Privacy compliance is a daunting task, especially when the legal and tech landscape keeps shifting. 2023 is shaping up to be a critical year for data privacy preparations. Do you have a strategy to ensure your privacy program meets regulatory and technical expectations?
The privacy landscape increases in complexity every day. From new regulations, to expanding systems and datasets, to stakeholders involved in privacy-related decisions: creating a comprehensive privacy program is a significant challenge for every business. Here are the key things to keep an eye on and work through in 2023.
This content is summarized from a recorded webinar led by privacy and legal experts from Kelley Drye and Ketch on Wednesday, January 26th.
California: the moving target you can't ignore
Many of our clients have been hard at work prepping for CCPA, and more recently CPRA regulations. If you do business in the state of California, your data is affected. (Need to learn more about these laws, and the distinctions between CCPA and CPRA? Check out our guide.)
The effective date of CPRA is January 1, 2023. Many are asking when the initial CPRA rules will be published, and we haven't seen an answer on this yet.
The latest California news is the announcement of the creation of the California Privacy Protection Agency (CPPA), a five-member board for state-level compliance in California. They have not yet officially taken over rule-making authority, but their timeline for events is ambitious. Where the board will go remains to be seen, but keep an eye on the CCPA website for the latest updates.
While we wait to see what new information comes out, there are a few key things you can do in the meantime to shore up your enterprise outlook:
- Sign up for the CPPA press release schedule. Releases typically come out on Fridays, and this is a great way to stay in the loop on the latest California updates.
- Is your data discovery process automated or manual? If you're still using spreadsheets, email, and surveys for data discovery and mapping—start thinking about a transition to a more dynamic, always-on tool.
- Is your data discovery tool connected to your privacy software? We're seeing data discovery as essential to driving efficiency when setting up compliance with new laws.
Notable updates from additional U.S. states
- Colorado has passed a privacy law, with an effective date of July 2023. We're watching to see the substantive areas where the CO Attorney General, Philip J. Weiser, will focus. We're especially interested in what they plan to mandate regarding universal opt-outs, which has been indicated as an area of interest so far. General Weiser does seem to have a sophisticated understanding of privacy and the associated technical complexity, and we're excited to watch how Colorado's legislation progresses as a principled example for other U.S. states.
- Virginia is a state in transition, with a recent leadership change that includes a new Attorney General.
- What else? We're hearing an additional 5-6 states may pass legislation, but nothing concrete enough to focus on just yet. The important thing to accept is that more legislation is coming, and it's critical to build a privacy program that can flex and scale to accommodate more rulings. This is why data mapping and hygiene are so important.
- Federal rule-making at the FTC is going to take a very long time. There are a number of steps that can't be bypassed, such as notice to Congress, and if the FTC attempted to short-circuit any steps, it would put the process at risk.
- How should you manage FTC-related risks? Stay focused on fundamentals. Key among them is keeping your arms around your privacy representations. Are you keeping your privacy promises? And make sure you're keeping an eye on specific sectors that apply to you, like telemarketing or children's privacy (COPPA).
Getting to work: how to get started in 2023
Privacy leaders must become champions and allies for privacy across the business. From alignment with your CISO or security leader, to collaboration on how privacy impacts the brand and marketing strategy, privacy is pervasive. It's gone from an internal compliance requirement to a board-level discussion for most organizations.