Chatter regarding comprehensive U.S. state privacy law picked up steam once again as the calendar turned to 2023. State legislative sessions are ready to commence and questions are swirling about which states could make a run at, or ultimately pass, legislation.
However, the story of 2023 might be more about handling previously passed state laws. A compliance extravaganza kicked off Jan. 1, as the California Privacy Rights Act and the Virginia Consumer Data Protection Act took force. Laws in Colorado, Connecticut and Utah will also
At a high level, states lumping together effective dates appears to favor companies and privacy professionals. Compliance efforts can be done in one shot, under one deadline. That's easier said than done when each law amends the existing California Consumer Privacy Act and hands enforcement power to the California Privacy Protection Agency. Changes to the original statute include a higher threshold for covered entities, a new category for sensitive personal information, enhanced children's privacy provisions and expanded notification requirements. Notably, the regulations incorporate CPRA principles, including language for data subject rights, contract requirements and privacy policy obligations. Red Clover Advisors founder and CEO Jodi Daniels, CIPP/US, indicated the shared provisions do allow for some streamlined compliance planning.
"Ensuring vendor contracts are updated and vendor due diligence has been performed is also important for both California and Virginia, as are performing privacy impact assessments," Daniels said. "Companies are then trying to figure out, once the baseline is created, how they maintain it all and keep the data inventories updated, while also catching new activities that need impact assessments."
The differences between the two laws are "significant" in terms of privacy compliance, according to WilmerHale Senior Associate Ali Jessani.
"California requires certain contractual provisions between businesses and 'third parties' — entities that are not service providers or processors in relation to a business — while Virginia does not," Jessani said. "Virginia, meanwhile, requires consent for the processing of sensitive data, while California only provides residents the right to 'limit' the use of their sensitive personal information for specific purposes."
The Virginia General Assembly has already begun tinkering with the statute further, using the 2022 legislative session to
"I think everyone, including businesses, privacy professionals and even the California Privacy Protection Agency, are in a difficult position," Stauss said. "The agency worked hard to get regulations as far along as possible, but the timeframe was impossible. If we could just go into the CPRA and move all of the deadlines back by a year, everyone involved in the process would be better off."
Stauss added some businesses may have paused compliance programs until CPRA rulemaking is complete to ensure all potential compliance gaps are filled.
On the other hand, Jessani indicated some companies might be hyper-focused on CPRA compliance — with or without final regulations — given the tweaks or additions to the CCPA. He said such increased attention brings unintended consequences with efforts to comply with Virginia's complexities.
"Companies may be more focused on California compared to Virginia because of California’s history with the CCPA and because it will have a dedicated privacy regulator," Jessani said. "To the extent that companies have focused on Virginia, it has been part of a broader effort to comply with all of the state privacy laws going into effect in 2023."