2021 brought significant changes in the data privacy realm. California, Virginia, Colorado, China, and the European Union passed or amended both omnibus and industry-specific data protection laws last year. Privacy professionals are bracing for this trend to continue in 2022 with enforcement deadlines for these laws quickly approaching. Businesses should budget for compliance efforts during 2022 to account for necessary modifications to business processes, operations, and technological infrastructure. Below are five prominent laws and regulations to look out for in 2022.
The California Privacy Rights Act (CPRA) amends and expands the California Consumer Privacy Act of 2018 (CCPA) to create new and additional privacy rights and obligations. Most of the CPRA’s substantive provisions become operative on January 1, 2023. However, the law provides a look-back period beginning on January 1, 2022—the data collected now will be subject to CPRA compliance. In addition to the CCPA’s requirement that businesses provide consumers with the right to know and the right to delete personal information, the CPRA expands consumer rights to include the right to correct personal information and the right to opt out of not only sales, but also sharing of personal information. “Sharing” is defined as disclosing personal information to third parties for cross-contextual behavioral advertising purposes. The CPRA also mandates specific contractual provisions to govern service providers and requires businesses to flow down data subject requests not only to service providers, but also to contractors and third parties. Assessing security procedures should also be a priority this coming year, as the CPRA explicitly requires businesses to implement reasonable security procedures and practices and requires an annual cybersecurity audit and submission of a risk assessment to the newly created California Privacy Protection Agency (CPPA). Lastly, companies should work to implement practices for employee disclosures and data requests. Many employee-facing obligations were deferred to January 1, 2023, but some requirements will start on January 1, 2022, and others will require a revamping of internal practices that must begin in 2022 to meet the January 1, 2023 compliance deadline.
The Virginia Consumer Data Protection Act (VCDPA) became effective March 2021, with an enforcement date of January 1, 2023. Similar to the CCPA and CPRA, the VCDPA reflects core data privacy principles including privacy disclosures, maintaining reasonable security measures, and flow-down obligations. Additionally, the VCDPA requires businesses to obtain consent in order to process sensitive data and conduct data protection assessments for processing that presents a heightened risk of harm to consumers, including targeted advertising, sale of data, certain profiling activities, and collecting sensitive data.
On July 8, 2021, the Colorado Privacy Act (CPA) became law, with an effective date of July 1, 2023. The CPA applies to individuals and organizations (controllers) that conduct business in Colorado or that produce or deliver commercial products or services intentionally targeted to residents of Colorado. The CPA applies where the controllers either (1) control or process the personal data of at least 100,000 consumers during a calendar year; or (2) control or process the personal data of 25,000 consumers and either derive revenue or receive a discount on the price of goods or services from the sale of personal data. Unlike the California laws, the CPA does not include any revenue thresholds; therefore, a business that does not control, process, or sell personal data may not become subject to the law merely due to its annual revenues. However, also unlike the California laws, the CPA applies to non-profit organizations as well.
Similar to California and Virginia, the CPA confers certain rights on consumers to control their personal data, including the right of access, the right to correct, the right to delete, the right to data portability, and the opportunity to opt out. Additionally, the CPA requires businesses to maintain reasonable administrative, technical, and physical data security practices and to conduct data protection impact assessments. Notably, enforcement of the CPA falls not only to the Colorado Attorney General but also to district attorneys. It is likely that further developments will be issued by the Colorado Attorney General during the coming year.
On November 8, 2021, New York’s Governor signed into law A.430/S.2628, which requires employers with a place of business in New York State (regardless of size) who engage in employee telephone, email, or internet monitoring to provide prior written notice of such monitoring. The required notice must inform employees that their telephone conversations, emails, or internet access or usage may be subject to monitoring by the employer at any and all times, and it must be provided upon hiring and once annually to all employees. Additionally, the notice must comply with specific format requirements and be acknowledged by the employee in writing or electronically. The New York Attorney General will enforce the law, which goes into effect on May 7, 2022. Maximum civil penalties for violations are $500 for a first offense, $1,000 for a second offense, and $3,000 for a third and each subsequent offense.
Though many companies have been, and continue to be, in the full swing of EU General Data Protection Regulation (GDPR) compliance, it is worth mentioning that during the summer of 2021, the European Commission published new Standard Contractual Clauses (SCCs) for transfers of personal data from the EU to third countries, such as the United States. These new SCCs are required for new transfer agreements entered into on or after September 27, 2021. Agreements currently in effect must be replaced with the new SCCs by December 27, 2022, requiring renegotiation of existing contracts that provide for cross-border data transfers with the EU.
China’s Personal Information Protection Law (PIPL) was finalized on August 20, 2021 and took effect on November 1, 2021. PIPL clarifies and enhances existing Chinese data privacy and cyber laws, setting high-level principles that may look similar to the three U.S. state data protection laws and the GDPR, but in practice its interpretation and enforcement are very different. Perhaps most notably, China prescribes significant data localization regulations, requiring certain personal and non-personal data to be kept within China.
With new laws and amendments becoming operational within the next year, or sooner, the time left to comply with the privacy requirements is running short. Businesses should assess the applicability of privacy laws and regulations and initiate a compliance roadmap. Fortunately, many companies have already done the heavy lifting for the CCPA and GDPR. We recommend that companies begin planning ahead with privacy counsel to assess privacy notice compliance and consent mechanisms, complete a data protection impact assessment, and draft or revisit policies and procedures for receiving and responding to consumer requests. The effective dates in 2023 may seem a long way off, but we encourage companies to budget for these action steps and begin planning now. Building toward a compliant platform over the next year or two, particularly as more companies migrate to new systems at a pace accelerated by the effects and opportunities of the COVID pandemic, may be easier than trying to retroactively change processes.
Ice Miller has the professionals and experience to help clients develop privacy programs that comply with the requirements of state, federal, and international privacy laws and regulations. To speak to an attorney, please contact Reena Bajowala, or Tiffany Kim for more information. Reena is a partner in Ice Miller’s Chicago office and practices within the Data Security and Privacy and Information and Software Disputes practices. Tiffany is an associate in the Data Security and Privacy Group.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.