Here’s an update on recent state data privacy law developments. Currently California and Nevada have privacy laws in effect, and the California law is set for a significant update effective as of January 1, 2023 as a result of the California Privacy Rights Act (CPRA) amendment to the CCPA. This amendment expands the compliance obligations of businesses collecting personal information of California residents, with an additional focus on the collection of “sensitive” personal information such as race, ethnicity, genetic data, precise geolocation, social security number, driver’s license number, passport number, account information in combination with access information, and sexual orientation. While the CCPA has threshold requirements such as revenue or number of California residents whose data is processed annually in order for the law to apply, the Nevada law applies to owners and operators of Internet websites and/or online services that collect and maintain certain covered information from consumers who reside in Nevada and use or visit the Internet website or online service, provided that one or more specified jurisdictional requirements are met.
In addition to California, Virginia’s consumer privacy law takes effect on Jan. 1, 2023, Colorado’s and Connecticut’s privacy laws take effect on July 1, 2023, and Utah’s law takes effect on Dec. 31, 2023.
There are new laws in effect addressing use of biometric personal data. Many lawsuits have been brought under the Illinois Biometric Privacy Act, for example. Also, various provisions of the laws address tracking and geolocation – implicating not just analytics and AdTech usage via cookies and other technologies, but also smartphones and wearable devices (which also may collect biometric data).
The best way to achieve compliance is with a point person and a cross-functional team from both IT and compliance. The various departments in the organization must work together to achieve data mapping and compliance.
A recent survey of key decision makers in nearly 200 companies indicated that compliance preparation efforts were on the low side, especially in the data mapping and risk assessment areas, and pointed to a lack of an appointed key data privacy compliance leader.
This would be an ideal time for a health check on the status of your organization’s data privacy and security compliance efforts.