As we head into fall, it’s a good time to take stock of privacy projects to wrap up before the end of the year. Even without final California Privacy Protection Agency rulemaking on the California Consumer Privacy Act or a national privacy law, we know the end of 2022 has some important privacy law changes:
- New requirements with California Privacy Rights Act amendments to CCPA take effect and there is no longer a right to cure CCPA violations before facing a regulatory fine or penalty.
- The CCPA will apply fully to employee data and business-to-business data.
- New York City’s law on the use of automated decision tools in employment and hiring takes effect.
- Virginia's comprehensive privacy law, the Virginia Consumer Data Protection Act, takes effect.
- Use of pre-2021 versions of the EU standard contractual clauses is no longer lawful for cross-border data access or transfers, including with the U.S.
What should you do to get ready? Here’s a to-do list to help your company address these new privacy requirements:
- Address new individual privacy rights and processes.
  - Revise data subject rights processes to address new rights under the CCPA and Virginia’s privacy law, including for correcting personal information, opting out of “sharing” and behavioral advertising, opting out of “profiling,” and limiting use of sensitive personal information.
  - Establish processes to pass correction and deletion requests to third parties, service providers, and others your company has shared personal information with as required by the CCPA.
- Document privacy assessments. Moving forward, have and maintain processes to conduct and document, including as required for attorney general requests, data protection assessments for targeted advertising, “selling” personal data, profiling, processing sensitive data, or processing personal data when there is a heightened risk of harm, all where required under Virginia's privacy law. Do not assume that information security assessments will address these requirements.
- Finalize contract amendments and template updates.
  - Confirm contract templates and key contracts have been updated with new CCPA and other state law requirements for “service providers” and “contractors.” Alternatively, confirm that personal information sharing with such entities complies with applicable “do not sell/share” requirements.
  - The CCPA will also now require written agreements with “third parties,” so confirm contract templates and key contracts have been updated with these new CCPA requirements.
  - Where your company relies on standard contractual clauses for cross-border transfers of personal data from the EU to countries like the U.S., update the contracts to include the updated EU standard contractual clauses by Dec. 27, 2022.
- Address new employee privacy requirements. Update employee and business contact privacy policies, identify where additional notices might be necessary, and develop processes for California applicants, employees, former employees, and dependents and spouses, to submit individual rights requests, including for rights to know, correct, delete, and opt out of “sales” and “sharing.”
- Get sensitive data consents. Adapt data collection processes including on applications and websites to obtain consent before processing sensitive personal information where required under CCPA or Virginia’s privacy law.
- One last chance in California. Before the “right to cure” CCPA violations expires at the end of the year:
  - Validate that your data subject rights processes comply with the detailed requirements in the current CCPA regulations.
  - Make sure your websites are honoring the Global Privacy Control signal and “Do Not Sell” requests, or that you have CCPA-compliant service provider contracts in place with every cookie, tag and tracking technology provider on your website (see our suggestions here).
  - Review the summaries of enforcement actions the California attorney general has released, and make sure none of them justify your company changing current decisions or approaches to the CCPA.
This is a 10-part series intended to help privacy professionals understand the operational impacts of the California Privacy Rights Act, including how it amends the current rights and obligations established by the California Consumer Privacy Act.
There are bills pending in the California Legislature that would amend the CCPA and/or the CPRA or otherwise impact how organizations understand or approach each law, as noted in the IAPP’s “CCPA-/CPRA- Related Legislation Tracker.”