As we head into fall, it’s a good time to take stock of privacy projects to wrap up before the end of the year. Even without final California Privacy Protection Agency rulemaking on the California Consumer Privacy Act or a national privacy law, we know the end of 2022 has some important privacy law changes:

  • New requirements under the California Privacy Rights Act amendments to the CCPA take effect, and there is no longer a right to cure CCPA violations before facing a regulatory fine or penalty.
  • The CCPA will apply fully to employee data and business-to-business data.
  • New York City’s law on the use of automated decision tools in employment and hiring takes effect.
  • Virginia's comprehensive privacy law, the Virginia Consumer Data Protection Act, takes effect.
  • Pre-2021 versions of the EU standard contractual clauses are no longer lawful for cross-border data access or transfers, including with the U.S.

What should you do to get ready? Here’s a to-do list to help your company address these new privacy requirements:

  • Address new individual privacy rights and processes.
    • Revise data subject rights processes to address new rights under the CCPA and Virginia’s privacy law, including correcting personal information, opting out of “sharing” and behavioral advertising, opting out of “profiling,” and limiting use of sensitive personal information.
    • Establish processes to pass correction and deletion requests to third parties, service providers, and others your company has shared personal information with as required by the CCPA.
  • Document privacy assessments. Moving forward, have and maintain processes to conduct and document (including as required for attorney general requests) data protection assessments for targeted advertising, “selling” personal data, profiling, processing sensitive data, or processing personal data when there is a heightened risk of harm, all where required under Virginia's privacy law. Do not assume that information security assessments will address these requirements.
  • Finalize contract amendments and template updates.
    • Confirm contract templates and key contracts have been updated with new CCPA and other state law requirements for “service providers” and “contractors.” Alternatively, confirm that personal information sharing with such entities complies with applicable “do not sell/share” requirements.
    • The CCPA will also now require written agreements with “third parties,” so confirm contract templates and key contracts have been updated with these new CCPA requirements.
    • Where your company relies on standard contractual clauses for cross-border transfers of personal data from the EU to countries like the U.S., update the contracts to include the updated EU standard contractual clauses by Dec. 27, 2022.
  • Update consumer privacy notices and policies. Make sure they cover new requirements under Virginia's privacy law and the CPRA, including personal information retention practices, and new and updated data subject rights. Where presenting a notice of privacy practices at the point of data collection, make sure that you are complying with new requirements to link directly to specific sections of your privacy policy.
  • Address new employee privacy requirements. Update employee and business contact privacy policies, identify where additional notices might be necessary, and develop processes for California applicants, employees, former employees, and dependents and spouses, to submit individual rights requests, including for rights to know, correct, delete, and opt out of “sales” and “sharing.”
  • Get sensitive data consents. Adapt data collection processes, including on applications and websites, to obtain consent before processing sensitive personal information where required under the CCPA or Virginia’s privacy law.
  • One last chance in California. Before the “right to cure” CCPA violations expires at the end of the year:
    • Validate that your data subject rights processes comply with the detailed requirements in the current CCPA regulations.
    • Make sure your websites are honoring the Global Privacy Control signal and “Do Not Sell” requests, or that you have CCPA-compliant service provider contracts in place with every cookie, tag and tracking technology provider on your website.
    • Review the summaries of enforcement actions the California attorney general has released, and make sure none of them justify your company changing current decisions or approaches to the CCPA.