New U.S. State Privacy Laws: 10 Ways Companies Should Prepare

September.15.2022

Organizations should be mindful of the 2023 effective dates of several new state privacy laws in the U.S. Companies should review the new laws to evaluate their applicability and identify potential enhancements to compliance programs. Upcoming effective dates include:

California Privacy Rights Act (CPRA): January 1, 2023
Virginia Consumer Data Protection Act (VCDPA): January 1, 2023
Colorado Privacy Act (CPA): July 1, 2023
Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA): July 1, 2023
Utah Consumer Privacy Act (UCPA): December 31, 2023

Here are 10 steps companies should consider taking to prepare for the new state privacy laws:

Update data inventories (e.g., identify any sensitive personal information processing and/or the use of profiling, capture all business-to-business data processing to account for the expiration of the California Consumer Privacy Act’s (CCPA) business-to-business exemptions).
Once finalized, use the output of the data inventories to determine the scope and applicability of new state privacy laws.
Leverage updated data inventories to revise privacy notices before January 1, 2023, along with vendor contracts, as needed, to address any new role designations and contracting requirements.
Implement a process to conduct diligence and a risk assessment on vendors with access to sensitive personal information.
Determine if the rights granted to individuals will be based on jurisdictional legal requirements or apply to all individuals, regardless of state of residence.
Develop consent and opt-out mechanisms for revised and new consumer rights (e.g., Profiling, Do Not “Sell,” Do Not “Share,” Do Not Use “Sensitive PI,” Do Not Use “Automated Decision-Making”) and make applicable changes to websites, apps, and related online properties to address these new obligations.
Update internal policies to address the revised and new consumer rights; train staff accordingly.
To the extent deidentified data is used, implement reasonable measures to ensure the information cannot be associated with a consumer (or household), publicly commit to maintain and use the information in deidentified form and do not attempt to reidentify the information, and contractually obligate recipients of deidentified data to comply with these restrictions.
Review the organization’s security posture, identify potential security enhancements and prepare for cybersecurity audit and risk assessment requirements.
Because the CPRA will eliminate the thirty-day cure period originally permitted under the CCPA, implement written policies and procedures, and document ongoing privacy program activities and tracking metrics to be able to demonstrate compliance with state privacy laws and regulations.

If you need help updating your compliance program to address the state privacy laws, contact a member of Orrick’s Cyber, Privacy and Data Innovation Group or see our U.S. State Consumer Privacy Guide. To receive updates on the State Privacy Laws, and other global privacy and cybersecurity developments, please sign up here.

Authors

Shannon Yavorsky Partner, Cyber, Privacy & Data Innovation, Technology Transactions

San Francisco; London

See my bio

D:+1 415 773 5731
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Environmental, Social & Corporate Governance (ESG)
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Shannon Yavorsky Partner

San Francisco; London

She advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, insurance, social media and technology on a range of EU and U.S. federal and state privacy laws. Shannon’s strategic counseling advice includes, but is not limited to:

Advertising and payment card processing self-regulatory frameworks
Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
EU Artificial Intelligence Act
EU e-Privacy Directive
EU General Data Protection Regulation (GDPR)
Fair Credit Reporting Act (FCRA)
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
National Institute of Standards and Technology (NIST) Artificial Intelligence Risk Management Framework
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)

Shannon also helps clients undertake comprehensive privacy, cybersecurity and artificial intelligence risk assessments, evaluates privacy, security and artificial intelligence risks in corporate transactions and drafts and negotiates data-related contracts. She advises clients on cross-border data transfers, data breaches and developing global privacy and artificial intelligence compliance programs.

Heather Egan Partner, Cyber, Privacy & Data Innovation, Global Compliance & Regulatory

Boston

See my bio

D:+1 617 880 1830
E: [email protected]

Practice:

Technology & Innovation Sector
Finance Sector
Energy & Infrastructure Sector
Cyber, Privacy & Data Innovation
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Technology & Innovation
Fintech
Environmental, Social & Corporate Governance (ESG)
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Heather Egan Partner

Boston

Heather partners with clients to reduce the risk of privacy and security incidents. In the event of an incident, she helps companies respond, successfully guiding them through investigation, remediation, notification and any ensuing government inquiries. She provides comprehensive crisis management support and companies rely on her to manage their response to catastrophes, investigations and government probes involving conduct by employees, contractors and third parties.

To help clients navigate complicated global regulatory compliance challenges, she leads comprehensive cybersecurity and privacy assessments worldwide, vets risks in corporate transactions, conducts internal investigations stemming from data incidents, and drafts and negotiates contracts concerning data-related vendors and arrangements. She regularly counsels businesses on how to mitigate risks associated with the collection, use, retention, disclosure, transfer and disposal of personal data. Outside of the U.S., she manages teams of talented counsel around the world to deliver seamless advice for clients that operate across many jurisdictional lines, developing comprehensive privacy and cybersecurity programs that address competing regulatory regimes.

Sulina Gabale Partner, Cyber, Privacy & Data Innovation, Internet of Things

Washington, D.C.

See my bio

D:+1 202 339 8420
E: [email protected]

Practice:

Cyber, Privacy & Data Innovation
Internet of Things
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Sulina Gabale Partner

Washington, D.C.

As innovation pushes the limits of technology, those ideas challenge the boundaries of what is considered “personally identifiable information.” Sulina answers the question - how can we create tomorrow’s technology with yesterday’s privacy and consumer protection laws? Sulina works closely with innovators at all levels of a business – executives, engineers, marketing and product, HR and customer service teams – to gain a true understanding of their goals and the data they’re collecting, using and sharing. She places herself in her client’s shoes as well as in consumers’ mindset to devise creative privacy-by-design solutions, ensuring her client’s business and data innovation strategies withstand multi-national rules, government regulations, industry standards and consumer scrutiny.

With experience in both data privacy and consumer protection, Sulina utilizes a comprehensive approach to counsel clients on a myriad of issues affecting consumers and businesses. She routinely guides companies of all sizes through the existing patchwork of laws, self-regulatory standards and industry practice impacting data privacy and security. She advises clients subject to regulatory investigations and litigation involving a spectrum of federal and state laws, including:

California Online Privacy Protection Act (CalOPPA)
Children’s Online Privacy Protection Act (COPPA)
Family Educational Rights and Privacy Act (FERPA) and related state student data privacy laws
Fair Credit Reporting Act (FCRA)
Gramm-Leach-Bliley Act (GLBA)
Illinois’ Biometric Information Privacy Act (BIPA) and other biometric privacy laws
Section 5 of the Federal Trade Commission Act (FTC Act)
U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)

Sulina advises companies of all sizes on the development and deployment of cutting-edge technologies and services, including ad-tech, AI and machine learning, biometric tools, social media, robotics and IoT devices, marketing and promotions and more. Sulina began her legal career focusing on consumer protection. She continues to counsel clients on marketing and promotional issues, including interest-based ads; sweepstakes and promotions; automatic renewal and subscriptions; advertising substantiation; influencer programs and social media; SMS text messaging and telemarketing (including matters involving the Telemarketing Sales Rule (TSR), the Telephone Consumer Protection Act (TCPA)); and other state and federal consumer protection laws.

Sulina’s practice is industry-agnostic. She has represented clients ranging from start-ups to Fortune 500s, non-profits, academic institutions and city governments across a range of industries from fashion and ecommerce, financial services, retail, food and beverage and technology services. Prior to law school, Sulina worked in the highly interactive fields of journalism, entertainment and digital media. This well-rounded background helps her connect with clients on a personal level, and ensure her advice integrates legal solutions with business practicality.

Before joining Orrick, Sulina was a member of the Privacy & Data Security Group; Entertainment & Media Group; and IP, Information & Innovation Group at Reed Smith, LLP in New York and Washington, D.C.

Kathryn Boyle Managing Associate, Cyber, Privacy & Data Innovation, Strategic Advisory & Government Enforcement (SAGE)

Boston

See my bio

D:+1 617 880 1800
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Kathryn Boyle Managing Associate

Boston

Katy assists clients in their data breach investigations and cybersecurity incident response, including advising clients on data breach notification responsibilities and providing strategic advice on how to manage cybersecurity risks. She advises on enhancing existing privacy and information security policies and procedures, such as online privacy notices.

Her work includes counseling on compliance with the California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR) for day-to-day business operations and the development of new products.

Katy graduated from Boston College Law School. During that time, she externed in the Data Privacy & Security Unit at the Massachusetts Attorney General’s Office where she supported consumer protection enforcement actions. She also interned with The Future of Privacy Forum and in-house with a leading cloud-based software company.

New U.S. State Privacy Laws: 10 Ways Companies Should Prepare

Also of Interest

U.S. State Consumer Privacy Guide

New U.S. State Privacy Laws Zero in on Artificial Intelligence

U.S. Privacy Regulation: What’s Next for Financial Institutions?