2023 is shaping up to be a landmark year for data privacy, as comprehensive consumer privacy laws take effect in four states and a fifth state expands its already robust privacy compliance requirements. As part of Womble Bond Dickinson’s Growing Global thought leadership series, a panel of privacy, technology and data security attorneys discussed these upcoming changes and the regulatory compliance steps companies need to take. This article is taken from that conversation. The speakers were:
Since taking effect in 2020, businesses have wrestled with the California Consumer Privacy Act (CCPA), a sweeping omnibus privacy and data protection regulatory scheme that goes well beyond U.S. federal requirements. Any company wanting to do business in the world’s fourth-largest economy has to comply with California’s strict consumer privacy protections.
Four other states—Virginia, Colorado, Utah and Connecticut—have enacted similar state privacy laws, and California is expanding the scope of its privacy protections with the California Privacy Rights Act (CPRA). All of these new measures take effect in 2023, and companies need to take action now in response.
In 2022, Womble Bond Dickinson’s Privacy and Data Security Team polled corporate leaders for the WBD State of U.S. Data Privacy Law Survey. “We were trying to see how prepared C-suite executives were for the privacy changes coming in 2023,” Cho said.
Their answers show that while companies realize the significance of these changes, plenty of work remains to be done:
- 59 percent say their organizations are well prepared to meet new consumer privacy guidelines;
- 89 percent have increased budgets to comply with new U.S. state privacy laws; however,
- Less than 50 percent have completed key compliance steps, including updating policies and conducting data assessments and data mapping.
The Expanded Scope of the CPRA
So what makes these five new state laws different from privacy compliance in the rest of the country? Cho said a common thread of these laws is “giving consumers power as to how they are tracked online.” California’s expanded law (under the CPRA) also impacts how companies can track and store both employee and B2B data.
Cordell said, “All of these five new state laws use the word ‘Consumer,’ and I think we all initially thought it meant an individual customer. But on January 1, the law in California began to apply to employees, job applicants, former employees, beneficiaries of company benefits policies and independent contractors, as well as B2B contacts, all for the first time. That’s a formidable scope to expand privacy rights to.”
At least for now, the four other states with omnibus consumer privacy laws take a narrower approach to defining “Consumer.”
Cho said one key question for companies with multiple locations is whether they should treat California employees differently from employees in other states. Cordell said the answer will have business, as well as legal, considerations. For example, will employee morale be affected if workers in some states have fewer privacy rights than their California colleagues?
“There are so many challenges with this law. The CCPA started as a ballot initiative and anyone who reads the law understands it was written with customers in mind, not employees,” he said. “When you take a consumer protection law and try to make it fit employees, it’s like trying to hammer a square peg into a round hole. We don’t have all the ambiguities straightened out yet.”
Cordell said there are many exemptions in the CPRA and figuring out when to use those exemptions is crucial.
“You also have to know where those employee records are housed,” Cho said.
Sensitive Data, Geolocation Tracking and Biometric Info
“Each of these state laws includes something we have not previously seen in this country, which is a special set of extra protections for sensitive data,” Claypoole said.
Up until now, all data protections in the U.S. applied to personally identifiable data generally. But taking a cue from Europe, lawmakers are adding heightened protections for a different type of data, such as information pertaining to race, religion, sexual orientation and other sensitive characteristics. This presents a particular challenge for employers, who may be required to collect some of this data for legal purposes, such as EEOC compliance, he said.
“Several of these states also classified as sensitive data geolocation information—where you are on a map at a given time,” he said. This is particularly relevant to cell phone usage, where geolocation capture is common.
“All of a sudden, we have several states putting their hand up and saying, ‘Stop. You can’t do this anymore,’” he said. Companies that take any information from mobile device usage need to be extremely careful to ensure they comply with these new state privacy laws. More than 70 percent of companies responding to the WBD Privacy Survey said they are “very concerned” or “moderately concerned” about new geolocation privacy requirements.
Cordell said that such privacy concerns are likely to apply when companies use GPS to track employees driving company vehicles.
Biometric technology use is yet another emerging area of focus for privacy compliance. Some states consider it a “sensitive data” category. This category includes a wide range of technology and data collection, including fingerprints, facial recognition, voice recognition, retina scans and other physical information used to verify a person’s identity. Nearly 80 percent of companies responding to the WBD Privacy Survey said they either currently use biometric information or are planning to do so.
Other states, including Texas, Washington and Illinois, have privacy laws that pertain only to biometric data collection. For example, a group of truck drivers successfully sued over a Chicago trainyard’s security requirement that drivers submit to a fingerprint scan to enter.
Best Practices for Global Compliance
Cordell said companies that take a patchwork approach to compliance—attempting to comply with individual state laws, with different sets of rules for employees depending on their office location—are “dying a death of a thousand cuts.”
He believes that multi-state and global businesses instead need to take a more strategic “big picture” approach to finding privacy solutions that will serve all locations. By taking this approach, if a new state law takes effect, it is not nearly as disruptive to the company’s operations.
“You have to look at your organization and think of where the highest areas of risk are,” Cordell said. For example, consumer-facing companies probably should prioritize protecting customer data over employee data.
“If you don’t have a link on your website that says, ‘Do Not Sell My Personal Information,’ you are almost asking for an inquiry from the California Attorney General,” he said. Companies should avoid the temptation of dealing with the low-hanging fruit first, and instead concentrate their efforts on the areas of highest risk.
“The priorities that need significant effort should be started as quickly as possible,” Claypoole said. He recommends creating a list of the workstreams involved in implementing a solution and which employees need to be involved. This may include working with service providers, contractors and vendors, as well as employees.
Cho noted that, “Very few people have the luxury of having a team dedicated to full-time responsibility for privacy compliance.” Company leaders need to make sure they give team members the time needed to tackle these critical privacy priorities.
Compliance also needs to be a team effort, she said. Approximately 80 percent of the companies responding to the WBD Privacy Survey say they have charged their IT department with privacy compliance. “Someone with skills in project management needs to be involved in coordinating compliance, since IT, HR, legal and other departments are all involved,” Cho said.
Cordell said that technological solutions, as well as sound policy decisions, should be part of the company’s compliance toolkit.
Other suggested best practices for compliance include:
- Designating an internal project manager or owner;
- Conducting data mapping and understanding data practices across the organization;
- Developing platforms and systems to process and respond to data privacy rights requests;
- Engaging outside legal counsel to advise on compliance, particularly related to the 2023 changes;
- Updating company privacy policies;
- Planning and conducting data assessments;
- Setting metrics and specific goals to track compliance progress;
- Drafting or updating agreements with third parties to comply with new privacy requirements; and
- Conducting a comparison of state privacy law frameworks.
“You need to start tackling tasks one at a time, rather than waiting for the final regulations,” Cho said. This is particularly true if companies haven’t yet begun working on compliance measures. Virginia’s new law became effective Jan. 1, 2023, with Connecticut, Colorado and the CPRA taking effect July 1, 2023, and Utah coming online Dec. 31, 2023.
“Ultimately, this is doable,” Claypoole said. “You don’t need to be perfect, but you do need to make the effort.”
This article is part of Womble Bond Dickinson’s Growing Global series.