New state privacy laws will force companies to rethink data collection practices
By Michael Young and Nick Schmidt of Morris, Manning & Martin, LLP
New state privacy laws in California, Virginia, and Colorado are harbingers of things to come in data collection and consumer privacy. Omnibus privacy laws will go into effect in California and Virginia on January 1, 2023, with Colorado following on July 1, 2023. Utah may not be far behind; at the time of this writing, Utah appears poised to enact its own comprehensive privacy law that would take effect on December 31, 2023.
The three laws that have passed so far are largely similar and take some cues from European privacy laws. They each include strong protections and use limitations around sensitive categories of data, including biometric data, as well as new requirements for privacy notices and data subject rights requests. For the first time, companies doing business in these states will have to provide an appeal process to allow consumers to correct their personal information.
Additionally, California, Virginia, and Colorado’s laws will give more power to state privacy regulators. California’s updated law will create the California Privacy Protection Agency, a new regulatory body with full enforcement and rule-making authority — making it arguably the first European-style consumer privacy watchdog agency in the United States.
These three laws going into effect in rapid succession are a signal to businesses across the country to start updating their data collection systems and creating plans to comply with new regulations. The recent laws will almost certainly trigger similar lawmaking in other states (as they already seem to have done in Utah), and any company that does business nationally will come up against new state privacy laws sooner rather than later. Privacy changes are coming, and companies should consider these key areas in the coming months.
Review the client data in your company’s possession
Under the new privacy laws, the use and collection of customers’ sensitive personal information will be subject to more scrutiny. This includes biometric data, demographic information, data used in targeted advertising, and personally identifying information. Even if your company takes great care to protect customer data, your efforts may not meet the new standard created by the coming laws. If your company engages in biometric data collection, it’s possible that you’re holding on to more data than necessary — which could trigger an increased risk of regulatory scrutiny.
It is crucial that businesses start to review their data retention schedules, their data controls, and the personal information in their possession as soon as possible. The less data you have — and the more you restrict processing and disclosure of the data you do have — the easier it likely will be to comply with new laws in 2023.
Update your privacy policies
Under the new laws, privacy policies must include disclosures related to sensitive personal information. Your notices may need to be updated to:
- Reflect new rights given to data subjects, including rights to access, correct, delete, and restrict processing of information.
- Expand disclosures about collecting and sharing information, including information shared with third parties.
- Identify retention periods for data storage.
- Include information regarding the use of de-personalized data.
Don’t expose your company to legal risk by failing to update your privacy policies. Before new laws go into effect, carefully review the language in your privacy notices and update them as needed.
Prepare for expanded data subject rights
Come 2023, citizens of Virginia, California and Colorado will have a variety of new privacy rights, including the right to correct inaccuracies in their personal data and the right to opt out of their personal information being used for targeted advertising. In some cases, businesses will also have to offer an appeal process for consumers to dispute denials of their rights requests.
Most companies do not have an existing data request appeal process robust enough to meet the new standard created by the patchwork of upcoming privacy laws. If your company doesn’t have the infrastructure to respond to data complaints and requests, it’s time to invest in new processes to ensure that you will be in compliance in January 2023. Many companies will need to make changes to their existing practices to ensure compliance and help avoid regulatory enforcement. The sooner you can identify the changes that must be made, the better.
About the authors
Partner Michael Young with Morris, Manning & Martin, LLP is the Chair of the Cybersecurity & Privacy Practice and focuses his practice on data privacy advising. His primary areas of concentration include managing complex technologies and sensitive, confidential, or personal data.
Nicholas Schmidt is an associate with Morris, Manning & Martin, LLP assisting clients in navigating data privacy regulations and cybersecurity incidents in ways that minimize business disruption and maximize data privacy and protection.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are those of the author, and don’t necessarily reflect the views of Biometric Update.