New State Data Privacy Laws in California and Other States

Corporate Counsel Compliance Guidance

Currently, there is no omnibus federal privacy law in effect in the United States–only issue or industry-related laws such as the Gramm-Leach-Bliley Act for financial institutions and COPPA for children online.
Instead, privacy laws consist of a patchwork of various state laws with ever-growing complexity. In 2023, California, Virginia, Colorado, Connecticut, and Utah comprehensive state privacy laws are scheduled to go into effect along with several other states proposing legislation. All five privacy laws define “personal data” and “personal information” broadly and California now covers human resources and business-to-business data subjects in addition to traditional consumers. Virginia, Colorado, Connecticut, and Utah borrow some key terms and definitions from the EU General Data Protection Regulation and others from the California regime. All give residents more control over their personal data, especially regarding third-party disclosures and use for advertising.The California Privacy Rights Act (CPRA) amends and broadens the California Consumer Privacy Act that was passed in 2020.
The CPRA is the only one of the five state privacy laws that creates a private right of action, which is limited to certain data security incidents. it contains increased penalties for violations related to a minor’s data. Also, CPRA creates a new enforcement and rulemaking body, the California Privacy Protection Agency.
Both California and Colorado are actively promulgating regulations that add obligations and limitations beyond what the underlying laws require.Although the other states’ laws have similarities with the CPRA, there are significant differences that every company and its counsel should be aware of in the event they meet pertinent size and revenue thresholds and utilize personal data in those states.
It is critical to have thorough knowledge of which state privacy laws apply, how to comply, and ways to avoid regulatory investigations to minimize costly claims and business disruption.
Strafford and HB Logos

Speakers

Alan Friel
Partner
Squire Patton Boggs

Myriah V. Jaworski
Member, Data Privacy/Cyber Security Group
Clark Hill

CLE Webinar On Demand

This Strafford production has been specially selected for HB audiences.

Topics

  • What are some of the similarities and differences with the new crop of U.S. state privacy laws and between them and data laws in Europe and other nations?
  • What are the benefits of conducting a data protection impact assessment, and when is it required?
  • How to practically prioritize company data privacy compliance efforts to minimize risk?
  • Attendees will receive summary materials and model workstreams

Outline

  1. U.S. state privacy laws and recent developments
    1. New data subject rights and company obligations and limitations
    2. Data minimization and retention limitations
    3. Advertising and cookies
    4. Data disclosures to vendors and others
    5. Security
  2. Effective methods of compliance and data handling
    1. Data inventory and info governance
    2. Gap assessments and remediation plans
    3. Processor and third party management
  3. Workstream and checklist for data privacy risk preparedness