Privacy Considerations for the End of 2022

Jan. 1 is approaching, and with it comes new requirements under the California Consumer Privacy Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA). What should you and your company be focusing on to ensure you are prepared for the looming compliance deadline? This Data Privacy Dish post offers end-of-year considerations for closing out 2022:

1. Update consumer-facing privacy notices - Have you accounted for the new requirements under the VCDPA and CPRA, including discussing retention periods and describing new and updated data subject rights?
2. Update data subject request form and processes - Does your data subject request form or online portal include options for the new data subject rights, such as the right to correct inaccurate information or the right to opt-out of targeted advertising in Virginia? Have you identified profiling activities or processing of sensitive personal information for which you may be required to provide an opt-out right?
3. Confirm your company's position on "sales" and "sharing" - Do you need a "Do Not Sell or Share My Personal Information" link or an "opt-out of targeted advertising link"? Are you alternatively getting opt-in consent for AdTech cookies as part of your strategy for addressing California-specific AdTech related requirements?
4. Validate opt-out protocols and honor Global Privacy Control (GPC) signals - Does your website respond to the GPC signal? Have you informed IT and Marketing that new signals may be under development that may need to be identified and addressed?
5. Address new employee privacy requirements in California - Do you have a privacy notice for California Employees? Do you have processes in place for handling requests from California applicants, employees, former employees, and dependents and spouses, to exercise their rights under the CPRA, including the rights to access, correct, delete, and opt out of "sales" and "sharing"?
6. Finalize updates to contract templates and/or amendments - Have you confirmed contract templates have been updated with the new requirements for "service providers" / "contractors" / "processors"? Have you confirmed contract templates with "third parties" have been updated with new CPRA requirements?
7. Obtain consent for sensitive data - Have you identified processes/applications that collect sensitive data about Virginians for which you may be required to get consent from the individual to process?
8. Document your data protection impact assessments - Have you prepared written data protection impact assessments (DPIAs) to ensure you are appropriately processing personal data for targeted advertising, "selling" personal data, profiling, processing sensitive data, or data for which there is a heightened risk of harm?
9. Review your information security policies and procedures - Have you reviewed your written information security plan to ensure it adequately protects data based on the level of sensitivity and applicable legal requirements?
10. Provide privacy awareness training - Have you informed key stakeholders in the company (e.g., Information Technology, Marketing, Human Resources, Procurement, etc.) of the main compliance obligations under the new state privacy laws?