2023 is around the corner. As a refresher, on January 1, 2023, two new comprehensive privacy laws – the California Privacy Rights Act (“CPRA”) and the Virginia Consumer Data Protection Act (“VCDPA”) – take effect. Although businesses should be well on their way to compliance, we have compiled some last minute tips in this alert for your consideration before the year’s end.
- Update Your Privacy Policy. Businesses should review and update their privacy policies to address new disclosure obligations. For example, CPRA requires disclosures regarding sales and shares of personal information, and details regarding the new right for consumers to correct their personal information. Virginia requires disclosures around the process for submitting data subject requests (including an explanation of the controller’s appeal process) and the contact details for the Virginia Attorney General.
- Address Data Subject Requests. In connection with addressing new disclosure requirements, businesses should ensure they have tools to address new data subject rights. As mentioned above, California has added new rights to correct and opt-out of the sharing of personal information (the California Consumer Privacy Act (“CCPA”), which the CPRA replaces, already included the rights to know, access, delete, and opt-out of the sale of personal information). Virginia now grants its data subjects the rights to: (a) access, correct, and delete their personal data; and (b) opt-out of the processing of personal data for sales, targeted advertising, and certain types of profiling.
- Respond to Preference Signals. Businesses should implement measures to honor Do Not Sell or Share opt-out preference signals, particularly relating to Global Privacy Control (“GPC”). In August, the California AG brought the first public action under CCPA (which we blogged about) against a business for alleged failure to process Do Not Sell requests via GPC. Characterizing GPC as a “game changer,” Attorney General Bonta has left little doubt that GPC compliance is now a requirement under California law.
- Conduct Data Protection Impact Assessments. Business should have a form ready and begin conducting data protection impact assessments as required by Virginia. Taking a page from GDPR, starting in January, Virginia will require controllers to assess their data practices involving certain processing operations. For example, a controller must conduct a data protection impact assessment where personal data is processed for targeted advertising or an activity that creates a “heightened risk of harm” to data subjects.
- Revise Contracts. Businesses should review and update their contracts (including data processing addendums) to ensure they contain language required by CPRA and VCDPA. For purposes of Virginia, a data processing addendum that complies with GDPR may be sufficient, as long as it incorporates personal data subject to Virginia. However, CPRA requires very specific language that differs from both CCPA and Virginia, and likely involves more comprehensive revisions.
- Evaluate Sensitive Personal Information. Businesses should evaluate whether they process any sensitive personal information, which is a new category of data under California and Virginia law. Sensitive personal information includes Social Security Number, precise geolocation, health data, genetic data, and more. Both laws require specific disclosures around sensitive personal information. In addition, under Virginia, processing of sensitive personal data is opt-in, while under California, processing of sensitive personal information is opt-out under certain circumstances.