January 7, 2022
6 Steps to Compliance with US State Privacy Laws
8 Min Read
The California Consumer Privacy Act (CCPA) was a landmark moment for US privacy legislation. It was the first comprehensive state privacy law to be passed and introduced many new requirements for organizations to contend with. Fast forward two years and the California Privacy Rights Act (CPRA) was passed, amending and strengthening the privacy protections that the CCPA set out.
Compliance with the CCPA and the CPRA would be enough of a challenge for many organizations on its own, but in the first half of 2021 two more states followed California and passed comprehensive data privacy laws of their own. Virginia enacted the Consumer Data Protection Act (CDPA) in March, and Colorado’s legislature passed the Colorado Privacy Act (CPA) in June (signed into law in July). If keeping the initialisms straight – CCPA, CPRA, CDPA, and CPA, not forgetting the California Privacy Protection Agency (CPPA) – isn’t hard enough, wading through their differing compliance requirements will be.
For example, the CDPA and the CPA require individuals to opt in before sensitive personal information is processed, whereas the CPRA works on an opt-out (“limit the use”) basis. Organizations therefore need to keep accurate, per-jurisdiction records of each consumer’s preferences under each applicable law. They should also take note of the differences between the laws’ scope, applicability thresholds, and definitions of concepts such as ‘business’ and ‘service provider’. With the CPRA, CDPA, and CPA all taking effect in 2023, covered entities should be preparing now; the six-step roadmap below is intended to help ensure compliance with each US state privacy law.
The 6 Step Roadmap for Compliance with US State Data Privacy Laws
1. Discover and Map Personal Data
Discovering and documenting the processing of personal and sensitive personal information gives you a clearer picture of what data your organization holds, whom it belongs to, and which regulations it is subject to. It is the foundation of any privacy program: once the inventory exists, you can record the purpose for each processing activity and flag potential risks and policy violations against it.
An accurate and comprehensive data map helps organizations identify gaps in their compliance efforts, visualize data flows, and apply controls where they are needed. Automating the data map not only keeps it current but also lets you derive and enforce the policies and controls that specific regulatory requirements call for. A well-maintained data map also helps privacy teams during privacy audits and in identifying which personal information falls under sectoral and online privacy law exemptions, such as information covered by the Children’s Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), or the Fair Credit Reporting Act (FCRA).
2. Conduct Privacy Impact Assessments
Assessing data processing activities to flag and mitigate privacy risks is not only crucial to understanding how covered entities can better protect personal information; it is also an explicit requirement under the CPRA, CDPA, and CPA. Although each of these state privacy laws requires organizations to perform Privacy Impact Assessments (PIAs), each sets a different threshold for doing so. Under the CPA, for example, a controller may not carry out processing that presents a heightened risk of harm to consumers “without conducting and documenting a data protection assessment of each of its processing activities.” The CDPA spells out its trigger in more detail, stating that an assessment must be conducted for the following processing activities:
- The processing of personal data for targeted advertising
- The sale of personal data
- The processing of personal data for profiling
- The processing of sensitive data
- Processing activities involving personal data that present a heightened risk of harm to consumers
Beyond the differing thresholds for performing PIAs, the laws also differ in what must happen to a completed assessment: Virginia and Colorado allow the Attorney General to request data protection assessments, while the CPRA requires covered businesses to document risk assessments for submission to the CPPA on a regular basis. The CPPA is expected to set out the details of CPRA risk assessments, including their content and cadence, in future regulations.
3. Respond to Privacy Rights Requests
Among the most common complaints supervisory authorities receive are violations of data subjects’ rights. Automating the fulfillment of consumer rights requests end to end helps manage the different rights each state law grants and the different deadlines and response formats each one imposes.
The automated fulfillment process should include identity verification, so that data is released only to the person it belongs to, and redaction, so that information relating to individuals other than the requestor is removed before the response goes out.
It is also worth noting that the CPRA extends consumer rights to employees and job applicants, as the employee exemption in the CCPA expires on January 1, 2023. Organizations should therefore plan for the wider scope of data these requests will cover (HR systems, payroll, recruiting tools) and for the CPRA’s lookback period, which covers personal information collected on or after January 1, 2022.
4. Respect Opt-Out of Sale & Share
The CPRA, CDPA, and CPA all give individuals the right to opt out of targeted advertising, the sale of their personal information, and profiling. The procedures for exercising that right vary, however. The CPA requires data controllers to honor a universal opt-out mechanism that lets consumers exercise all of their opt-out rights in a single action. The CPRA instead requires a business to notify consumers of their right to opt out of the sale of their personal information and of its “sharing” (under the CPRA, disclosure to a third party for cross-context behavioral advertising, whether or not money changes hands). The business’s website must display a “Do Not Sell or Share My Personal Information” link that takes consumers to a page where they can exercise that right.
In preparation for the CPRA, CDPA, and CPA taking effect, organizations should ensure that they offer consumers the required intake methods for opt-out requests and that consumers’ preferences are recorded automatically, with a timestamp and the jurisdiction they were made under. These preferences also need to be propagated downstream to vendors, processors, and other third parties (including ad-tech partners that receive data via tags and pixels) so that an opted-out consumer’s data is not disclosed after the fact.
5. Manage Sensitive Personal Information
The CPRA amends the CCPA to add a category of sensitive personal information, which includes data such as health information, biometric information, and racial or ethnic origin, and requires businesses to post “a clear and conspicuous” Limit the Use of My Sensitive Personal Information link on their websites. In Colorado and Virginia, the CPA and the CDPA instead require businesses to obtain opt-in consent before processing sensitive information. In both states, consent must be affirmative, informed, and clear and unambiguous.
Organizations should therefore provide appropriate mechanisms for obtaining consent and develop notices that clearly explain to consumers what they are consenting to. Businesses must also track how sensitive personal information is used in order to remain compliant with each law: recording opt-in consent in Virginia and Colorado, limiting processing on request in California, and verifying that the recorded preferences are actually being honored by every system that touches the data.
6. Enable Privacy Governance
Businesses should develop and implement privacy governance programs that manage personal information in line with multiple state laws and their varying requirements. Integrating privacy governance workflows into compliance efforts for US state laws helps with mapping data flows and applying the relevant rules based on the specific provisions of the consumer data privacy laws in California, Virginia, and Colorado.
Organizations with strong governance processes can readily highlight gaps in their compliance efforts and flag violations. They can also enforce policies such as data retention, deletion, and minimization, whose requirements differ by state. For example, the original CCPA does not explicitly provide for the data minimization principle, whereas the CPA and CDPA do (and the CPRA adds it to California law as well). Privacy governance programs also help organizations take a proactive approach to managing incidents, monitoring risks, and avoiding violations of state-specific data breach notification requirements.
How OneTrust Helps
OneTrust offers a suite of technology solutions to help organizations operationalize and automate CCPA, CPRA, CDPA, and CPA requirements.
With OneTrust, organizations can maintain an accurate and up-to-date view of the sensitive data processed across the business, automate the rights request lifecycle from intake to fulfillment, enable do-not-sell-or-share, opt-in, and opt-out preferences across web and mobile applications, and comply with incident and breach notification requirements.
Further resources on compliance with US state laws:
- Download the eBook: CCPA vs. CPRA: Next Steps
- Watch the webinar: US Privacy Series: Establishing a Foundation for Compliance
- Read the blog: From CCPA to CPRA: 6 Steps to Compliance
- Keep up to date: Colorado Privacy Act (CPA) Signed Into Law
- Read the news: Virginia’s Consumer Data Protection Act Signed into Law