New State Privacy Laws: What Do My Business Teams Need to Know?
With three U.S. state comprehensive privacy laws coming into effect within the next two years, companies are wrestling with the key provisions that should be top of mind to ensure compliance with Virginia’s VCDPA, California’s CPRA, and Colorado’s ColoPA.
Despite nuances among each piece of legislation (see our team’s deep dive into VCDPA, CPRA, and ColoPA), there are a handful of concepts that span all three privacy laws as they relate to Personal Information (“PI”). While the bulk of the burden likely will fall on legal and compliance teams, there are certain key concepts that will impact companies’ overall objectives and that business teams should be preparing for now.
1. Data Minimization and Retention
Companies must limit personal data collection and storage to what is reasonably necessary to achieve the related business purpose. This business purpose must be specifically disclosed to the individual at the time of collection.
Accordingly, current information collection practices may need to be modified – and certain data may need to be purged from existing databases. In addition, consider the following:
Compile a list of business objectives that require the collection and storage of PI;
Identify what information is necessary to achieve each business objective;
Determine the length of time PI needs to be stored as it relates to each individual business objective; and
Implement the appropriate controls for both the storage and eventual deletion of PI.
2. Targeted Advertising
Under the VCDPA, ColoPA, and CPRA, consumers will have the right to opt out of targeted advertising. All three states take a similar approach to regulating targeted advertising, in that they cover advertisements designed and delivered using personal data about a consumer’s activities that a company obtains from third parties; however, the VCDPA and ColoPA take a narrower approach than the CPRA.
Under the VCDPA and ColoPA, a consumer’s right to opt-out of targeted advertising applies to information explicitly collected across nonaffiliate websites, rather than advertisements based on activities within a controller’s own websites or online applications.
More broadly, the CPRA’s right to opt out of sharing (which is defined to mean sharing for the purpose of cross-context behavioral advertising) also gives consumers the right to limit sharing for the purpose of targeted advertising, whether or not for monetary consideration, based on the consumer’s activity across distinctly branded websites, other than the business’s own distinctly branded website, application, or service with which the consumer intentionally interacts. Thus, the opt-out right under the CPRA appears to apply in some circumstances to information that a business receives from affiliated entities that do not share common branding with their parent company and uses to generate advertisements.
While many businesses may have previously addressed “do not share” requirements and opt-outs for targeted advertising as part of their existing CCPA compliance, consider the following:
Provide consumers with the ability to set their cookie preferences and turn off advertising cookies on websites and applications related to your business;
Offer an opt-out for contact information and other non-cookie-based PI as needed – and determine how to implement the opt-out across the business;
Update third-party contracts, as necessary, to ensure that the sharing of consumer PI is narrowly restricted (and require third parties to cooperate with the company in addressing consumer requests, as applicable); and
Consider whether certain sharing that may be within a corporate family will trigger additional obligations.
3. Sensitive Data
The concept of “sensitive” data has been introduced to the U.S. through each state’s legislation, although the definitions are not identical. California businesses may generally collect sensitive PI as they do now, but under these new laws, users will have the right to restrict the processing and use of such information.
Conversely, the Virginia and Colorado legislation requires businesses to have users specifically opt in to the collection and ongoing processing and use of sensitive PI. Therefore, certain sensitive data may need to be deleted, or, alternatively, the business should be prepared to ask for opt-in consent, at least for Virginia and Colorado residents.
In addition, your business teams should consider the following:
Segment data fields that may be defined as sensitive. While the scope of sensitive PI varies by legislation, the following list is consistent across all three states:
Racial or ethnic origin
Religious beliefs
Processing biometric information for the purpose of identifying a consumer
Sexual orientation
Health
California Specific: (1) SSN, driver’s license, state ID, or passport numbers, (2) login, financial account, debit/credit card number related to account information, (3) precise geolocation data, (4) philosophical beliefs, (5) union membership, (6) non-business-related contents of mail, email, text messages
Virginia Specific: (1) personal data collected from a known child, (2) precise geolocation data, (3) citizenship or immigration status
Colorado Specific: (1) personal data collected from a known child, (2) citizenship or immigration status
Make a business decision whether to treat data as sensitive if it is defined as such in any state, or whether to address compliance on a state-by-state basis;
Review the sensitive data that is important or necessary to continue to store and use;
Determine how to obtain the necessary consent and/or offer an ongoing opt-out for storage and use of sensitive data; and
Enhance and reinforce internal security measures for accessing sensitive PI.
4. Automated Decision Making
All three pieces of legislation outline the concept of automated processing of PI to analyze or predict (1) consumer interests, (2) behavior, (3) location, (4) economic situation, (5) reliability, (6) personal preferences, (7) health, and (8) movements. The CPRA also includes an individual’s performance at work in this list.
The CPRA provides consumers with the Right to Access Information about Automated Decision Making and the Right to Opt-out of Automated Decision Making. Similarly, both the VCDPA and ColoPA provide consumers with the Right to Opt-out of Profiling.
If your business uses PI to analyze or predict user behavior, typically in connection with online advertisement or employment, consider the following:
Whether your business engages in automated processing – particularly in the marketing or employment context;
How your business will provide the required opt-outs – and implement those opt-outs – from this automated processing; and
Whether there are certain business activities that should be limited in light of this change in regulation.
5. Data Processing Impact Assessments
The three states introduce the concept of Data Processing Impact Assessments (DPIA), a concept that GDPR-compliant businesses will be familiar with, but which is new in the U.S.
While specific DPIA regulations for the CPRA are forthcoming, we do know that, under both the VCDPA and ColoPA, DPIAs will be required for targeted advertising, data sales, sensitive data, profiling, and other instances where there are heightened risks. Companies should note that these assessments may be disclosed to the Attorney General in the event of an investigation or upon request. In addition, your teams should consider the following:
Determine which activities require DPIAs under the legislation;
Create processes and templates for completing DPIAs as required; and
Institute longer lead times internally to account for the assessments required under these new statutes.
Originally published by InfoLawGroup LLP.