Officers own the process for GDPR compliance in European organizations.
A. This is up to the individual organization (for now)—they might have a Chief Privacy Officer, Data Privacy/Protection Officer, or Head of Compliance own the process. We've also seen organizations give the task to General Counsel or Legal Managers. The challenge will be for smaller companies without those kinds of resources. In those cases, we are seeing that the responsibilities often are divided amongst marketing and IT Ops.
Q. Regarding the new data privacy laws, what are the different privacy notices that we need?
Is a single notice acceptable, or do we need supplemental privacy notices?
A. We are seeing a lot of companies have a GDPR/EU section, a California section, and a third "Other US Privacy Rights" (or similarly titled) section.
Q. Can you say more about the retention disclosure requirement in updated privacy policies?
A. Companies will be required to describe the retention periods for the various categories of personal information collected. If it isn't possible to give a hard number or definitive length of time (e.g., the information will be deleted one year after collection), then companies are required to disclose the criteria that will be used to determine when the personal information will be deleted.
Q. What constitutes unfair treatment?
The question continues: For example, if a website offers a coupon for signing up for their newsletter, is that considered unfair treatment to users that haven’t shared their data?
A. If it's a relatively small incentive, then it probably doesn't qualify as unfair treatment, but if it's an ongoing program or more than a token of appreciation, then we'd recommend reviewing the financial incentive required disclosure under CCPA/CPRA.
Q. What are some specific questions we can ask organizations about their compliance when vetting vendors/partners?
When working with new vendors that may handle our users' personally identifiable information, they most often volunteer that they are SOC 2-compliant, but are there better or more specific questions we can ask?
A. These aren't specific questions you can ask, but we have a couple of recommended tools that could help you vet: You can use something like Privacy Monitor to vet vendors based on their privacy score. We also have a vendor management system in our platform where we vet organizations based on 23 different categories, and we monitor whether they're involved in any privacy-related lawsuits.
Q. Will any of the states’ rules require specific clauses with processors?
For example, the GDPR requires certain contractual provisions, like the standard contractual clauses (SCCs) and, in some cases, the UK international data transfer agreement (IDTA).
A. Take a look at our 3-month countdown to 2023 blog. Here’s a relevant excerpt:
All of the 2023 US state privacy laws require specific contractual provisions to be in place if you share personal information with another organization. To be in compliance, you will need to review the contracts you have in place, determine whether you have these specific provisions in place or not, and update the agreements if needed.
If you are asking specifically about transfer-related agreements, then no, at this point we aren't expecting agreements similar to the SCCs at the US state level.
Q. Do you have any recommendations for businesses trying to really understand if their marketing partners are service providers, controllers under GDPR, etc.?
Especially when this requires both legal and marketing technology expertise?
A. It certainly can be tricky—we recommend focusing on who is making decisions over the personal information, clearly describing the business purpose that the personal information is to be used for in the agreements, and going a bit above the minimum contracting requirements.
Q. Regarding regulations around third-party agreements, are vendors in these five states still willing and able to sign EU SCCs, plus additional contractual provisions?
This is the only way for EU companies to use US vendors since the European Court of Justice's Privacy Shield ruling.
A. Yes, it's going to be quite tricky. Companies will likely have a GDPR-based data processing agreement (DPA) and SCCs as well as an agreement or a separate DPA governing the US issues. Not ideal, we know.
Q. How do you set up/use Global Privacy Control (GPC) to be able to comply with it?
A. You can enable this through your Osano CMP. Our support team can help you through it.
Don’t try to do it all yourself
It’s clear that businesses are starting to dig into the nitty-gritty of the privacy laws they can expect to contend with in 2023. And they’re finding that there is a lot to figure out.
From privacy notices to contractual provisions, we’ve fielded a lot of questions from businesses anxious to start 2023 off on the right foot. The Osano team is eager to help. Many compliance activities can only be completed by your business, but the most time-consuming and complicated aspects of compliance—like consent management, DSAR management, and more—can be automated.
Schedule a demo today to see how Osano can support you so you can focus your energies where they’re needed most.