While most of the country is just now breaking out of lockdown, state legislatures from coast to coast have been busy over the past 14+ months hammering out privacy laws. Here in the U.S., the CCPA has gained the lion’s share of industry and press attention, but since January 1st, 2020, other states have entered the data privacy arena. This quick overview provides a rundown of privacy legislation passed since CCPA first took effect, insight on other bills likely to go into effect, and some ideas on how to prepare.
The California Privacy Rights Act is an initiative passed by popular vote to update the CCPA. Like CCPA, CPRA will be the baseline that most marketers will use to guide their consumer notice and choice efforts. The CPRA, which goes into effect on Jan. 1, 2023, clarifies, and in some senses broadens, the existing standards, while also removing the 30-day window to correct errors without penalty.
The threshold for determining whether a business is covered under the act has been slightly raised. Data collection, use, retention, and sharing of personal information will be limited to what is “reasonably necessary” to achieve the specified purposes. Consumers will also have more rights to opt out of retargeting, the use of sensitive PII, automated decision-making or artificial intelligence, as well as the right to correct. Additionally, a new state level organization will be formed to oversee enforcement (funded partially by the fines collected), replacing the state Attorney General’s office.
Similarly, Virginia’s new privacy law Consumer Data Protection Act (CDPA), will go into effect on Jan. 1, 2023. Key differences from CPRA are that consumers will have specific rights based on the type of data about them, and marketers will be required to gain consumer opt-in for sensitive data. In June, Colorado became the third state to pass a broad privacy law, the Colorado Privacy Act. If signed by the Governor, which is expected, in would phase into effect between 2023 and 2025.
Although many states have proposed new privacy regulations that seem likely to pass, including Nevada, Maine, and Vermont, they are all fairly limited in scope. On the other hand, proposals from states such as New York, Connecticut, and Maryland have the potential to increase requirements over and above California’s requirements. Florida is also in the privacy mix, although a recent proposal was narrowly defeated.
Progress is also being made federally, with several bills proposed on Capitol Hill last year and one so far this year. Proposals came from both sides of the aisle with striking resemblances in key features, an indication of strong bipartisan support on the topic.
Proposed federal bills appear to have consensus on protections for PII, sensitive data, anti-discrimination and data minimization. Where they begin to differentiate is around federal pre-emption of state laws (which would simplify things for the entire data ecosystem), private right of action in contrast to FTC or state-based regulatory action, and definitions of sensitive data, and what you can do with it.
One of the easiest ways to stay acquainted with the latest regulatory changes is by signing up for content from sources like legal newsletters from law firms specializing in privacy services, trade organizations like ANA or IAB, and active participants like Alliant. Each of these can provide different points of view and help your teams avoid surprises.
No federal law or new state law is likely to usurp the primacy of CCPA or CPRA before they become effective in 2023. On the tactical front, brands should consider applying rights evenly across all U.S residents as prescribed by California and Virginia. The rules are sufficiently similar that steps can be taken to try to comply with both. Marketing teams should begin planning their approaches to new regulations, enhancing existing CCPA programs. Some initial steps can include creating a data map for sensitive data (like listing all common and unique “sensitive” PII), re-evaluating automated workflows, inferences and non-exempted data. Furthermore, plan compliance strategy for managing right to correct, data privacy audits, data minimization, and exceptions. Finally, monitor new developments and start triangulating what nuances each may present.
As brands evolve policies and procedures to adhere with legislation, or to integrate new identity solutions or cohort technology, your central focus should be clear and transparent communication with customers. Notice and choice are the foundation for effectively respecting privacy of consumers, managing customer relationships and collaborating with partners.
If you are responsible for, or a user of, data within your organization, start thinking about what permissions and disclosures you want to have in place well before 2023. This will limit missed opportunities and allow for new and exciting partnership opportunities.
The future will certainly look a bit different, but with the right strategies in place, brands will be able to fuel growth with effective data.