Get ready for 2023 privacy regulations


The current state of data privacy regulation is complicated. As technology has advanced and digital tools have become more prolific, the need to protect customer data has become more important. Consumers need and expect privacy protection during every transaction, not just for high-security activity like banking, finance or healthcare. Buying groceries, signing up for a subscription streaming service, or using almost any phone app all have the potential to put personal data at risk.


To defend against the risk of identity theft and other cybercrimes, governments around the world and across the U.S. have passed laws to protect private data. These efforts began as a trickle, in response to the initial threat of cybercrime and identity theft, but have now grown into a torrent of requirements that differ from Europe to South America and from California to New York City.




U.S. regulations shift for the future


California implemented one of the first online privacy laws (the California Online Privacy Protection Act of 2003, amended in 2013) that required a privacy policy be posted on commercial websites. Today, the United States has almost 30 states with some form of privacy protection law in place or in draft for debate and passage.


Of the five states with comprehensive policies in place, California, Colorado and Virginia are set to make some important updates in 2023. Businesses located or operating in these states must understand these requirements and how they could impact their business operations moving forward. Here is a quick outline of changes in the privacy laws for these states in 2023:



California Privacy Right Act (CPRA)


The changes apply to for-profit businesses that conduct operations in California and either have gross revenues over $25 million, buy/sell/share personal information of 100,000+ consumers, or derive more than 50% of their revenue from personal information sales. The CPRA also establishes the California Privacy Protection Agency, increases individual and opt-out rights, limits retention of personal data to only that which is necessary, and includes protections for employee and business contact personal data. The changes go into effect January 1, 2023.



Colorado Privacy Act (CPA)


Changes to the CPA apply to organizations that do business in Colorado or target Colorado residents and either process the personal information of 100,000+ residents or process the personal information of more than 25,000 Colorado residents and profit from the sale of personal information. Violations incur a $2,000 fine (up to $500,000 total). This also includes universal opt-out by 2024 and a prohibition of “dark patterns.” New data privacy and security assessments are required for high-risk processing and this requires an assessment of the adequacy of vendors’ privacy/security (including the deletion or return of data at the end of a contract). The CPA changes go into effect July 1, 2023.



Virginia Consumer Data Protection Act (CDPA)


Virginia’s CDPA changes apply to organizations that do business in Virginia or target Virginia residents and either process the personal information of 100,000+ residents or more than 25,000 Virginia residents but derive more than 50% of revenue from personal information sales. Violations include up to a $7,500 fine plus litigation and attorney fees. Data collectors must obtain explicit consent for collecting or using sensitive data or for collecting or using minors’ personal data. The changes also include the assessment of the adequacy of vendors’ privacy and security to include deletion or return of data at the end of a contract. The CDPA changes will go into effect on January 1, 2023.


These regulations will soon go into effect, but there is still time to get prepared.




Getting ready


Data privacy is critical, and regulatory compliance is complex, so organizations really need a comprehensive privacy program to help them manage it all effectively. However, organizations might struggle to keep their programs updated for regulatory changes. In fact, attendees at a recent Grant Thornton webcast about regulatory changes, indicated that regulatory changes pose the biggest obstacle to their privacy programs.


Getting prepared is top of mind for many data professionals, and there are some tactical steps that can help:



Step 1: Build a strong foundation


The first step is always to determine and assess what personal data you have available. Tasks like conducting a data inventory and mapping privacy requirements are great ways to begin building the foundation. Some of the fundamental questions to ask at this beginning stage are:

  • “Who is collecting/managing personal information?”
  • “What personal information is being stored?”
  • “Who sells, receives, transfers or shares personal information?”

“Data inventories serve as the foundation of the information gathering needed to support other activities such as identifying high-risk processes; determining what data sets you collect to inform data subject request practices or even establishing how you will look to implement a data minimization program and where you will prioritize those efforts,” said Grant Thornton Privacy and Data Protection Principal Lindsay Hohler.



Step 2: Enhance privacy operations


Once the requirements are understood, companies need to begin to implement new opt-in/opt-out processes, adapt individual rights request practices, enhance vendor management practices, and implement data minimization/retention programs. All of these require cross functional collaborations across privacy, legal, IT and the business.


Implementing a program to address minimization (purge, obfuscation or anonymization) of inactive records (past the applicable retention period) is a big lift for many organizations. It is important to consider a risk-based approach and sustainability. Implementing data minimization/retention activities is not a one-time project, but an ongoing program. Privacy is unlikely to be the owner of this program but should establish monitoring practices to identify instances of non-compliance.



Step 3: Evaluate privacy risks


In addition to implementing the new requirements, regulators want to see that there are practices in place to continuously assess privacy risks and compliance. It will be important to establish assessment practices to evaluate high-risk processing and document the results of the assessment. CPRA also requires that cybersecurity audits are performed — both at the enterprise level and for the assets collecting personal data.


Companies should also consider what will be provided to regulators upon request, including documentation of risk assessments.



Step 4: Sustain and monitor privacy


Once your program is in place, work to define roles and responsibilities for privacy across all three lines of defense, with privacy as the second line. Also establish a rationalized control framework that is aligned to regulatory requirements and has a defined ownership and accountability structure. “Establishing a program like this will help to provide insight into the operations and can be used to generate guidance that can support specific remediation strategies and ultimately to reduce risks,” Hohler said.




Privacy as a priority


Effective preparation for these new changes can give you peace of mind. You need to know that your business operations meet the applicable data protection requirements, and that your company is in a good position to adapt for future local, state, federal or even international privacy requirements.


Make privacy a priority throughout your organization. It shouldn’t be something that only data specialists in marketing, sales and customer service consider. It should be a mandate from leaders down to the newest employee or vendor. It should be part of your culture.


Because if you take data privacy and protection efforts seriously, you’ll build more trust with your customers, and they will build more business with you.




Our featured risk, compliance and controls insights