2022 is zipping by, and 2023 will be here before you know it — and with the new year comes new data privacy laws in the US. They are:
- The California Privacy Rights Act (CPRA; replacing the California Consumer Privacy Act, or CCPA)
- The Virginia Consumer Data Protection Act (VCDPA)
- The Utah Consumer Privacy Act (UCPA)
- The Connecticut Data Privacy Act (CTDPA)
- The Colorado Privacy Act (CPA)
Some of the new laws go live later into 2023, while others will be active on January 1. In either case, being prepared is the key to minimizing your risk and business disruption. That’s why we’re releasing this series of blog posts designed to provide guidance on what businesses should do to become compliant and when they should do it.
This is the second post in our countdown series. If you haven’t read our “6-month countdown to 2023’s state privacy laws,” we’d recommend giving it a quick review first. However, we’ll provide a quick recap of what we advised in the 6-month blog post below, followed by our advice on what compliance activities businesses should pursue now that 2023 is just 3 months away.
Quick recap: What businesses should do first to prepare for 2023’s data privacy laws
In our previous blog in this series, we advised businesses to conduct a data inventory by following the GDPR’s requirements for a record of processing activity, or RoPA. (Remember: while RoPAs are explicitly required by the GDPR and are not required under the US state laws listed above, they are an essential tool for compliance with virtually any data privacy regulation.)
The value of a RoPA is that it helps you understand critical aspects of personal information and your organization, including:
- What personal information is collected or processed
- The purposes behind such collection and processing
- With whom the personal information is shared (and why)
- Where it is stored,
- Whether it is transferred to another country
- Whether your organization is the controller or processor
- Whether automated decision-making occurs
- Whether the data is used for targeted advertising
This document serves as your guide for other compliance actions. You might also hear this kind of document referred to as a data map. While some people use the terms RoPA and data map interchangeably, we like the term RoPA because it conveys documenting more than just where the data is stored or used. If you want this document to be actionable, you’ll need to record this additional information.
If you haven’t started on your own RoPA yet, don’t panic. There is still plenty of time to create an inventory of where your data lives and how it flows throughout your organization. As the saying goes, “The best time to plant a tree was 20 years ago. The second best time is now.”
Moreover, RoPAs aren’t a one-and-done exercise. The way that you collect and process data will change over time; thus, you should regularly update your RoPA.
What businesses should do now to prepare for 2023’s data privacy laws
Since you have an accurate snapshot of your data processing activities with your RoPA, now you can tackle the next most time-consuming aspect of becoming compliant — updating your contracts.
Under many of 2023’s state data privacy laws, you need to have agreements in place with recipients of your consumers’ data that outline what their responsibilities are and how they should handle that data. Furthermore, if you have received personal information from another organization, you should understand what your responsibilities are to that other organization.
All of the 2023 US state privacy laws require specific contractual provisions to be in place if you share personal information with another organization. To be in compliance, you will need to review the contracts you have in place, determine whether you have these specific provisions in place or not, and update the agreements if needed.
We’ll focus on the CPRA’s requirements since they are arguably the most comprehensive and will impact the most companies. However, the different state laws have their own specific requirements, which you’ll want to review with your legal counsel.
The CPRA actually distinguishes between third parties, service providers, and contractors. But for the purposes of this article, we’ll focus on service providers and contractors since those are the entities with whom you need to have certain contractual provisions in place.
Under the CPRA, service providers process personal information for you, while contractors use personal information over the course of using services for you. So, a service provider could be a company that you allow to place a cookie on your website in order to deliver online advertising to your visitors. They process your visitors’ personal information to deliver advertising. In contrast, a contractor could be a company that uses the personal information you provide to complete invoices or billing processes. It’s important to classify each relationship you have since the contracting requirements will be slightly different.
Why this matters and why now
Under many of the new data privacy laws, you need to provide consumers a means of opting out of the sale or share of their personal data. However, data that is shared with service providers or contractors who have specific contractual provisions with you are exempt from these requirements. That means critical business functions won’t be interrupted should a consumer withdraw their consent.
You’ll find these specific contractual provisions in a company’s data processing addendum, although sometimes they’ll be located in terms of service or a standalone agreement instead of the data processing addendum.
Essentially, the addendum ensures that your service provider or contractor can only use your consumers’ data for a specific purpose, has to delete that data once that purpose has been met, must implement certain security measures, and so on.
Unfortunately, there is no prescribed format for a data processing addendum. So, you might approach one of your vendors to talk about updating your contract with language that your legal department cooked up, only for them to present their own addendum. Then, you’ll need to decide on using one version or the other, or craft a third version that meets both of your standards.
Furthermore, you need to do this for all of the third parties with whom you share personal information, whether you are the transferor or recipient. This can take quite some time, and that’s why we advise starting this process now.
What to include in your data processing addendums
Again, although the specific format of these addendums is up to you, there are certain requirements for you to include.
You’ll want to ensure that your data transfer addendum:
- Limits the use of the data to specific purposes of the business relationship
- Prohibits the third party from using or disclosing your consumers’ data unless its for the specific purpose described in the agreement and from sharing or selling the data to other parties outside of the agreement
- Requires the third party to provide the same level of protection as required by the CPRA
- Gives you the right to take reasonable steps to ensure your consumers’ data is protected by the third party, such as manual reviews, automated scans, or other auditing measures
- Requires the third party to notify you if they can’t meet their obligations
- Prohibits the third party from combining your consumers’ data with data they collect from their own interactions with consumers
- Requires the third party to establish their own contract that meets the CPRA requirements if they transfer your consumers’ data to a sub-processor, or if their sub-processor transfers your consumers’ data to another sub-processor, and so on
- Requires contractors to certify they understand the obligations and allows for the monitoring of the contractor to ensure compliance
This is not an exhaustive list. Rather, it’s just intended to give you a sense of the general requirements that a data transfer addendum needs to include under CPRA and an understanding of the scope of work involved. No matter how informative a blog is (and we like to think ours are pretty darn informative), it’s no replacement for legal counsel.
Use the CPRA as a starting point
While the above guidance is tailored to CPRA, it should go a long way toward ensuring compliance with the remaining state privacy laws in 2023. However, we do urge you to review the other state law requirements that apply to your organization.
If you’d like to dive deeper into the specific requirements the different state laws have for your business, you’ll benefit from reviewing our quick reference guide that compares the major characteristics of the different state privacy laws. You can download a copy here.
That’s it for this 2023 countdown blog! As a reminder, you can access our previous installment here. Our next installment will be in December, when 2023 is just one month away.