An Enterprise-Wide Data Privacy Solution to the State Privacy Law Problem

Despite predictions to the contrary, 2022 will not be the year a federal data privacy law is enacted. Although the bipartisan proposal for the American Data Privacy and Protection Act (ADPPA) was advanced by the House Committee on Energy and Commerce, it was blocked from moving to the full House over concerns that it would preempt existing and newly enacted state privacy laws offering a higher level of consumer protection and otherwise negate work being done at the state level to address data privacy.

In the absence of a comprehensive federal law, states have taken the lead this year more than ever. Four states (Colorado, Connecticut, Utah and Virginia) passed privacy laws this year, joining California in regulating the data collection practices of businesses and employers in those states.

The California Privacy Protection Agency (CPPA) recently released amended regulations under the California Privacy Rights Act (CPRA), touching on everything from asymmetry in presenting consumer choice through website banners to procedures for enhanced verification in response to data subject requests. The California State Legislature’s failure to extend the HR exemption means that HR files and employee data will be regulated under the CPRA as of January 1, 2023. The Colorado Attorney General has also issued draft regulations under that state’s law.

Because there are discrepancies in state privacy laws, companies may find rolling out a fractured state-by-state compliance program problematic and administratively burdensome. But there is a solution: create a company-wide data privacy program that meets the basic requirements of applicable state privacy laws and allows for minor state-specific modifications if necessary.

Such a compliance program will necessarily include:

  • Data mapping: A fundamental purpose of all state privacy laws is to require companies to understand the types of data they collect, why and for how long they collect it, what consent or permissions they have in place, which third parties the information is shared with, and how they protect the data. Data mapping is intended to help companies refine their data collection practices and is fundamental to a company’s ability to respond to data subject requests.
  • Sensitive Personal Data: Under most state privacy laws, the collection of sensitive personal information now requires express consumer consent, and in California, companies must restrict the processing of sensitive personally identifiable information or provide additional notices and opt-out opportunities. Thus, a data mapping exercise should categorize and locate sensitive personal information according to state law definitions.
  • Employee/HR Data: In California, employee and candidate information is now regulated by the CPRA, which means that employees have the same rights to access, correct, and delete information as consumers. The collection of employee data for surveillance purposes must also be reconsidered under the CPRA and other electronic surveillance laws. Internal data flow mapping for sensitive data and employee/HR data is necessary to comply with the law and with data subject request requirements.
  • Consent Management: All state laws require companies to conduct assessments of the purpose of collecting sensitive information or conducting high-risk processing activities. State privacy laws may require companies to provide notice and obtain consent from users before collecting their personally identifiable information. California regulations specify that consent choices presented via website banners must be symmetric (meaning that the option to opt out is as prominent as the option to accept cookies, and that “dark patterns” – unequal burdens on consumer choice or misleading and hidden information – must be strictly avoided). In addition, privacy policies must disclose the basis of collection, identify the third parties with whom the information is shared, the purpose for sharing the information, retention periods, and instructions on how to submit a data subject request.
  • Global opt-outs: In California and Colorado, businesses must honor consumer opt-out preferences set in browser settings. In these states, and as a good practice elsewhere, these signals must be honored as an opt-out from targeted advertising and from the sale of consumers’ information.
  • Data Subject Rights Procedures: Companies must offer individuals (and in California, employees and job applicants) the right to access, delete, correct, and transfer their personally identifiable information and to opt out of its sale. Companies must not discriminate against consumers for asserting a data subject request, and in some states they must offer consumers the right to appeal any response. State laws require companies to honor requests within 45 days. Businesses need to understand where consumer data, sensitive data, and regulated employee/HR data is stored; be able to access and report on this data; and respond substantively to requests for data.
  • Update and audit service provider contracts: Any commercial transfer of personally identifiable information to a third party should be carefully scrutinized. In some cases, companies must have service provider agreements with provisions limiting secondary sale and use, requiring notification in certain cases, and allowing the company to audit the service provider’s privacy practices.
  • Reasonable Safeguards: A business that collects a consumer’s personal information must implement reasonable security procedures and practices to protect that information from unauthorized use or access. In California, businesses may be required to submit annual cybersecurity audits to the California Privacy Protection Agency.
  • Employee Training: Provide training to employees on compliance with privacy law, as well as training for customer-facing employees on how to handle data subject requests. This training should take place at least once a year. Annual on-the-job training and cybersecurity training are also recommended as part of a company’s reasonable security measures.

The California Attorney General’s Office’s (OAG) $1.2 million settlement with French beauty retailer Sephora is its largest enforcement action to date. At the same time, the California AG disclosed that the subjects of its notices of violation include failure to honor consumer opt-outs, untimely responses, lack of verification, and failure to disclose data subject request procedures in privacy policies.

Companies can expect additional investigations by the California OAG as it continues to respond to consumer complaints and monitor companies’ compliance with the CCPA/CPRA. All other state privacy laws likewise provide for enforcement by the state attorney general, with authority to impose fines and penalties.

Myriah V. Jaworski is an attorney at Clark Hill in San Diego, California. Paul F. Schmeltzer is an attorney at Clark Hill in Los Angeles. © 2022. All rights reserved. Reprinted with permission.