Wiland Blog

The most recent round of state data privacy legislation means that there is work to be done by brands and organizations this year to ensure upcoming compliance with new regulations. We believe that organizations that begin to address these changes now will be able to avoid undue impact on their marketing efforts and will be better positioned to comply with future privacy laws that may emerge.

So, what are the elements of the most recent round of state privacy legislation, and what should brands and organizations be doing now to prepare?

What’s New in State Data Privacy Legislation

The CCPA was a catalyst for updates to the data privacy practices of many U.S. organizations, but CCPA compliance is not sufficient to meet the new state legal requirements that have recently been passed. The CPRA, Virginia Consumer Data Protection Act (VCDPA), and Colorado Privacy Act (CPA), differ from the CCPA in important ways. They apply an incrementally broader set of consumer privacy requirements to a wider group of organizations, adding new demands that will need attention.

By way of review, the four consumer rights under the CCPA are:

1. Consumers’ right to access information about the personal data that organizations collect or sell about them. We refer to this as the Access Right.
2. The right to have certain personal data about them deleted in certain circumstances. We refer to this as the Deletion Right.
3. The right to opt out of the sale of their personal data. We refer to this as the Opt-Out Right.
4. The right not to receive differing treatment based on exercising the foregoing rights unless certain requirements are met.

The new state laws expand on these existing CCPA consumer rights, adding a few additional ones:

1. The Opt-Out Right is expanded to cover sharing of data collected across different sites or applications for targeted online advertising.
2. Consumers are given a new right to correct the data that organizations have about them in certain circumstances. We refer to this as the Correction Right.
3. Consumers gain new rights relative to data labeled as sensitive personal information (SPI) by these new laws. Under the CPRA consumers may opt out of many kinds of processing of SPI, whereas under the Colorado and Virginia laws, organizations must in many cases obtain a consumer’s opt-in consent to process the consumer’s SPI. We refer to these as Sensitive Information Rights.
4. Organizations are required to implement additional internal procedures to evaluate the risk associated with processing consumer personal information in certain circumstances. Sometimes this is known as conducting a Privacy Impact Assessment.

How Brands and Organizations Should Prepare Now

The CPRA and VCDPA go into effect on January 1, 2023, and the CPA goes into effect on July 1, 2023. New laws of this scope can require appreciable changes to existing processes, infrastructure, technologies, and strategies. That means the time to prepare for these new laws is now. Here are some things to consider as first steps:

1. Categorize what data you have and how you use it. Conduct a thorough inventory of what data you have—your own customer or donor data and data you receive from other parties. Beyond legal compliance, this is a critical step in ensuring that data sourcing and use practices are ethically aligned with organizational values and consumer privacy concerns. This is often the first step of conducting a Privacy Impact Assessment, which will likely be required for many organizations under the new laws.
2. Map your data and data use to the legal requirements. Each of these laws has specific definitions of, and exceptions to, what “counts” as personal data, and organizations will be required to provide general public-facing disclosures and to respond to consumers’ specific Opt-Out Right, Deletion Right, Access Right, Correction Right, and Sensitive Information Rights requests. Most existing privacy processes will require enhancement or customization for legal compliance in addition to new workflows for the rights that organizations may not have given consumers before.
3. Convene the right stakeholders, identify key resources, and designate a responsible individual or team. Data use is about more than just compliance. It is about ethics and brand. Input from your marketing teams, executive teams, technologists, and legal and compliance professionals on the best way to assemble a privacy compliance plan is crucial. Designate an individual or team to coordinate these efforts across the organization.
4. Update consumer disclosures. All three of the new state laws require relatively specific disclosures about the types of data that organizations collect and how they use and share it. They also prohibit uses that are not reasonably necessary or compatible with the disclosed purposes. It will be critical to update your consumer disclosures to meet these requirements.
5. Review information security practices. All of these laws require that organizations adopt appropriate security for the personal data they handle. Regulators, especially in California and Colorado, will likely issue further guidance on how to evaluate and meet those obligations. Appropriate data security is a key data ethics practice and typically required for a Privacy Impact Assessment.
6. Work with service providers on privacy-related processes and update contracts with them. Ensure that processes are in place to notify service providers when a consumer has exercised the Access Right, Opt-Out Right, Deletion Right, or Correction Right. Depending on the role played by a service provider and the data the service provider holds for your organization, one or more of these rights may require assistance or action from them. In addition, contracts with service providers should contain relevant instructions and commitments.
7. Work to educate legislators and regulators about the many good uses of data in marketing. Reach out to your legislators and help them understand how your organization is using personal data ethically to promote beneficial engagement with consumers and donors.
8. Don’t wait. Privacy compliance has been quite a journey for many organizations. We have found that it takes significant time and sometimes modification of existing technologies and relationships—or adoption of new ones—to be prepared.

The Wiland Perspective

Following the adoption of the CCPA and associated California Attorney General Regulations, Wiland rolled out robust functionality and workflows in order to comply with the CCPA. At the same time, we have made sure that the foundation we built is focused not merely on minimum compliance with the CCPA, but rather is extensible to a shifting future privacy landscape and in line with principles of good data ethics. For example, although the CCPA only applies to California residents, we allow consumers nationwide the same rights and processes as we apply to California residents. Accordingly, we have a platform on which we can construct additional privacy structures required by the new laws highlighted in this article, while looking to the future as well.

We will continue to monitor this changing legal environment, work with other organizations to positively influence consumer privacy legislation nationwide, and keep our clients apprised of best practices that will help them navigate these challenging waters. Of course, each client must be the final judge of its policies, and each client is solely responsible for its data privacy disclosures and practices. The information contained within this article does not constitute legal advice, and Wiland strongly encourages all organizations to check with their own legal counsel with respect to any legal questions.