New 2023 Data Security Laws
Compliance with the various states' data security laws is a requirement. While California has long been the leader in addressing individual data security rights, other states are creating laws as well. Below, we highlight the various new laws for 2023, including those from California. Some limitations apply in terms of revenue and the number of individuals whose data you hold. But even if you aren't impacted by these new laws, they represent great policies to protect your firm and your clients.
California Privacy Rights Act (CPRA)
This new law goes into effect on January 1, 2023, but isn't enforceable until July 1, 2023. Even though it is not enforceable until July, you must be actively taking steps to comply before then. It does not replace the current California privacy law, the California Consumer Privacy Act (CCPA), but is in addition to it. The CPRA creates a new category of personal information, Sensitive Personal Information (SPI). As you may imagine, that information includes an individual's social security number, passport number, driver's license, or state identification information.
To be in compliance, companies must provide a notice to individuals for the following items:
- Links to the Privacy policy of the company. Individuals must be given the option to limit the use of their SPI when conducting business.
- The purpose and retention time of using SPI or any other consumer information.
- Whether any information from the consumer will be sold or shared. Key to this is the definition of 'shared'. If integrations are used on the company (or law firm) website, that falls within the definition of 'shared'.
All companies must have a Privacy Policy that makes it easy for individuals to opt in or opt out of any data activities, including emails, etc. Reasonable safety measures must be taken with stored data as well, including spam protections, certifications of data security, etc. All companies must be in compliance with the Children's Online Privacy Protection Act/Rule (COPPA).
Don't read the next bit and say, "whew, that doesn't apply to me," even though it probably doesn't. The fact is that all of these new California requirements are just good business sense, especially for attorneys, who access and use quite a bit of personal data. So you are likely not subject to the laws, but the above is all just good practice for companies of all sizes.
Companies doing business in California for profit are affected by the CPRA. However, those with revenues in excess of $25 million, those who buy, sell, or share the data of 100,000 or more individuals per year, or those who earn over 50% of their revenue from sharing or selling their consumers' data are subject to legal action.
The Virginia Consumer Data Protection Act (VCDPA)
The VCDPA goes into effect January 1, 2023. Businesses are not required to be located in Virginia to be subject to this law, so if you have consumers in Virginia, you want to consider this. The new law requires companies who have clients in Virginia to do the following:
- Consumers must have easy accessibility to correct or delete their information. Requests must be completed within 45 days with no discrimination.
- Provide clear instructions on how to opt out of various processing items, including emails, renewals, etc. Consumers must also have easy access to appeal a business decision.
- Opt-in consent is required prior to processing any sensitive data.
- Tools must be available to easily submit complaints.
- Companies must establish, implement, and maintain good data security processes.
- Regular data protection assessments must be completed by the company.
Companies' privacy policies must include all of the above, specifying what is included in each category of data, which third parties the company works with if any, and the purpose for each. Privacy policies must be easily accessible to consumers.
The same principle applies to Virginia: this is just a good business habit for law firms, whether affected by the VCDPA or not. Companies who do business or have clients in Virginia and process or control personal data for 100,000 consumers or more within any calendar year, or who process or control personal data for 25,000 consumers or more AND generate 50% or more of their annual revenue from the sale of consumers' personal data, are subject to the VCDPA.
The Colorado Privacy Act (CPA)
The new law goes into effect on July 1, 2023. The CPA actively addresses the processing of sensitive and personal data. Consumer rights to opt-in or opt-out of targeted advertising, the sale of personal data, and specific types of profiling are protected under the CPA. The CPA requires those who manage the data for companies to:
- Comply with user opt-outs as quickly as possible
- Give consumers the right to access, delete, or update their personal data
- Minimize data processing
- Provide transparency to consumers
- Respond to consumers' requests within a 45-day window
There is no revenue threshold for the CPA, meaning companies of all sizes are subject to these requirements. In addition, nonprofit organizations are not exempt. If a company does business in Colorado, it is subject to these laws.
Other Upcoming Privacy Laws
- Connecticut: The Connecticut Data Privacy Act (CTDPA) goes into effect July 1, 2023.
- Utah: The Utah Consumer Privacy Act (UCPA) goes into effect December 31, 2023.
We will say it again: none of these likely affect law firms. However, they are all good examples of reliable data privacy policies. Review your Privacy Policy. See if your firm is actively protecting the sensitive data of your clients, including outlining strong retention policies. After all, even if it isn't legally required, it's still good policy, and you may even be ahead of the curve. Your clients will appreciate your efforts.
What policies do you need to address?