In 2023, numerous privacy laws will become effective and will have a drastic impact on businesses.
At present, privacy law in the United States is a patchwork of state laws plus a few sector- or issue-specific federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA) for protected health information and the Gramm-Leach-Bliley Act (GLBA) for the financial services industry. There is currently no comprehensive federal privacy law in effect in the United States. The EU and Canada are also adding further privacy legislation beyond the GDPR and the CPPA.
The following new laws take effect in 2023 in the US, the EU and Canada:
- The Virginia Consumer Data Protection Act (“VCDPA”)
- Amendments to the California Consumer Privacy Act (“CCPA”) take effect on January 1, 2023.
- The Colorado Privacy Act (“CPA”) takes effect on July 1, 2023.
- Both Connecticut & Utah have also passed privacy laws that are set to take effect on July 1, 2023, and December 31, 2023, respectively.
- The Digital Services Act, Data Act, Digital Markets Act and AI Act in the EU.
- Bill C-67 and Quebec's Bill 64 in Canada.
How can companies align themselves with the new laws?
1. Map and Track Data and Implement a Data Retention Schedule:
The CPRA includes a 12-month lookback period, which requires that businesses respond to consumer requests based on information collected during the preceding 12 months.
Beginning on January 1, 2023, a business subject to the CCPA will need to disclose the length of time it intends to retain each category of information it collects from a consumer or, alternatively, the criteria it uses to determine that period. This is critical with respect to data minimization.
2. Determine Whether Sensitive Data Is Being Processed:
Several requirements under the VCDPA, CPA, and CPRA are based on whether the company processes “sensitive” data.
Under both the VCDPA and CPA, companies cannot process sensitive data without obtaining affirmative consent from the consumer. Under the CCPA, companies must provide a notice of their collection of sensitive data and an opportunity for consumers to opt out of the sale or sharing of that data.
3. Assess the Need to Complete Data Protection Impact Assessments:
Beginning on January 1, 2023, if a company uses consumer data for sensitive or risky activities, such as targeted advertising, selling consumers’ personal data, and profiling, then the company must conduct a data protection assessment. This is a requirement under the VCDPA, CPA and, following rulemaking, the CPRA.
4. Design an Appeals Process for Data Requests:
A major innovation of the CCPA was the affirmative rights it gives to consumers with respect to their personal information. These rights include the rights to know and delete the personal information a business has collected. Under the CCPA, if the company cannot comply with a consumer’s request to know or to delete, then it must inform the consumer of any rights the consumer has to appeal the decision.
The VCDPA and the CPA require (1) that companies establish an internal process for consumers to appeal any refusal to provide collected data; (2) that the appeals process be conspicuously available and easy to use; and (3) that the appeals process have fixed time periods within which the company must respond (the VCDPA requires a reply within 60 days, the CPA within 45 days).
5. Add an Opt-out Option for Profiling and Targeted Advertising:
Businesses will have to provide consumers with the rights to opt out of profiling and targeted advertising.
6. Review Contracts with Third Parties with Whom You Share Data:
Under both the CPA and the VCDPA, all data processing must be governed by a binding written contract that sets out:
(a) the processor’s duty to delete or return all personal data at the end of the provision of services;
(b) the types of personal data subject to the processing and the duration of the processing;
(c) the instructions to which the processor is bound, including the nature and purpose of the processing;
(d) the processor’s duty to provide all information to the controller necessary to demonstrate compliance with the CPA and VCDPA;
(e) the requirement that processors allow for and contribute to reasonable audits and inspections by the controller.
7. The Digital Services Act (DSA) is a new set of regulations that requires major internet platforms like Facebook, YouTube, and others to do more to tackle the spread of illegal content and other societal risks on their services in the EU. Together with its sister legislation, the Digital Markets Act, it establishes a single set of rules that will apply across the whole EU. The DSA brings:
- Clear rules for dealing with illegal content.
- New rights for users to challenge content moderation decisions.
- More transparency on recommender systems and online advertising.
- Limited restrictions on targeted advertising and deceptive designs.
- General transparency and reporting requirements.
- Obligations for the largest platforms to rein in “systemic risks”.
- Legally mandated data access for external scrutiny.
- New competencies and enforcement powers for the European Commission and national authorities.
8. The first set of requirements in Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, comes into force in Québec. The pending requirements will come into force in increments, in September 2023 and in September 2024. Key changes include:
- Privacy officers: By default, the person with the highest authority within a company (e.g., the CEO) will be considered the “person in charge of the protection of personal information,” a new required role under the amended Act. Companies may delegate this role (essentially a privacy officer) to a member of personnel in the organization or to an external third party, provided the delegation is made in writing.
- Mandatory breach reporting.
- Exceptions to the consent requirement: Amend template agreements to reflect the provisions needed to allow the organization to proceed with a commercial transaction without having to obtain consent.
- Registration for biometric information systems.
A few other considerations for companies beginning their analysis of compliance with the new state laws:
- Procure cyber insurance with a policy limit sufficient to cover potential data breach costs.
- Develop a data privacy incident response plan and train staff on it.
- Cross off any laws whose revenue thresholds mean they do not apply to your company.
- Use data mapping to the organization’s advantage and understand how data is gathered and used.
- Consider limitations on service providers’ use of data.
- Create a retention policy, train employees on it, conduct annual audits, and delete stale data in accordance with applicable law(s) and retention policies.
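The retention schedule from step 1 and the last consideration above (a retention policy, annual audits, deletion of stale data) can be made concrete in code. The following is an added example, not part of the original article or any regulator's guidance: it keeps a per-category retention schedule, flags records that have outlived their period, reports records whose category is missing from the schedule (a gap in the data map that needs a human decision rather than a silent default), computes the 12-month lookback window mentioned under the CPRA, and generates the per-category retention disclosure. The category names, retention periods, sample records and reference date are all constructed for illustration; real periods come from counsel and the applicable law.

```python
from datetime import date, timedelta

# Constructed retention schedule: category -> retention period in days.
# The periods are illustrative placeholders, not taken from any statute.
RETENTION_SCHEDULE = {
    "account_profile": 365 * 3,
    "support_tickets": 365 * 2,
    "marketing_preferences": 365,
    "web_analytics": 90,
}

# Constructed reference date used for the worked example below.
AS_OF = date(2023, 1, 1)

# Constructed sample inventory: each record carries its data category and collection date.
# Record 7 has a category that is absent from the schedule on purpose.
SAMPLE_RECORDS = [
    {"id": 1, "category": "account_profile", "collected": date(2019, 6, 1)},
    {"id": 2, "category": "account_profile", "collected": date(2022, 3, 15)},
    {"id": 3, "category": "web_analytics", "collected": date(2022, 12, 1)},
    {"id": 4, "category": "web_analytics", "collected": date(2022, 9, 1)},
    {"id": 5, "category": "marketing_preferences", "collected": date(2021, 11, 30)},
    {"id": 6, "category": "support_tickets", "collected": date(2020, 12, 31)},
    {"id": 7, "category": "unknown_category", "collected": date(2020, 1, 1)},
]


def retention_deadline(record, schedule=RETENTION_SCHEDULE):
    """Last date on which the record may be kept, or None if its category is unscheduled."""
    days = schedule.get(record["category"])
    if days is None:
        return None
    return record["collected"] + timedelta(days=days)


def classify_records(records, today, schedule=RETENTION_SCHEDULE):
    """Bucket record ids into keep / delete / unscheduled.

    Unscheduled records are neither kept nor deleted automatically: a category
    with no retention period is a data-mapping gap that must be resolved by a person.
    """
    result = {"keep": [], "delete": [], "unscheduled": []}
    for r in records:
        deadline = retention_deadline(r, schedule)
        if deadline is None:
            result["unscheduled"].append(r["id"])
        elif deadline < today:
            result["delete"].append(r["id"])
        else:
            result["keep"].append(r["id"])
    return result


def lookback_window(records, today, days=365):
    """Ids of records collected within the preceding `days` (the 12-month lookback)."""
    cutoff = today - timedelta(days=days)
    return [r["id"] for r in records if r["collected"] >= cutoff]


def retention_disclosure(schedule=RETENTION_SCHEDULE):
    """Privacy-notice lines stating the retention period for each category."""
    return [f"{cat}: retained for {days} days from collection"
            for cat, days in sorted(schedule.items())]


if __name__ == "__main__":
    buckets = classify_records(SAMPLE_RECORDS, AS_OF)
    print("as of", AS_OF, "->", buckets)
    print("records within 12-month lookback:", lookback_window(SAMPLE_RECORDS, AS_OF))
    for line in retention_disclosure():
        print(line)
```

In practice the `delete` bucket feeds an audited deletion job rather than an immediate purge, and the `unscheduled` bucket is the audit finding: every category in the data map should have an entry in the schedule before the job is trusted to run unattended.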