Cybersecurity & Data Privacy

The new year is right around the corner, and with it, comes five new U.S. state privacy laws. On January 1, 2023, both the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA) become effective. The Colorado Privacy Act (ColoPA) and Connecticut Data Privacy Act (CTPA) become effective later in the year on July 1, 2023 with the Utah Consumer Privacy Act (UCPA) following on December 1, 2023. Businesses should act now to ensure they are prepared and organized for the additional regulation that 2023 will bring, especially for the laws that will kick off the new year on January 1.

Generally, these state comprehensive privacy laws regulate businesses’ uses of personal data of their residents and provide increased consumer protections regarding such data. While these laws contain numerous nuances, below is a condensed list of particularly important activities each business subject to these laws will want to conduct in order to facilitate compliance before January 1, 2023.

• Audit and review all data-related operations to map out what personal data your business has, how you collect and use it, who has access to it, and where you store it.
• Review privacy policies and notices to ensure you disclose the proper information therein, including information about consumer rights, such as a consumer’s right to access, delete, and correct the consumer’s personal data and to opt out of certain information processing, as well as how to utilize those rights.
• Develop a sufficient method for obtaining consumer consent where required.
• Update data processing agreements with third-party contractors to include all necessary provisions and protections for your personal data.
• Evaluate technological and security controls to ensure adequate protection of your personal data.
• Implement procedures to handle consumer requests, including processes to receive and timely respond to requests and allow consumers to appeal your decisions, if required.
• Ensure adequate record keeping policies are in place to document compliance, including to ensure you purge personal data when you no longer need it.
• Conduct and document data protection assessments as necessary, such as to engage in targeted advertising or profiling.

There are additional considerations for businesses subject to these comprehensive privacy laws, and compliance can take substantial effort and time. Because there is significant overlap between these laws, it may be more cost-effective and efficient for your business to review and update its data privacy practices in accordance with all of the applicable laws at once. Lewis Rice’s Cybersecurity & Data Privacy group is well-versed in the compliance process and has developed resources to assist clients with reaching and maintaining compliance with these laws.

If you have any questions about complying with these laws or other data privacy laws, or need assistance reviewing your data privacy practices for 2023, please contact one of our Cybersecurity & Data Privacy attorneys. For more information, you can also check out the resources found on our U.S. State Privacy Laws page.