by Jeremy Feigelson, Avi Gesser, Johanna Skrzypczyk, Michael Bloom, Michael R. Roberts, Tricia Reville, and Kate Saba
The Virginia Consumer Data Protection Act (“VCDPA”) and amendments to the California Consumer Privacy Act (“CCPA”)—enshrined in the California Privacy Rights Act (“CPRA”)—take effect on January 1, 2023. In addition, the Colorado Privacy Act (“ColoPA”) takes effect on July 1, 2023. These developments have companies understandably concerned about complying with a patchwork of state laws.
How can companies prepare?
- Diligently Map and Track Data and Implement a Data Retention Schedule. One added complication to the timeline referenced above is that the CPRA includes a 12-month lookback period, which requires that businesses respond to consumer requests based on information collected during the preceding 12 months. This means that businesses must be prepared to respond to consumer requests based on information collected on or after January 1, 2022. Under the CPRA, upon the adoption of forthcoming regulations, consumer access requests may require that businesses disclose information beyond the 12-month lookback (but collected on or after January 1, 2022) “unless doing so proves impossible or would involve a disproportionate effort.” To comply with the CPRA’s scope and the lookback period, businesses will need to actively map and routinely track the data they collect in 2022 and beyond, including any information that they collect, use, or share.
In addition, beginning on January 1, 2023, at the point of collection, a business subject to the CCPA will need to disclose the length of time the business intends to retain each category of information it collects from a consumer. If this is not feasible, the business can disclose the criteria it uses to determine that period. In order to make such disclosures accurately—and to abide by them—businesses should consider drafting and implementing data retention (and destruction) schedules. The schedules should cover each category of personal information the business collects from consumers. This is all the more important as data minimization becomes further enshrined in U.S. laws and regulations.
- Determine Whether Sensitive Data Is Being Processed. Several requirements under the VCDPA, ColoPA, and CPRA are based on whether the company processes “sensitive” data. Sensitive data can include personal information ranging from a person’s religious beliefs, ethnicity, and mental health status, to genetic or biometric data, to identity card numbers.
Under both the VCDPA and ColoPA, companies cannot process sensitive data without obtaining affirmative consent from the consumer. Under the CCPA, as amended by the CPRA, companies must provide a robust notice of their collection of sensitive data and an opportunity for consumers to opt out of the sale or sharing of that data.
To comply with these obligations, companies should assess whether they process sensitive data, determine the collection points, and implement means for consumers to affirmatively consent to (or in the case of CCPA, opt out of) processing.
- Assess the Need to Complete Data Protection Impact Assessments. Beginning on January 1, 2023, if a company uses consumer data for sensitive or risky activities, such as targeted advertising, selling consumers’ personal data, and profiling, then the company must conduct a data protection assessment. This is a requirement under the VCDPA, ColoPA and, following rulemaking, the CPRA.
Under the VCDPA and ColoPA, the assessment must identify and weigh the benefits of data processing to the controller against the potential risks to consumers. Companies should first determine if they engage in any of the risky or sensitive data activities that require an assessment. If they do, companies should design a process to conduct and maintain the assessment. If a company uses consumer data for targeted advertising or AI activities, it will likely need to conduct an assessment. Designing a process may not be too much of a heavy lift: data protection impact assessments are also required under the General Data Protection Regulation (“GDPR”), and many companies already conduct impact assessments to comply with state data security laws’ requirement that “reasonable safeguards” be in place. This means that some companies may only need to expand their current assessment protocol.
The new privacy laws differ with respect to when these assessments must be conducted and whether and how results must be submitted. Under the VCDPA and the ColoPA, the respective state attorneys general can request a copy of the assessment and evaluate it for compliance. Under the CPRA, companies will likely be required to submit their assessment to the California Privacy Protection Agency “on a regular basis.”
While the VCDPA does not indicate by when a business must conduct the assessment, the ColoPA requires that a business conduct an assessment before processing sensitive data. Interestingly, the VCDPA and the ColoPA are silent as to the frequency with which companies should conduct assessments, the form in which assessments should occur, and the time for which companies should save results.
- Design an Appeals Process for Data Requests. A major innovation of the CCPA was the affirmative rights it gives to consumers with respect to their personal information. These rights include the rights to know and delete the personal information a business has collected. Under the CCPA, if the company cannot comply with a consumer’s request to know or to delete, then it must inform the consumer of any rights the consumer has to appeal the decision. The CPRA retains this requirement. Neither the CCPA nor the CPRA, however, requires that companies create an appeal mechanism.
The VCDPA and the ColoPA add some extra teeth to the rights enshrined by the statutes in the form of an appeals process. Both laws require (1) that companies establish an internal process for consumers to appeal any refusal to provide collected data; (2) that the appeals process be conspicuously available and easy to use; and (3) that the appeals process have fixed time periods within which the company must respond (VCDPA requires a reply within 60 days, ColoPA, within 45 days). The VCDPA mandates that companies provide consumers with a mechanism to contact the Virginia Attorney General in the event the company denies an appeal. The ColoPA only requires that companies inform consumers of their right to contact the Colorado Attorney General with concerns about the results of an appeal.
To comply with these requirements, companies should consider building on existing data subject access request policies to include this appellate process and ensure that their communications to consumers clearly and conspicuously convey to consumers their rights to appeal.
- Add an Opt-out Option for Profiling and Targeted Advertising. Beginning in 2023, businesses will have to provide consumers with the rights to opt out of profiling and targeted advertising. The CCPA, VCDPA, and ColoPA all define profiling as “any form of automated processing” of personal data used to evaluate, analyze, or predict a person’s personal information, such as their economic status, health, personal preferences or interests, etc. The CCPA, VCDPA, and ColoPA define targeted advertising as displaying an advertisement to a consumer that is selected based on a consumer’s personal data obtained from a non-affiliated website.
Both the VCDPA and the ColoPA require companies to provide consumers with an opportunity to opt out of the processing of their data for targeted advertising and profiling. The CPRA brings the sharing of personal information—including for “cross-context behavioral advertising”—within the ambit of the CCPA’s opt-out requirements. Forthcoming regulations under the CPRA will further cover opt-out rights concerning businesses’ use of automated decision-making technology, including “profiling and requiring businesses’ response to access requests-processes, as well as a description of the likely outcome of the process with respect to the consumer.” This opt-out right under the CPRA appears to apply to any profiling, even if a business uses such profiling strictly for internal purposes.
In light of these requirements, which are likely to be onerous to implement in practice, companies would be wise to assess the extent to which they engage in profiling or targeted advertising and the parties involved with those activities so that they can build an effective opt-out mechanism.
- Review Contracts with Third Parties with Whom You Share Data. Under both the ColoPA and VCDPA, all data processing must be governed by a binding written contract that sets out:
- the instructions to which the processor is bound, including the nature and purpose of the processing;
- the types of personal data subject to the processing and the duration of the processing;
- the processor’s duty to delete or return all personal data at the end of the provision of services;
- the processor’s duty to provide all information to the controller necessary to demonstrate compliance with the ColoPA and VCDPA;
- the requirement that processors allow for and contribute to reasonable audits and inspections from the controller; and
- the processor’s duty to ensure each person processing the personal data is subject to a duty of confidentiality.
In addition, the ColoPA requires that the contract clearly allocate responsibility between the controller and the processor for implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the particular processing. Under the ColoPA, the contract should also provide for the controller’s right to object to the processing of data by any subcontractor.
The CPRA likewise imposes new contractual requirements for agreements between businesses, on the one hand, and the third parties, service providers, and contractors (each defined terms) to whom they provide data, on the other hand.
These requirements closely resemble those under GDPR, and, as a result, companies should be able to use their GDPR-compliant agreements as a starting point. Data controllers should review their standard agreements with data processors and contractors and amend them as needed to ensure that they comply with the requirements imposed by these privacy regimes.
While companies must ensure that they comply with each law, below we identify which provisions appear to be the strictest with respect to each requirement to help companies seeking to adopt a one-size-fits-all approach. This assessment is, of course, subject to changes after potential amendments that might emerge from the 2022 legislative sessions as well as the publication of any related regulations, including the forthcoming regulations in California and Colorado.
| Task | Jurisdictions | Highest Common Denominator |
| --- | --- | --- |
| Data Retention Schedule | California | CCPA § 1798.100(a)(3) |
| Sensitive Data Consents | California, Virginia, and Colorado | The VCDPA’s and ColoPA’s affirmative consent requirement is more onerous than the CCPA’s related disclosure and opt-out requirements, and complying with the affirmative consent requirement should satisfy the CCPA’s opt-out requirement. |
| Data Protection Impact Assessments | California (following rulemaking), Virginia, and Colorado | Subject to forthcoming CA regulations, including guidance on the frequency with which assessments must be submitted; compliance with the ColoPA should establish compliance with the VCDPA. |
| Data Request Appeals | Virginia and Colorado | A hybrid approach to compliance is likely required. The ColoPA requires a faster turnaround time for reply, but the VCDPA includes the additional requirement that businesses provide a method for contacting the Virginia Attorney General. |
| Opt-Out for Profiling and Targeted Advertising | California (following rulemaking), Virginia, and Colorado | Subject to forthcoming CA regulations; compliance with either the VCDPA or the ColoPA should establish compliance with the other. |
| Third-Party Contracts | California, Virginia, and Colorado | A hybrid approach to compliance is likely required. Compliance with the ColoPA should establish compliance with the VCDPA, though the CPRA has separate requirements that would need to be satisfied independently. |
Jeremy Feigelson and Avi Gesser are partners, Johanna Skrzypczyk is counsel, and Michael Bloom, Michael R. Roberts, Tricia Reville, and Kate Saba are associates, at Debevoise & Plimpton LLP. This post originally appeared on Debevoise’s Data Blog.
Disclaimer
The views, opinions and positions expressed within all posts are those of the authors alone and do not represent those of the Program on Corporate Compliance and Enforcement or of New York University School of Law. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the authors and any liability with regards to infringement of intellectual property rights remains with them.