November 08, 2022

Privacy Considerations for the End of 2022


Jan. 1 is approaching, and with it come new requirements under the California Consumer Privacy Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA). What should you and your company be focusing on to ensure you are prepared for the looming compliance deadline? This Data Privacy Dish post offers end-of-year considerations for closing out 2022:

  1. Update consumer-facing privacy notices - Have you accounted for the new requirements under the VCDPA and CPRA, including discussing retention periods and describing new and updated data subject rights?
  2. Update data subject request form and processes - Does your data subject request form or online portal include options for the new data subject rights, such as the right to correct inaccurate information or the right to opt out of targeted advertising in Virginia? Have you identified profiling activities or processing of sensitive personal information for which you may be required to provide an opt-out right?
  3. Confirm your company's position on "sales" and "sharing" - Do you need a "Do Not Sell or Share My Personal Information" link or an "opt-out of targeted advertising" link? Are you alternatively getting opt-in consent for AdTech cookies as part of your strategy for addressing California-specific AdTech-related requirements?
  4. Validate opt-out protocols and honor Global Privacy Control (GPC) signals - Does your website respond to the GPC signal? Have you informed IT and Marketing that new signals may be under development that may need to be identified and addressed?
  5. Address new employee privacy requirements in California - Do you have a privacy notice for California Employees? Do you have processes in place for handling requests from California applicants, employees, former employees, and dependents and spouses, to exercise their rights under the CPRA, including the rights to access, correct, delete, and opt out of "sales" and "sharing"?
  6. Finalize updates to contract templates and/or amendments - Have you confirmed contract templates have been updated with the new requirements for "service providers" / "contractors" / "processors"? Have you confirmed contract templates with "third parties" have been updated with new CPRA requirements?
  7. Obtain consent for sensitive data - Have you identified processes/applications that collect sensitive data about Virginians for which you may be required to get consent from the individual to process?
  8. Document your data protection impact assessments - Have you prepared written data protection impact assessments (DPIAs) to ensure you are appropriately processing personal data for targeted advertising, "selling" personal data, profiling, processing sensitive data, or data for which there is a heightened risk of harm?
  9. Review your information security policies and procedures - Have you reviewed your written information security plan to ensure it adequately protects data based on the level of sensitivity and applicable legal requirements?
  10. Provide privacy awareness training - Have you informed key stakeholders in the company (e.g., Information Technology, Marketing, Human Resources, Procurement, etc.) of the main compliance obligations under the new state privacy laws?
