2023 State Data Privacy Laws Overview

2022 was a big year for data privacy in the U.S., with many states passing or considering data privacy legislation and the American Data Privacy and Protection Act (ADPPA) clearing the House Energy and Commerce Committee before stalling without a floor vote in either chamber. Had it passed, it would have been the first comprehensive national data privacy law in the U.S., preempting many of the state-level provisions. With 2022 in the rearview mirror, it's time to look ahead to what awaits data privacy in 2023. Five new state-level laws come into effect this year, including the CPRA, which amends and expands the CCPA. Over the coming days we'll look at each one and review how it changes the data privacy landscape.

The state laws coming into effect in 2023 share many core tenets, and in many respects they resemble the European Union's General Data Protection Regulation (GDPR). Though the language varies from statute to statute, each law requires businesses and data controllers to honor a set of consumer privacy rights: the right to access their personal data, the right to correct inaccuracies in it (absent from the Utah Consumer Privacy Act), the right to have it deleted, the right to obtain a copy of it, the right to opt out of its sale, and the right to opt out of targeted advertising.

Data controllers subject to these statutes must also provide consumers a privacy notice describing how they handle personal data, and some of the 2023 laws further require controllers to state how long they retain each category of data and why. Every 2023 statute also requires controllers to implement and maintain reasonable security practices to protect consumers' personal data. What counts as "reasonable" varies from statute to statute and is generally judged against the sensitivity and volume of the data held, but the inclusion of this requirement will help protect consumers' sensitive personal data.

Our 2023 State Data Privacy Laws series will look at the requirements in each statute and at how the statutes differ from one another. The similar, familiar core of these laws should make general compliance manageable, but there are tedious edge cases that will only get more complicated as more states pass their own laws. Sooner or later there will be a need for a single nationwide data privacy law like the one we nearly saw in 2022. Whether or not 2023 builds on what the ADPPA started, states certainly won't wait for Congress to act.


What is a Privacy Impact Assessment? Does My Business Need One?

Privacy regulation is advancing across the US and stops for no one, so what does it take to keep up? As more regulations follow the example of GDPR and CPRA, more companies than ever will be newly bound to rigorous privacy standards. Meeting those standards requires a standardized way of assessing data systems for privacy risk, which is exactly the role a Privacy Impact Assessment (PIA) fills. PIAs are therefore set to become an invaluable asset both for organizations newly assessing privacy risk because legislation demands it and for privacy-conscious organizations maintaining their existing posture, so it's a good time to look at what a PIA is, whether you need one, and what it entails.

What it is

Essentially, a PIA is a tool that enables organizations to identify, categorize, and ultimately remediate the privacy risks present in their data systems, measured against the relevant legal standards. It has three objectives: to verify that the data system conforms to organizational and legal privacy requirements, to determine the privacy risks present in the system, and to evaluate measures that mitigate the risks identified.

Who Needs it

Knowing what a PIA is and what it aims to do, the natural follow-up question is who needs one. That depends largely on the regulations your business must abide by; different frameworks require these assessments at different stages of data handling. Odds are, however, that if you are bound by privacy legislation and handle customer Personally Identifiable Information (PII), you will at minimum be required to conduct a PIA when that data is newly processed or sold. A PIA is also highly advised, if not required outright, whenever significant changes or additions are made to the data system's structure or processes.

Even beyond the explicitly required cases, almost any organization that handles PII should consider conducting these assessments at least every three years. Remember that they aren't just a box to tick for compliance's sake: they exist to protect consumer information from undue exposure, and thereby to protect the company that would be held liable for it. At its core, a PIA is a risk mitigation tool and should be treated as one.

How it Works

So, if you decide to conduct a PIA, what exactly does it involve? Generally, the assessment consists of both an analysis process and a report document. The process will again vary with the regulatory requirements an organization faces, but it typically includes steps like the following:

  • Identify the scope of the assessment, along with the staff and stakeholders associated with in-scope systems
  • Categorize the data held according to its sensitivity
  • Map technically where and how information flows through the system: from acquisition to storage, transfer, use, and disposal
  • Analyze and catalog privacy risks based on the data system's current state, considering non-technical privacy impacts as well (for example, how easily an otherwise safe process can be explained to concerned consumers)
  • Determine whether the risk of holding each type of PII is proportional and reasonable relative to its business purpose
  • Consider mitigating measures that could further protect the data system's privacy, both for data already held and for data gathered in future

At the conclusion of these steps, a PIA report should be prepared documenting the results. The report should be easy to interpret and should cover every step and consideration taken; online templates and privacy consultants can help here. Once the report is complete, ensure it is published and sent wherever regulation requires. Ultimately, the PIA report is a living document: review it whenever progress is made on implementing its recommendations or whenever changes to the system are documented.

With the PIA's goals, use case, and process in mind, you should now have a clearer picture of these assessments. Like many system assessments, the process can seem daunting at first, but with practice it becomes a tremendously helpful tool in your GRC toolbox, helping you adapt and thrive in a privacy-conscious future.

Need some help conducting your Privacy Impact Assessment? Let CyberData Pros carry one out for you, from scoping to publication. Contact us now for a free consultation and to learn more about our services.


What the CPRA Means for Marketers

Customer data compliance is like navigating murky waters at the best of times: it requires watertight policies, and new threats keep approaching. The next one is the CPRA (California Privacy Rights Act), which amends and extends the already established CCPA (California Consumer Privacy Act) and comes into full effect on January 1, 2023. From that point, the rights the CPRA establishes apply to personal information collected since January 1, 2022, a year earlier. Clearly there's little time to waste in becoming compliant, so we won't waste any in unnecessary detail; here's a quick breakdown of what the act means for marketers.

First: Who Does CPRA Apply To?

CPRA holds businesses, service providers, third parties, and (extending CCPA) contractors accountable for different sets of obligations. For marketing companies the most relevant are the business requirements, so let's focus on how those have evolved from CCPA:

A "business" under CPRA is a for-profit legal entity that collects consumers' personal information, determines (alone or jointly with others) the purposes and means of processing it, does business in California, and meets at least one of the following criteria:

  • Had annual gross revenue in excess of $25 million in the preceding calendar year
  • Annually buys, sells, or shares the personal information of 100,000 or more consumers or households
  • Derives 50% or more of its annual revenue from selling or sharing consumers' personal information

While these thresholds leave many small to midsize businesses and nonprofits exempt for now, marketers should pay special attention to the second and third criteria: they are the ones that catch most marketing agencies, especially as they grow.

Second: What does CPRA compliance mean?

Since CPRA amends CCPA, you need to understand both to be fully compliant. Here are the rights the acts establish for California consumers:

  • The Right to Know what personal information was collected, how and why it was collected, and what was done with it
  • The Right to Delete personal information collected from them
  • The Right to Opt-Out of the sale or sharing of their personal information
  • The Right to Opt-In before any sale or sharing of their personal information (if the consumer is under 16)
  • The Right to Correct inaccurate personal information
  • The Right to Limit the Use and Disclosure of "sensitive" personal information
  • The Right to Initiate a Private Cause of Action when their data is breached as a result of a business's failure to maintain reasonable security
  • The Right to Non-Discrimination: no unfair treatment for exercising any of these rights

Past guaranteeing these rights, there are a few other big-hitter standards to be aware of for CPRA compliance:

  • Sensitive Personal Information: CPRA designates certain categories of data as "sensitive", such as government identifiers (Social Security, driver's license, or passport numbers), account log-in credentials, precise geolocation, and genetic, biometric, and health data. Businesses must disclose how they use this data, and consumers have the right to limit its use and disclosure to what is necessary to provide the goods or services they requested.
  • Data Minimization: Collection, use, and retention of personal information must be reasonably necessary and proportionate to the purpose for which it was collected.
  • Risk Assessments: Certain kinds of collection and use of data will mandate a risk assessment beforehand, and this requirement is likely to expand as the California Privacy Protection Agency issues its regulations.
  • Data Deletion: When a consumer requests deletion, businesses must not only delete the data on their end but also notify their service providers, contractors, and third parties to do the same.
  • Contracts: Businesses must put CPRA-compliant contracts in place with service providers, contractors, and third parties before disclosing personal information to them.
  • Cross-Context Behavioral Advertising: Advertising that targets a consumer based on activity tracked across businesses, websites, or apps is specifically addressed by CPRA. Disclosing data for this purpose counts as "sharing" even when no money changes hands, and consumers have the right to opt out of it just as they can opt out of a sale.
  • Opting Out: Businesses must present a "Do Not Sell or Share My Personal Information" link and a "Limit the Use of My Sensitive Personal Information" link, both easy to find, understand, and act on. Browser-level opt-out preference signals such as Global Privacy Control must also be honored.

Third: How can marketers adapt?

Even broken down, those compliance criteria can be intimidating. Here are a few quick steps you can take to get ready:

  • Find Your Data: Take an inventory of where all your data lives and where it flows. Be thorough; you cannot secure or delete data you don't know you have.
  • Review Your Security: Take a sober look at the locations identified in your inventory. Can you effectively prevent leaks there and quickly access or delete data when required? If not, take the time to bolster your data security.
  • Review Your Vendors: Many of the compliance measures require you to hold your vendors accountable for their use of data. Revisit your contracts and make sure vendors are meeting the compliance standards, not putting you at risk by association.
  • Manage Requests: If customers ask to access, correct, or delete their data, how will you know? Establish a process by which such requests are received, verified, and fulfilled within the statutory deadline (45 days under CPRA, extendable once by a further 45 days where reasonably necessary).
  • Revisit Your Privacy Policy: As requirements change, policy has to adapt to stay relevant. Take another look at your privacy policy and ensure it reflects your compliance provisions so it can protect you when needed.
  • Reconsider Data Collection Strategies: Under the minimization standard among others, it's worth reevaluating what data needs to be collected and how. Collect only business-necessary data, and consider more opt-in oriented approaches: website interactions, newsletter or email subscriptions, or voluntary polls.
  • Consider Getting Outside Help: CPRA compliance is an undertaking, no doubt. If the process seems daunting, consider hiring a consulting service or another solution to help. Getting compliance right pays for itself in avoided fines and preserved reputation.

Need help trying to understand CPRA compliance for your business? Let CyberData Pros help you assess your risk and design secure organizational and compliance measures. Contact us now for a free consultation and to learn more about our services.


Virtual Chief Privacy Officer Services That Make Sense for Your Business

Let's face it: privacy can be a pain for businesses. It can feel like a burden on your company's time and resources, and overwhelming to manage with mountains of government oversight and regulation to navigate. As the digital age moves forward, it has become more and more obvious that these are not growing pains that will simply go away. If you own or manage a small to medium sized business, this has likely more than crossed your mind over recent years as you've grown. You may be asking yourself: "Am I prepared to handle this data?", "What risks am I currently accepting?", "How do I know whether my business is handling compliance properly?"

Enter the Chief Privacy Officer, or CPO. The CPO role is designed to answer all of these questions and to relieve the burden of data privacy and security compliance. That burden includes an ever-growing list of international and domestic privacy regulations such as the GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act), CPRA (California Privacy Rights Act), Canada's proposed CPPA (Consumer Privacy Protection Act), and VCDPA (Virginia Consumer Data Protection Act). A CPO has the expertise to build a privacy program and guide a business through these arduous security and privacy processes, from simpler things such as a privacy policy all the way to the not-so-simple things like international consumer data laws and security compliance for the company's entire network and data infrastructure.

As you might imagine, a role like this is not filled easily or cheaply. CPOs often have decades of experience with paychecks to match, and are in increasingly high demand as digital and international markets grow. So how is a small to medium business expected to acquire one? Can your business support another C-level salary? Another big, expensive office? Supporting staff and equipment? You can see how quickly hiring and onboarding a CPO becomes a struggle in its own right, especially when you're already stretched thin in a period of rapid growth, i.e., exactly when you need one the most. Well, there's a solution for that too.

Modern problems require modern solutions, which is exactly what a vCPO, or virtual Chief Privacy Officer, is meant to be. A vCPO, sometimes called CPO-as-a-Service, offers the experience, knowledge, and expertise in data privacy and security that fast-growing businesses need, without the daunting costs, resource drain, and complexity of building what amounts to a whole new division of the company. A vCPO can deliver everything a traditional CPO can: understanding and implementing international and domestic privacy regulations, company data ethics and practices such as handling PII (Personally Identifiable Information), and incident response planning and documentation. So how does a vCPO do all this and still save money? The answer is scalability. A vCPO engagement can grow, shrink, and adapt to the exact needs and challenges of your business as it stands and as it changes. It brings its own support and resources to you in a neat package, letting you focus on growth and get privacy and security out of the way.

If you have additional questions or need a virtual Chief Privacy Officer, contact CyberData Pros and we can help. Let us put together a plan and keep your business in full compliance.
