Happy Privacy Week! There are a lot of events and seminars to check out this week and one of the most robust is PrivacyOC's three-day marathon of panels and discussions: www.privacyoc.net. CPW team members will be speaking on digital advertising and data management. Check it out.

Another good way to give attention to privacy this week is to conduct a mini-assessment of your own privacy program. Here are five things to consider with an eye toward US privacy laws. We can make similar suggestions more tailored to other territories upon request.

  1. Look back at 2021: Have you done an assessment of your 2021 data practices to address any material changes? If you have not yet implemented a privacy impact assessment (PIA) program, do so this year to make it easier to track changes. California, Colorado and Virginia will require PIAs in 2023 for high risk processing, and those states' new purpose limitations will effectively require them of all processing activities.
  2. Annual Notice Update and Training: Your California privacy notice is supposed to be based on a 12-month look back and updated annually, which for most companies is January 1 of each year. If you are late in doing so, remember the California Attorney General (CalAG) deems the 30-day cure period to start upon the date you knew or should have known you were not in compliance. The CalAG has a robust program of reviewing website privacy notices for inadequacies. An out-of-date notice is low hanging fruit, as are notices that simply fail to include what the final regulations require (e.g., verification details, financial incentive notices (including valuation statements) and non-discrimination statements, categories of recipients by category of personal information, etc.). Other state laws require an accurate privacy policy so check your general notices too. And don't forget training. Every CalAG enforcement action we have defended has included a review by the CalAG of the sufficiency of a company's training program, especially as to areas where program failures have been alleged.
  3. Assess Rights Response Programs: The CalAG has been brining enforcement actions regarding consumer rights response program inadequacies. Common claims include inadequate notice of how to exercise rights, failure to provide all required mechanisms for exercising rights or not including availability of all available rights, customer service representatives that do not know how to process requests, inadequate verification procedures, untimely, inadequate or no responses, failure to properly accommodate agent requests, and overly narrow "do not sell" programs, including regarding cookies and SDKs as explained in the next point. And, if you process a high volume of California consumer personal information, don't forget to publish your 2021 consumer rights response statistics.
  4. Revisit Cookies and GPC: As of last summer when the CalAG published a summary of enforcement actions, they put publishers and tech companies on notice that they consider third and fourth party cookies, and other tracking technologies, operating in connection with online properties to, when the technology is not contractually limited to processing only as the publisher's service provider (i.e., personal information is not used for other purposes such as to build interest-based advertising profiles for use by advertisers) to be a "sale" of personal information by the publisher and thereby require an opt-out by the publisher in the form of the CCPA's "Do Not Sell My Personal Information" procedures. Even where publishers have cookie consent banners and preference centers most do not address opt-out in a manner that reflects what the CalAG has been maintaining in enforcement actions must be said and done. Off-the-shelf tools need to be customized. If you are not already participating in the IAB's limited service provider agreement signal program, consider doings so, and look at the similar internal program requirements of large tech companies. Also, beware that the CalAG takes the position that the global privacy controls implemented by some browsers meet the CCPA regulatory requirements and must be honored, although this is being challenged.
  5. Assess Gaps: If you have not already done a privacy program audit to assess gaps in current compliance and prepare for the new US data subject rights and business / controller obligations coming into effect in 2023, now is a good time to do so. Even companies that are in good shape for the current state of CCPA will have a lot to do over the next eleven months to prepare. Remember that human resources and business-to-business data come into scope for California next year, and California will require published data retention schedules. The new Colorado and Virginia laws differ in material ways from California, and each other. A comparison of existing and new privacy laws is here. We can provide an assessment questionnaire to help you identify gaps and have long and short form workstreams, and can help you develop project plans and budgets, to assist you in being 2023-ready. Time flies so don't delay in getting started.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.