
2023 – The Year of Data Privacy Law

It’s a new year. This means new opportunities, new beginnings, and if you’re reading this blog – new events affecting privacy. At 12:01 am this morning the States of California and Virginia had their respective data privacy laws become effective. These laws bestow new rights to the residents of their respective states, and place businesses dealing with said residents under new obligations.

Let’s look at a very high level of what these changes are.

[Image: California flag]

In California, numerous changes affect the law and its related regulations, such as:

  • Expanding the definition of ‘sale of data’
  • New rules around user experience requirements related to consent banners
  • New rules around support for the Global Privacy Control preference signal
  • Contract changes affecting who qualifies as a service provider
  • New rules around “Cross-Context Behavioral Advertising”, which should be of particular concern to businesses using Remarketing in their marketing strategy

Enforcement has moved from the California Attorney General to the new California Privacy Protection Agency, which will handle investigation and enforcement going forward. Notably on the enforcement issue, California no longer must issue a Notice to Cure prior to filing for Trial.

We know California is proactive in enforcement from their recent fines against Sephora and their updated list of enforcement actions. I would expect this trend to continue even with the new agency now taking over these actions.

But aren’t we still missing final regulations?

Yes, yes we are. As the IAPP (International Association of Privacy Professionals) reported on December 19th, final regulations aren’t expected before April, but the existing regulations will be used for enforcement until the new ones are ready.

Covered businesses could (and likely should) proceed with compliance to the latest draft of the regulations, acknowledging the risk that the Office of Administrative Law may reject the proposed final draft, and accepting that the current regulations may be modified further.

Given the complexity of the changes and the expected timeline to operationalize those changes in existing business processes and teams, starting sooner rather than later is recommended. Time is not on your side at this point.

[Image: Virginia flag]

Meanwhile, over in Virginia we have a net new law with its own specifics that differ from California. At a high level, some of the highlights are:

  • Require explicit consent for the collection of sensitive personal information
  • Have an appeal process for denials of Data Subject Access Requests
  • Execute Data Protection Assessments for high-risk activities such as Targeted Advertising
  • Contractual requirements for data processing
  • Data minimization and technical safeguard requirements

Enforcement falls to the Virginia Attorney General, who must allow businesses 30 days to correct the issue upon presenting a Notice to Cure, before enforcement proceeds.

Unlike California, Virginia did not grant the Attorney General rulemaking powers, so the law is enforceable as it stands after the last round of amendments. While it remains to be seen how proactive the AG’s office will be, some of the requirements listed in the law will take considerable time to implement, so waiting for a Notice to Cure before attempting compliance is not recommended. We could see enforcement action proceed to Trial as early as February.

Six Month Warning

The next two State laws are only six months away. Beginning in July, the States of Colorado and Connecticut have privacy laws that will become effective and are different in key respects from the existing laws put into place by California and Virginia. While both laws have cure provisions similar to Virginia’s described above, the requirements for compliance are closer to California’s in complexity than they are to Virginia’s, and it is strongly advised to begin compliance efforts sooner rather than later – as some of the provisions could easily eat months of time – in particular if the business has no experience with data privacy laws in other contexts and needs to build all the required systems and processes from scratch.

Further Reading:
