FB pixel

New state privacy laws will force companies to rethink data collection practices

New state privacy laws will force companies to rethink data collection practices

By Michael Young and Nick Schmidt of Morris, Manning & Martin, LLP

New state privacy laws in California, Virginia, and Colorado are harbingers of things to come in data collection and consumer privacy. Omnibus privacy laws will go into effect in California and Virginia on January 1, 2023, with Colorado following on July 1, 2023. Utah may not be far behind; at the time of this writing, Utah appears poised to enact its own comprehensive privacy law that would take effect on December 31, 2023.

The three laws that have passed so far are largely similar and take some cues from European privacy laws. They each include strong protections and use limitations around sensitive categories of data, including biometric data, as well as new requirements for privacy notices and data subject rights requests. For the first time, companies doing business in these states will have to provide an appeal process to allow consumers to correct their personal information.

Additionally, California, Virginia, and Colorado’s laws will give more power to state privacy regulators. California’s updated law will create the California Privacy Protection Agency, a new regulatory body with full enforcement and rule-making authority — making it arguably the first European-style consumer privacy watchdog agency in the United States.

With these three laws going into effect in rapid succession, it’s a signal to businesses across the country to start updating their data collection systems and creating plans to comply with new regulations. The recent laws will almost certainly trigger similar lawmaking in other states (as they already seem to have done in Utah), and any company that does business nationally will come up against new state privacy laws sooner than later. Privacy changes are coming, and companies should consider these key areas in the coming months.

Review the client data in your company’s possession

Under the new privacy laws, the use and collection of customers’ sensitive personal information will be subject to more scrutiny. This includes biometric data, demographic information, data used in targeted advertising, and personally identifying information. Even if your company takes great care to protect customer data, your efforts may not meet the new standard created by the coming laws. If your company engages in biometric data collection, it’s possible that you’re holding on to more data than necessary — which could trigger an increased risk of regulatory scrutiny.

It is crucial that businesses start to review their data retention schedules, their data controls, and the personal information in their possession as soon as possible. The less data you have — and the more you restrict processing and disclosure of the data you do have — the easier it likely will be to comply with new laws in 2023.

Update your privacy policies

Under the new laws, privacy policies must include disclosures related to sensitive personal information. Your notices may need to be updated to:

  1. Reflect new rights given to data subjects, including rights to access, correct, delete, and restrict processing of information.
  2. Expand disclosures about collecting and sharing information, including information shared with third parties.
  3. Identify retention periods for data storage.
  4. Include information regarding the use of de-personalized data.

Don’t expose your company to legal risk by failing to update your privacy policies. Before new laws go into effect, carefully review the language in your privacy notices and update them as needed.

Prepare for expanded data subject rights

Come 2023, citizens of Virginia, California and Colorado will have a variety of new privacy rights, including the right to correct inaccuracies in their personal data and the right to opt out of their personal information being used for targeted advertising. In some cases, businesses will also have to offer an appeal process for consumers to dispute denials of their rights’ requests.

Most companies do not have an existing data request appeal process robust enough to meet the new standard created by the patchwork of upcoming privacy laws. If your company doesn’t have the infrastructure to respond to data complaints and requests, it’s time to invest in new processes to ensure that you will be in compliance in January 2023. Many companies will need to make changes to their existing practices to ensure compliance and help avoid regulatory enforcement. The sooner you can identify the changes that must be made, the better.

About the authors

Partner Michael Young with Morris, Manning & Martin, LLP is the Chair of the Cybersecurity & Privacy Practice and focuses his practice on data privacy advising. His primary areas of concentration include managing complex technologies and sensitive, confidential, or personal data.

Nicholas Schmidt is an associate with Morris, Manning & Martin, LLP assisting clients in navigating data privacy regulations and cybersecurity incidents in ways that minimize business disruption and maximize data privacy and protection.

DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.

Article Topics

 |   |   |   |   |   |   |   |   |   | 

Latest Biometrics News


Asian banks deploy biometrics and digital ID for security, additional services

As digital identity gains prominence in a financial industry beset by fraud, nations in Asia are enabling banks to lead…


Mobile ID combats fraud, gives holder control of personal data: USPF report

The U.S. Payments Forum (USPF) has published a new white paper entitled “The Role of Mobile IDs in Payments.” Authored…


Wyoming plots mobile driver’s license launch for 2025

Wyoming is moving towards the issuance of digital ID in the form of an optional mobile driver’s license, but it…


EU publishes rollout schedule for AI Act

The European Union has published the final text of the Artificial Intelligence Act, outlining the most important deadlines for complying…


World Bank identifies priority actions for DPI in Equatorial Guinea

A World Bank team has identified immediate actions which the government of Equatorial Guinea should undertake in ramping up its…


Some sort of ID could be ‘inevitable’ for UK: lawmakers

The UK is still debating national identity documents and digital identities, with lawmakers and experts arguing that the creation of…


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events