Chatter regarding comprehensive U.S. state privacy law picked up steam once again as the calendar turned to 2023. State legislative sessions are ready to commence and questions are swirling about which states could make a run at, or ultimately pass, legislation.
However, the story of 2023 might be more about handling previously passed state laws. A compliance extravaganza kicked off Jan. 1, as the California Privacy Rights Act and the Virginia Consumer Data Protection Act took force. Laws in Colorado, Connecticut and Utah will also go live at different points in 2023.
"Jan. 1 was an important date for a number of reasons. But in many respects, we are only at the start of this process in the U.S.," Husch Blackwell Partner David Stauss, CIPP/E, CIPP/US, CIPT, FIP, PLS, said. "As a privacy community, we need to agree to no longer have privacy laws go into effect on January 1. It just hurts. We'd all be better off with a date like Feb. 28."
At a high level, states lumping together effective dates appears to favor companies and privacy professionals. Compliance efforts can be done in one shot, under one deadline. That's easier said than done when each law carries its own nuances, which is the case with California and Virginia.
Convergence and divergence
The CPRA amends the existing California Consumer Privacy Act and hands enforcement power to the California Privacy Protection Agency. Changes to the original statute include a higher threshold for covered entities, a new category for sensitive personal information, enhanced children's privacy provisions and expanded notification requirements. Notably, CPRA regulations are pending final approval ahead of July 1 enforcement.
Virginia's law incorporates CPRA principles, including language for data subject rights, contract requirements and privacy policy obligations. Red Clover Advisors founder and CEO Jodi Daniels, CIPP/US, indicated the shared provisions do allow for some streamlined compliance planning.
"Ensuring vendor contracts are updated and vendor due diligence has been performed is also important for both California and Virginia, as is performing privacy impact assessments," Daniels said. "Companies are then trying to figure out, once the baseline is created, how they maintain it all and keep the data inventories updated, while also catching new activities that need impact assessments."
The differences between the two laws are "significant" in terms of privacy compliance, according to WilmerHale Senior Associate Ali Jessani.
"California requires certain contractual provisions between businesses and 'third parties' — entities that are not service providers or processors in relation to a business — while Virginia does not," Jessani said. "Virginia, meanwhile, requires consent for the processing of sensitive data, while California only provides residents the right to 'limit' the use of their sensitive personal information for specific purposes."
The Virginia General Assembly has already begun tinkering with the statute further, using the 2022 legislative session to pass amendments to the law before it took effect.
CPRA rulemaking looms large
Another key difference weighing on privacy professionals is the promulgation of additional rules, which the CPRA provides for but Virginia's law does not. Daniels said businesses are "really concerned" about whether the CPPA will arrive at "any surprises" once the CPRA regulations are finalized.
It's been almost a year since CPPA Executive Director Ashkan Soltani announced a likely delay in the CPRA final regulations. In February 2022, Soltani said finalized regulations were likely to land sometime in the third or fourth quarter of the year, past the original July 1, 2022 deadline. That estimated end-of-year target also passed without finalization. Soltani recently said the regulations are now expected to be finalized later in January and to take effect in April, several months after the statute itself took force on Jan. 1.
"I think everyone, including businesses, privacy professionals and even the California Privacy Protection Agency, is in a difficult position," Stauss said. "The agency worked hard to get regulations as far along as possible, but the timeframe was impossible. If we could just go into the CPRA and move all of the deadlines back by a year, everyone involved in the process would be better off."
Stauss added that some businesses may have paused their compliance programs until CPRA rulemaking is complete, so that any gaps the final regulations reveal can be closed in one pass.
On the other hand, Jessani indicated some companies might be hyper-focused on CPRA compliance, with or without final regulations, given the tweaks and additions the CPRA makes to the CCPA. He said that heightened attention on California can come at the expense of efforts to work through Virginia's own complexities.
"Companies may be more focused on California compared to Virginia because of California’s history with the CCPA and because it will have a dedicated privacy regulator," Jessani said. "To the extent that companies have focused on Virginia, it has been part of a broader effort to comply with all of the state privacy laws going into effect in 2023."