Considering 2022 is just days old, it certainly feels early to start planning for 2023. However, at least three U.S. state privacy laws are set to come into effect in 2023 (California Privacy Rights Act of 2020, Colorado Privacy Act and the Virginia Consumer Data Protection Act), and there is the distinct possibility more laws (both in the U.S. and globally) will follow this year. And this is while companies also work to address new or anticipated privacy laws across the globe (Brazil, China, India and Saudi Arabia, along with major changes in Europe). There just is not time to delay planning for 2023. 

Preparation and an organized strategic approach are always key elements to successfully navigating this changing landscape. Every organization’s privacy needs will be impacted by a variety of factors, including type of business, global footprint, other applicable regulatory regimes and requirements, and general approach to compliance and risk. Nevertheless, the steps set out below will help companies get organized and head into 2022 with a meaningful strategy for 2023 and whatever else the privacy world throws our way.

  1. Take stock of your current program

Even without facing new and updated privacy laws, every organization should evaluate its privacy program at least once a year. The best way to conduct this review will vary, but one useful way to proceed is to develop a questionnaire or checklist to help identify where updates to the privacy program may be needed. Regardless of approach, the review needs to address significant changes in data flows (e.g., the addition by a traditionally business-to-business company of a consumer-facing line of business or entity), geographical footprint, technology transformations, size — either from an employee number or revenue standpoint — and other issues that significantly impact the privacy profile of the organization. Companies also need to understand their role with regard to personal data (e.g., processor or controller) to properly address the obligations of applicable law.

This information is key to identifying updates or changes needed for the underlying privacy program and documentation. Such updates will often impact records of processing/data maps, online or internal privacy policies or notices, privacy terms with service providers or business partners, as well as technical updates to facilitate updated or new data subject rights (e.g., the new right to opt out of sharing, the Do Not Share right, under the CPRA). Depending on the jurisdictions involved, more significant changes may also require the completion of legitimate interest assessments, data protection impact assessments, the appointment or approval of a data protection officer and the amendment or implementation of intracompany data transfer agreements.

  2. Confirm what laws apply to your organization

In addition to understanding the current state of your organization’s privacy program, it is important to understand what and how new or updated privacy laws might apply. For example, each of the U.S. state privacy laws has a certain threshold that must be triggered before an organization is subject to the law.

In California, covered entities are those with a gross annual revenue over $25 million; entities that buy, receive or sell the personal information of 50,000 or more California residents, households or devices (the CPRA increases this threshold to 100,000 and removes devices that are not identifiable to consumers or households from the scope of the threshold calculation); or entities that derive 50% or more of their annual revenue from selling California residents’ personal information. Colorado’s Privacy Act applies to entities that control or process personal data of at least 100,000 Colorado consumers per year, or control or process personal data of at least 25,000 Colorado consumers and derive revenue or receive a discount on the price of goods or services from the sale of personal data. Virginia’s law takes a similar approach to Colorado’s threshold requirements and applies to entities that control or process personal data of at least 100,000 Virginia consumers per year, or control or process personal data of at least 25,000 Virginia consumers and derive over 50% of their gross revenue from the sale of personal data.

Also, the scope of information covered by each law varies. For example, the CPRA broadens the current scope of the California Consumer Privacy Act to include HR data as well as B2B data, while both the new Colorado and Virginia laws expressly exclude such data. Organizations should also consider their practical risk when assessing these laws. For example, a company with significant U.S. data collections and limited European data collections will likely need to prioritize its efforts to address the new U.S. privacy laws before trying to build a comprehensive General Data Protection Regulation privacy program.

  3. Be flexible and anticipate further changes

With the barrage of changes in privacy laws, companies must focus on building a privacy program that allows new privacy requirements to be folded into a consolidated program rather than an approach that just tacks on country- or state-specific requirements. While separate GDPR or California sections in privacy notices and procedures made sense for many organizations as an initial approach, it will almost certainly be more practical to transition to a geography-neutral (or at least country- or region-neutral) program that meets the requirements of new state laws and does not necessarily distinguish between residents of different states. With exceptions where required, this may mean providing privacy disclosures that meet high water mark disclosure requirements (i.e., provide more information than is required in certain states or jurisdictions) or offering a consolidated set of data subject/consumer rights even if some or all of these rights are not mandated by law in a particular place. This is not an easy undertaking, however, and companies that do move toward this consolidated approach will need to be sure they can and will meet any privacy promise they make to individuals even if such promises are not mandated by law. A promise made in a privacy notice is enforceable as a representation even where no statute requires it.

  4. Connect early and often with key stakeholders

As companies learned with the GDPR and CCPA, privacy teams cannot address new privacy laws in a vacuum without crucial assistance from many other stakeholders across the organization (IT, HR, legal, marketing, etc.).  Like many privacy teams themselves, these different business teams are often stretched thin — both from a resource and budget standpoint — and may be frustrated with continued requests for assistance after the heavy lifts required by the GDPR and CCPA. Therefore, privacy teams really must plan ahead to identify key stakeholders for coming updates and engage with them early to understand what competing priorities might be on the horizon and whether there are any key deadlines that must be considered (e.g., a deadline on making technical system changes close to the end of the year or a transition to a new website provider that will foreclose changes to the website during a particular period of time). 

  5. Pay particular attention to cookies and adtech strategy

Few issues are creating more uncertainty right now than those related to the use of cookies and similar technologies, particularly for online behavioral advertising or similar types of consumer tracking and profiling. Companies have struggled to implement meaningful technical solutions (e.g., a cookie consent manager) to address EU opt-in requirements, and there has been significant confusion under the CCPA regarding which of these online activities constitute a “sale.” Similarly, under California and Colorado law, organizations are required to honor a universal opt-out preference signal such as the Global Privacy Control, but regulators have yet to provide meaningful guidance on how this can actually be accomplished. Hopefully, pending regulations will provide specific, actionable guidance in the coming months. In the meantime, though, companies must start by understanding what they have actually deployed on their websites and mobile applications (an inventory of first- and third-party cookies, pixels and SDKs, and the purpose each serves) and kick off the process of determining how they will provide consumers with the required control over such technologies (e.g., a universal opt-out via a Do-Not-Share button, an opt-in to certain or all non-essential cookies or a potential limiting of the use of cookies to help decrease compliance obligations). Starting the process now will significantly ease the burden of next steps once the actual path to compliance is clearer.
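The following is an added example, not code from the original article, showing one way a site can gate non-essential cookies and adtech tags on stored consent while honoring the Global Privacy Control signal. The browser expresses GPC to a server as the request header `Sec-GPC: 1` (and to page script as `navigator.globalPrivacyControl`). The purpose names, the consent-cookie format, the tag catalog and the policy that GPC overrides an earlier consent to "ads" are assumptions made for this illustration, in the high water mark spirit of section 3.

```javascript
// Added example (not the article's code). Decides which non-essential purposes
// may run for a request, honoring Sec-GPC as a universal opt-out of sale/sharing.
// Purpose names and the consent-cookie format are assumptions for illustration.

const NON_ESSENTIAL_PURPOSES = ['analytics', 'ads'];

// Parse a Cookie request header into a name -> value map.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Parse the assumed consent cookie, e.g. "analytics=1&ads=0", into booleans.
// Opt-in model: any purpose not explicitly set to "1" is treated as not consented.
function parseConsent(value) {
  const consent = {};
  for (const purpose of NON_ESSENTIAL_PURPOSES) consent[purpose] = false;
  if (!value) return consent;
  for (const pair of value.split('&')) {
    const [k, v] = pair.split('=');
    if (NON_ESSENTIAL_PURPOSES.includes(k)) consent[k] = v === '1';
  }
  return consent;
}

// True when the browser sent a Global Privacy Control signal. Header names are
// case-insensitive; the GPC specification defines "1" as the only valid value.
function gpcSignalled(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  return false;
}

// Policy (assumed for the example): essential always runs, analytics and ads need
// explicit opt-in, and a GPC signal is a valid opt-out of sale/sharing that
// overrides any earlier consent for the "ads" purpose.
function decidePurposes(headers) {
  const consent = parseConsent(parseCookies(headers.cookie).consent);
  const gpc = gpcSignalled(headers);
  const allowed = {
    essential: true,
    analytics: consent.analytics,
    ads: consent.ads && !gpc,
  };
  const reasons = [];
  if (gpc) reasons.push('Sec-GPC: 1 received; sale/share (ads) opted out');
  if (!consent.analytics) reasons.push('no analytics consent');
  if (!consent.ads) reasons.push('no ads consent');
  return { allowed, gpc, reasons };
}

// Produce the allow-list of script URLs the page template may emit, so that no
// third-party tag for a blocked purpose is ever loaded rather than loaded and
// then asked not to set cookies.
function tagsToLoad(decision, tagCatalog) {
  return tagCatalog.filter((t) => decision.allowed[t.purpose]).map((t) => t.src);
}

// Constructed sample tag catalog and requests (hypothetical hosts).
const CATALOG = [
  { src: 'https://www.example.test/js/app.js', purpose: 'essential' },
  { src: 'https://analytics.example.test/a.js', purpose: 'analytics' },
  { src: 'https://ads.example.test/pixel.js', purpose: 'ads' },
];
// Consent cookie value is "analytics=1&ads=1", URL-encoded as a cookie value.
const consentedRequest = { cookie: 'session=abc; consent=analytics%3D1%26ads%3D1' };
const gpcRequest = { 'Sec-GPC': '1', cookie: 'session=abc; consent=analytics%3D1%26ads%3D1' };
const noConsentRequest = { cookie: 'session=abc' };

if (typeof require !== 'undefined' && require.main === module) {
  for (const req of [consentedRequest, gpcRequest, noConsentRequest]) {
    const decision = decidePurposes(req);
    console.log(tagsToLoad(decision, CATALOG), decision.reasons);
  }
}
```

The same decision should be mirrored in page script with `navigator.globalPrivacyControl` for single-page flows that never hit the server before loading tags, and the server should record the GPC-derived opt-out against the user's profile so it persists beyond the one request.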

  6. Develop an approach for contractual updates

Many organizations engaged in time- and labor-intensive updates to their agreements in order to meet the obligations of the GDPR and then the CCPA. While comprehensive privacy and security terms should generally address the requirements of pending privacy laws, it will be important to revisit templates to make any additional required adjustments so they are broad enough to cover new states or countries. Privacy teams should work with their procurement and other teams to make sure any updated templates are included in the contracting process, and should connect with key service providers early to understand how and when they will be adapting their own terms (as many larger providers require customers to use the providers’ privacy terms with limited or no changes). Organizations acting as service providers should similarly identify any additional updates and communicate early with customers to smooth any updates and avoid a deluge of last-minute demands.

Conclusion

There is no “right” way for a company to prepare for new state and global privacy laws. Nevertheless, the steps set out above are intended to help companies shape the approach that is right for them. In the long run, taking the time to get organized and really work towards building a privacy program that anticipates change will pave the way for a more mature and effective effort overall.
