June 21, 2022
2023 is shaping up to be a big year for US businesses. No fewer than five state privacy laws go into effect in the new year:
But compliance is a journey. It isn’t possible to wait for the last month of 2022, sprint through a checklist of activities, and suddenly be compliant forever. Compliance takes time, and it’s an ongoing process.
To help businesses find the right path forward, we’ve begun a blog series counting down to 2023. Each post will lay out the appropriate steps to take during the given time frame. At the time of this writing, 2023 is roughly six months away, so we’ll discuss the most time-consuming and foundational steps businesses need to take. (Looking for what to do with three months left? Check out the next installment in the series here.)
Specifically, we’ll cover whether you need to worry about being subject to 2023’s data privacy laws at all, the primary foundational activity you should begin now, and additional key factors to keep in mind.
In short: probably. Even if your jurisdiction doesn’t have a state privacy law, 2023’s privacy regulations could impact your business if you have users or customers in a state that is covered.
There are minor variations between the five state privacy laws coming into effect in 2023, but they broadly align on what sorts of businesses will be covered. Generally speaking, your business is subject to the state privacy laws if:
It should come as no surprise that there are important details to keep in mind when it comes to who is and isn’t covered under the data privacy laws. We’ll highlight a few here, but your best bet is to consult with a legal or privacy professional for the full picture.
For one, California’s and Utah’s laws only apply if your business has an annual revenue of over $25 million.
Additionally, it’s important to note that many Californian businesses that were previously exempt from the CCPA will be subject to the CPRA. In the past, Californian businesses that merely shared personal information, rather than selling it, were exempt from the law. The CPRA has closed that loophole.
Another notable exception is that Connecticut does not count data processed solely to facilitate a payment transaction — the idea being that restaurants, convenience stores, and the like shouldn’t be burdened with compliance when they’re not really relying on customer data for their business.
Even if you’re certain you don’t need to comply with these laws today, you’re still better off becoming compliant anyhow.
Maybe you don’t work with the personal information of 100,000 different consumers from these states — that could quickly change if you have a digital channel to your business.
Or, maybe you’re primarily based out of California and Utah but don’t reach the $25 million threshold. If you’re interested in growth, then laying the groundwork for compliance will make the future significantly simpler for you.
And even if you don’t operate in one of these states and don’t think that you’ll ever expand your business there, you’ll still want to get prepared for an inevitable federal privacy law.
The bottom line is that data privacy is coming to the US fast. Getting prepared today will save you a potentially expensive and drawn-out headache in the future.
Although the details vary from law to law, the foundation for compliance is the same for each: Developing a data inventory of what personal information you collect, why you collect it, how you use it, and with whom you share it.
Under the EU’s General Data Protection Regulation (GDPR), this activity is referred to as a record of processing activities, or RoPA. For consistency, we’ll use the same term here, even though RoPAs aren’t explicitly mentioned in the US data privacy regulations.
Developing your first RoPA can be time-consuming — which is why we recommend getting started straight away. Once you’ve developed your first RoPA, keeping it up to date will be less tedious, though you should update it anytime your procedures for processing information change. Data discovery tools can help make this process easier.
Start with a spreadsheet, and build it out so that you can include information on:
Build out one of these spreadsheets for each major business unit in your organization. Try to fill it out as much as you can yourself, and then send out a questionnaire to the different parts of your organization. Marketing, HR, finance, and any other department that touches personal information should supply answers to your questions.
Because this activity can feel like an interruption to your colleagues’ regular duties, we recommend getting buy-in from your leadership team in advance. Having the support of your company’s C-suite will help everybody understand the importance of compliance activities.
Once you’ve mapped out how the different parts of your business use personal information, you’ll have the foundation in place to meet the vast majority of different privacy requirements. That includes:
None of these requirements can be easily acted upon unless you know where your consumers’ personal information lives in your business, what’s being done with it, where it’s going, and so on. We’ll be covering ways you can prepare for these requirements in future installments of our Countdown to 2023 series, but the most important step will be completing a RoPA first.
There are three things that are important to know early on about the major changes coming in 2023.
First, businesses need to change how they think about data. It’s been a popular analogy to claim that data is the new oil. Only, oil companies have to purchase mineral rights to drill for oil, whereas businesses have simply been taking their users’ data without worrying about rights. All that is changing, and changing fast.
Businesses can no longer rely on bulk data collection, and they can no longer focus all of their efforts on collecting as much data as possible on the assumption that they will figure out what to do with it later. Because of the data minimization requirements in these privacy laws, data collection is going to be a purposeful and limited process in the future.
Second, businesses need to build a roadmap to compliance that extends to 2023 and beyond. We’ll provide as much actionable information as possible in this blog series, but a blog isn’t a substitute for a robust plan with deadlines and accountability baked in.
Third, don’t do it all yourself. Once you start building that roadmap and see the true scope of what is required to comply with all of these data privacy laws, it might be tempting to get your legal department and development teams straight to work building all of the processes and bespoke tools you’ll need to manage compliance at your organization — like data discovery and DSAR management.
Compliance takes work, and there are plenty of tasks that only your organization can carry out; there are also plenty of compliance problems that have been effectively solved. Rather than reinvent the wheel, your best bet is to seek out trusted third parties that are managing compliance for companies that are already subject to data privacy regulations.
Osano, for example, manages DSARs for over 14,000 different businesses, as well as cookie compliance and vendor management. While you wait for our next installment in this blog series, get an early start evaluating consent management solutions by booking a demo with us today.
In the meantime, keep an eye out for the ensuing articles in our Countdown to 2023 blog series!
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.