Just In Time: Last Minute Compliance Tips for the CPRA and VCDPA
By: Lewis Brisbois' Data Privacy & Cybersecurity Team
December is a busy time for businesses and individuals alike and the last thing anyone wants is more on their to-do list. However, we encourage organizations to take stock of their privacy program, and to pay particular attention to the new privacy laws that will become effective on January 1, 2023: the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA). Businesses with operations in these states should assess whether the new laws apply to them and, if so, take meaningful steps towards compliance before year’s end.
Below is a quick overview of a few critical steps for businesses to prioritize.
CPRA and VCDPA Applicability
Subject to certain exceptions, the CPRA applies to for-profit businesses conducting business in California that meet one or more of the following threshold requirements:
- Has annual gross revenues in excess of $25 million;
- Annually buys, sells, or shares the personal information of 100,000 or more consumers or households; or
- Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.
Importantly, as of January 1, 2023 the CPRA applies to personal information collected from employees and job applicants as well as from business contacts such as vendors and clients; the CCPA exemptions that previously covered these categories expire on that date.
With certain exceptions, the VCDPA applies to for-profit businesses conducting business in Virginia that meet one or more of the following threshold requirements:
- Controls or processes the personal data of 100,000 or more consumers in a calendar year; or
- Controls or processes the personal data of 25,000 or more consumers and derives over 50% of its gross revenue from the sale of personal data.
What to Do Before January 1, 2023
Businesses that are just starting to focus on compliance with these new laws may not have time to develop and implement a fully compliant data privacy program before January 1. However, they can start to lay a strong foundation for the compliance program. Below are a few suggestions on where to start.
- Develop a compliance roadmap. Businesses should take stock of their program, identify gaps in compliance, and document how they will address those gaps in a plan that names key stakeholders and sets timelines for each compliance activity. The roadmap will be specific to each business and will vary with the data processed and the maturity of the existing privacy program. At a minimum it should document key steps toward compliance, such as (i) data inventories and mapping, (ii) data minimization, (iii) privacy notices and disclosures, (iv) compliance audits, (v) data protection impact assessments, and (vi) internal policies such as information security, record retention, and vendor management policies.
- Update privacy notices. Businesses should first refresh their data inventories so that they understand what information they collect and how it is shared with third parties. That inventory then drives the disclosures about data processing in privacy policies, notices at collection, and notices to employees and job applicants. The notices must also inform consumers of their rights under the applicable law and explain how consumers can exercise those rights.
- Update data subject rights policies and train responsible personnel. Businesses should review and update existing Data Subject Rights Policies (or draft new ones) to address newly granted rights, such as the consumer’s right to correct inaccurate personal information under both the CPRA and the VCDPA and the right to limit the use of sensitive personal information under the CPRA. Businesses should also train employees on how to recognize, verify, and respond to consumer requests under the California and Virginia laws within the required timeframes. The Data Subject Rights Policy should further document how technical and security controls are configured to recognize and act on consumer privacy preferences about how their personal information is processed, including opt-out preferences transmitted automatically by a browser via the Global Privacy Control (GPC) signal.
- Update vendor agreements and develop a template data processing agreement. Both the CPRA and the VCDPA require businesses to have written contracts with the third parties that process personal data on their behalf (service providers and contractors under the CPRA, processors under the VCDPA). These contracts must contain specific provisions that, among other things, limit how the vendor may use the personal data it processes for the business and require it to assist with consumer requests. Businesses should prioritize reviewing and updating existing vendor contracts, and a standard template data processing agreement will make it easier to onboard new vendors consistently going forward.
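As an added illustration, not part of the original post, the following Python shows the technical side of the Global Privacy Control point raised above: how a web back end recognizes the `Sec-GPC: 1` request header that the GPC specification defines, treats it as an opt-out of "sale" and "sharing" for the requesting consumer, and publishes the `/.well-known/gpc.json` document that tells browsers the signal is honored. The `ConsumerRecord` structure, its processing flags and the sample request headers are constructed for the example and are not taken from any real system or from the CPRA regulations themselves.

```python
"""
Recognizing the Global Privacy Control (GPC) browser signal and applying it
as an opt-out of "sale" and "sharing" of personal information.

Constructed example: the request headers, the ConsumerRecord structure and
its processing flags are hypothetical and exist only for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Mapping, Optional

GPC_HEADER = "Sec-GPC"                  # request header name defined by the GPC spec
GPC_WELL_KNOWN_PATH = "/.well-known/gpc.json"


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """Return True when the request carries a valid GPC opt-out signal.

    The GPC spec defines exactly one valid value, "1". HTTP header names are
    case-insensitive, so the lookup is case-insensitive too. An absent header,
    "0" or any other value means no opt-out signal was sent.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER.lower():
            return value.strip() == "1"
    return False


@dataclass
class ConsumerRecord:
    """Hypothetical consumer profile with a flag per processing purpose."""
    consumer_id: str
    processing: Dict[str, bool] = field(
        default_factory=lambda: {
            "sale": True,
            "sharing": True,            # cross-context behavioral advertising
            "service_delivery": True,   # unaffected by an opt-out of sale/sharing
        }
    )
    opt_out_source: Optional[str] = None


def apply_request_signals(record: ConsumerRecord,
                          headers: Mapping[str, str]) -> ConsumerRecord:
    """Honor a GPC signal carried on this request.

    The signal is a one-way ratchet: it can only switch sale and sharing OFF.
    A later request without the header never switches them back on, and
    purposes unrelated to sale/sharing are left untouched.
    """
    if gpc_signal_present(headers):
        record.processing["sale"] = False
        record.processing["sharing"] = False
        record.opt_out_source = "gpc"
    return record


def gpc_support_document(last_update: str) -> dict:
    """JSON body to serve at /.well-known/gpc.json.

    `gpc: true` advertises that the site honors the signal; `lastUpdate` is
    the ISO 8601 date (YYYY-MM-DD) the statement was last changed.
    """
    return {"gpc": True, "lastUpdate": last_update}


if __name__ == "__main__":
    # Constructed request headers: one browser sends GPC, the other does not.
    with_gpc = {"Host": "example.com", "sec-gpc": "1", "User-Agent": "demo"}
    without_gpc = {"Host": "example.com", "User-Agent": "demo"}

    opted_out = apply_request_signals(ConsumerRecord("c-1001"), with_gpc)
    unchanged = apply_request_signals(ConsumerRecord("c-1002"), without_gpc)
    print(opted_out)   # sale/sharing False, opt_out_source "gpc"
    print(unchanged)   # all flags still True
    print(GPC_WELL_KNOWN_PATH, gpc_support_document("2022-12-01"))
```

The check belongs at the edge of the request pipeline, before any tag or pixel that would constitute a sale or share fires, and the resulting opt-out should be recorded against the consumer so that the preference survives beyond the single request that carried the header.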
As January 1, 2023 quickly approaches, businesses still have time to take meaningful steps toward compliance with the CPRA and VCDPA. Our recommendation is to use the remaining time in 2022 wisely to develop a roadmap toward compliance and implement foundational steps that the business can build upon in 2023.
For more information about the CPRA or VCDPA, or for assistance with your privacy compliance program, please contact the author of this post or reach out to our Compliance Advisory Team at PrivacyCompliance@lewisbrisbois.com. You can also subscribe to this blog to receive email alerts when new posts in this series are published.