?Despite predictions otherwise, 2022 will not be the year that a federal data privacy law is enacted. While the bipartisan American Data Privacy Protection Act (ADPPA) proposal made it to the House Committee on Energy and Commerce, it was blocked from moving to the full House over concerns that the law would preempt existing and newly enacted state privacy laws with higher level of consumer protections, and otherwise negate work done at the state level to address data privacy.
With the absence of a comprehensive federal law, states have taken the lead this year more than ever. Four states (Colorado, Connecticut, Utah and Virginia) passed state privacy laws this year, joining California in regulating the data collection practices of businesses and employers in-state.
The California Privacy Protection Agency (CPPA) recently issued modified regulations under the California Privacy Rights Act (CPRA), touching on everything from asymmetry in the presentation of choice to consumers via website banners to heightened verification procedures in response to data subject requests. Inaction by the California state legislature to extend a human resources exemption means that HR files and employee data will be now regulated under the CPRA as of Jan. 1, 2023. Colorado’s Attorney General also has issued draft regulations under that state’s law.
Because variances between the state privacy laws exist, businesses may view the roll out of a fractured state-by-state compliance program as administratively problematic and burdensome. But a solution exists: build out an enterprise-wide data privacy program that accommodates the foundational requirements of the enacted state privacy laws and allows for minor state-specific modifications as necessary.
Such a compliance program will necessarily include:
- Data-Mapping: One of the fundamental purposes of all state privacy laws is to require businesses to understand the types of data they are collecting, why and for how long they are collecting that data, what consent or authorizations they have in place, what third parties the information is shared with, and how the businesses are protecting the data. Data mapping is intended to assist businesses in refining their data-collection practices and is fundamental to a business’s ability to respond to data subject requests.
- Sensitive Personal Data: Under most state privacy laws, the collection of sensitive personal information now requires express consumer consent, and in California, businesses must restrict processing of sensitive personally identifiable information or provide additional notices and opportunities to opt-out. Thus, a data-mapping exercise should categorize and locate sensitive personal information pursuant to state law definitions.
- Employee/HR Data: In California, employee and job applicant information is now regulated by the CPRA, meaning employees share the same rights to access, correct, and delete information as consumers. The collection of employee data for monitoring purposes should also be reexamined under the CPRA and other state electronic monitoring laws Mapping internal data flows for sensitive data and employee/HR data is necessary to achieve compliance with the law and requirements for data subject requests.
- Consent Management: All state laws require businesses to conduct assessments to evaluate the purpose for collecting sensitive information or for conducting high-risk processing activities. State privacy laws may require that businesses provide notice and obtain consent from users prior to collecting their personally identifiable information. California regulations specify that consent practices disclosed through website banners should be asymmetrical (meaning the offer to reject is as prominent as the offer to accept cookies, and “grey patterns” – the unequal burdens on consumer choice or deceptive and hidden information – be strictly avoided). Additionally, privacy policies must disclose the basis for collection, identify third parties with whom information is shared, the purpose of sharing information, retention periods and instructions on how to submit a data subject request.
- Global Opt-Outs: In California and Colorado, businesses must honor consumer cookie preferences set through browser settings. In these states, and as a best practice elsewhere, these settings should be honored as an opt-out of targeted advertising and the sale of consumer information.
- Data Subject Rights Procedures: Businesses must offer individuals (and in California, employees and job applicants) the right to access, delete, correct, port, and opt-out of the sale of their personally identifiable information. Businesses must not discriminate against consumers for asserting a data subject request, and in some states, they must offer consumers the right to appeal any response. State laws require businesses to honor requests within 45 days. Businesses must understand where consumer data, sensitive data, and regulated employee/HR data is stored; be able to access and account for that data; and respond substantively to requests for the data. State privacy laws provide rights of appeal to consumers in certain instances.
- Update and Audit Service Provider Contracts: A business transfer of personally identifiable information to a third party should be closely examined. In certain instances, employers must have service provider agreements with provisions limiting sale and secondary use, requiring notification in certain instances, and allowing the business to audit the service providers’ privacy practices.
- Reasonable Security Measures: A business that collects a consumer’s personal information must implement reasonable security procedures and practices to protect the personal information from unauthorized use or access. In California, businesses may be required to submit annual cybersecurity audits to the California Privacy Protection Agency.
- Employee Trainings: Provide employee trainings on privacy law compliance, as well as trainings for customer-facing employees on how to facilitate processing of data subject requests. This training should occur no less than annually. Annual table-top trainings and cybersecurity trainings are also recommended as part of a businesses’ reasonable security measures.
The California Office of the Attorney General (OAG)’s $1.2 million settlement with Sephora, the French beauty products retailer, is their most significant enforcement action to date. At the same time, the California AG disclosed the topics of its notices of violations to include not honoring consumer opt-outs, untimely responses, lack of verification, and failure to disclose data service request procedures in privacy policies.
Companies can anticipate additional investigations by the California OAG as it continues to respond to consumer complaints and monitor business compliance with the CCPA/CPRA. All other state laws also allow for state Attorney General enforcement, with fine and penalty authorizations.
Myriah V. Jaworski is an attorney with Clark Hill in San Diego, Calif. Paul F. Schmeltzer is an attorney with Clark Hill in Los Angeles. © 2022. All rights reserved. Reprinted with permission.