Privacy landscape updates in the USA, and how to practically comply
U.S. privacy briefing: key regulations and updates
The U.S. privacy landscape has seen significant developments in 2022, at both the state and federal levels. This article explains what is coming up in 2023, how to approach compliance effectively, and the benefits of investing in a risk-based approach.
Legislative efforts in Connecticut and Utah have resulted in new state privacy laws: the Utah Consumer Privacy Act (UCPA) and Connecticut’s Personal Data Privacy and Online Monitoring Act (CTDPA). Together with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), and the Colorado Privacy Act (CPA), these five laws represent the main compliance objectives until consensus is reached at the federal level.
On the federal front, the American Data Privacy and Protection Act (ADPPA) is a proposed federal privacy bill that enjoys some bipartisan support and has moved out of the U.S. House Energy and Commerce Committee with a 53-2 margin. However, the bill is currently stuck in the full House due to several objections to the ADPPA’s preemption of state privacy laws, such as the CCPA. The ADPPA would be rather similar to the CCPA, but it is still unclear which one will be stricter.
The intersection of privacy and data security frameworks
All these privacy laws require businesses to design, implement, and manage a plethora of privacy controls, which can prove to be a particularly difficult endeavor. What smart businesses do is take advantage of the areas of overlap between privacy and data security, and determine when existing security frameworks can be leveraged as the foundation for an effective privacy framework and a risk-based approach.
For example, ISO 27001 and 27002 are recognized as the gold standards of data security certification. Together they include the requirements of an Information Security Management System (ISMS) and a framework of security controls that can be used to select the appropriate controls in an ISMS. ISO 27701 is an extension of these standards, specifying the requirements of a Privacy Information Management System (PIMS) implemented on top of the ISMS, and supplementing the framework of security controls with privacy-specific ones.
Similarly, the U.S. National Institute of Standards and Technology (NIST) developed the NIST Cybersecurity Framework as a collection of best practices for identifying, assessing, managing, and communicating security risks. The NIST Privacy Framework was then developed to help organizations understand how their activities can impact individuals’ privacy and how to efficiently integrate privacy practices into their organizational processes, while remaining aligned with the Cybersecurity Framework. Both frameworks are tied together by NIST SP 800-53, a comprehensive catalog of security and privacy controls.
CCPA/CPRA in focus
The California Consumer Privacy Act (CCPA) established new privacy rights for Californians; it was signed into law in 2018 and came into effect at the start of 2020. The California Privacy Rights Act (CPRA, also known as ‘Proposition 24’, as it was a ballot proposition) was passed in late 2020; it has since amended the CCPA, augmented privacy protections for consumers, and established the California Privacy Protection Agency (CPPA). The amended CCPA now applies to covered businesses that process Californians’ personal information, that do business in California, and that meet at least one of the following thresholds:
Have annual gross revenues in excess of $25,000,000;
Alone or in combination, annually buy, sell, or share the personal information of 100,000 or more Californian consumers or households; or
Derive 50% or more of their annual revenues from selling or sharing Californians’ personal information.
The CCPA empowers Californian consumers with the rights to access, to delete, to opt out of sale, and to data portability. It also imposes various obligations on covered businesses, including:
purpose limitation, which means that personal information collected for one purpose shall not be processed for any other, incompatible purpose without first informing the consumers
the implementation of reasonable security procedures
opt-out methods for ‘data subjects’ (i.e. Californian consumers), which allow them to easily inform a business that they no longer wish to have their personal information sold to third parties
transparency: the need to provide privacy notices
the requirement for disclosures to service providers to be governed by a contract that prevents them from using that personal information for any other purpose.
The CPRA expands the existing rights afforded to consumers and introduces new ones, such as the right to correct, to opt out of sharing, and the right to limit the use or disclosure of sensitive personal information (which is a new category of personal information requiring more stringent protections). It also imposes stricter requirements on what the contracts with service providers should stipulate and it introduces new principles to be followed when processing personal information: data minimization and storage limitation. Finally, covered businesses will have to conduct annual cybersecurity audits and regular risk assessments, similar to DPIAs under the GDPR, when processing sensitive personal information or when the processing activity poses significant risks to the consumers’ privacy.
How to practically comply with the CPRA
Covered businesses have to refresh their data inventories and identify whether they are processing sensitive personal information. The data retention policy will then have to include the concepts of data minimization and storage limitation alongside the retention period for each category of personal information. Subject to the upcoming regulations from the California Privacy Protection Agency (CPPA), risk assessments will have to be performed for riskier processing activities. The most time-consuming action might be the assessment and amendment of all contracts with service providers that process personal information on behalf of the business. Covered businesses will then have to amend their privacy notices to include the new consumer rights and add opt-out links on their websites, titled:
“Do Not Sell or Share My Personal Information” (previously, consumers were only able to opt out of the sale); and
“Limit the Use of My Sensitive Personal Information” (previously, consumers could not request this).
Businesses should also ensure that a minimum of two opt-out request methods are offered to consumers.
The many benefits of compliance
The purpose of complying with the applicable privacy laws is not solely the avoidance of fines from regulators. Of course, the fines (such as the recent Sephora $1.2 million settlement) and the associated costs of dealing with an investigation are usually higher than the resources needed to comply in the first place, but such costs are usually finite and clearly defined, and there is much more at stake: trust. A loss of trust, whether in a B2C or B2B context, can have severe repercussions on the growth of a business. It takes time and tremendous effort to cure such a loss of trust, and depending on the severity of the incident, a brand may be stained for decades to come. In other words, compliance mitigates both legal and reputational risks.
Compliance with privacy laws can also act as a source of opportunities. As more and more people become aware of the importance of privacy amid various scandals, respecting users’ privacy becomes a competitive advantage. Although not all businesses will be willing or able to pursue privacy as a differentiator, a growing noncompliant business will eventually reach a point where customers, vendors, or partners start demanding compliance, simply because of the assurances it affords them and because its competitors are already complying. When that point is reached, the business will discover, in horror, that becoming compliant takes longer than a week or a month.
Predictions and trends for 2023 in the U.S.
As previously mentioned, new state privacy laws will become effective in 2023. Here are some key dates:
VCDPA – effective January 1, 2023. There won’t be any implementing regulations.
CPRA – fully operative January 1, 2023. There is one exception: the right to access will apply to consumers’ personal information collected on or after January 1, 2022. Enforcement will only begin on July 1, 2023, subject to delays, as suggested by the recent public meetings of the CPPA. The Agency has yet to finalize the CPRA Regulations and recognizes that this delay could impact businesses’ ability to become compliant by July 2023. These regulations are likely to be finished by March 2023.
CPA – effective July 1, 2023. As for the implementing regulations, they are likely to be finalized around the same time as the CPRA ones.
CTDPA – effective July 1, 2023. There won’t be any implementing regulations.
UCPA – effective December 31, 2023. There won’t be any implementing regulations.
In 2023, the U.S. and the EU are also expected to reach an agreement regarding the Trans-Atlantic Data Privacy Framework, which should allow data to flow freely from the EU to U.S. companies. The White House has already published an executive order in this regard, and now it is the EU’s turn to assess whether the order’s safeguards and guarantees are sufficient. An agreement will not be reached earlier than March 2023.
The elephant in the room is the ADPPA. It remains to be seen how the new 118th Congress will deal with it. Regardless of whether the preemption of state privacy laws is a legitimate concern or a mere wedge issue, we predict that the ADPPA will remain in limbo for at least a few more months. Then, some compromises might be made in order to push its effective date past the 2024 elections.
How Trace can help
In light of all these developments, it can be difficult for an organization to understand what to prepare for, and even when to start preparing. Organizations not only have to remain up to date with such external developments, but also with internal ones. There is no better solution than going through a global privacy audit that precisely identifies areas of improvement before such external developments come to fruition.
Trace conducts such global privacy audits in a focused, holistic, and action-oriented manner, which results in a baseline and a roadmap to help our clients pragmatically tackle gaps and mitigate risks. Don’t hesitate to get in touch for an informal discussion of your needs and to hear more about what we’ve helped our consultancy clients achieve to comply with regulations such as the GDPR and CCPA/CPRA and build trusted frameworks for data.
This article was authored by Trace privacy consultant Bogdan Barburas, CIPP/E, CIPT, CIPM.