Data Privacy - Dates to Watch for in 2022-23
Information privacy is the right of consumers to have some control over how their personal information is collected and used. For businesses, it means the risk of litigation and monetary penalties is high. According to law firm Morrison & Foerster, “Companies will begin in earnest to implement the additional obligations under the California Privacy Rights Act, the Virginia Consumer Data Protection Act, and the Colorado Privacy Act in 2022 to meet the 2023 deadlines for compliance.”
Given growing legislation and litigation, businesses are concerned with proving privacy compliance as a statutory, contractual, and legal requirement. Here are a few critical dates regarding state privacy regulations that may apply to your organization.
JAN 1, 2022
- All data collected as of January 1, 2022, is subject to the California Privacy Rights Act (CPRA)
In the fall of 2020, California voters approved the California Privacy Rights Act (CPRA). CPRA expanded the 2019 California Consumer Privacy Act (CCPA).
Effectively, the CPRA brings the CCPA up to par with GDPR. The California Privacy Protection Agency (CPPA) won’t fully enforce CPRA until July 1, 2023. However, the new obligations from CPRA will apply retrospectively to data collected on or after January 1, 2022.
JAN 24 – 28, 2022
- Data Privacy Week – National Cybersecurity Alliance
The National Cybersecurity Alliance (NCA) promotes Data Privacy Week 2022! This event convenes data privacy experts from industry, government, and academia for discussions on data privacy.
As part of the event, the NCA encourages businesses to be transparent about collecting and using customer data. Publicly communicate clearly and concisely what privacy means to your organization and the steps you take to achieve and maintain privacy.
NCA RECOMMENDATIONS for 2022:
- Conduct a privacy risk assessment
- Adopt a privacy framework
- Educate employees
JUL 1, 2022
- The California Attorney General must adopt final regulations for implementing CPRA by this date.
July 1 is the deadline for the California Attorney General to adopt CPRA final regulations. The regulations will be enforced by the California Privacy Protection Agency beginning July 2023.
NOV 22, 2022
- Colorado general election vote to approve SB 190
SB 190 will not go into effect unless approved by voters during the general election.
JAN 1, 2023
- CPRA goes into full effect
- All remaining provisions of CPRA become operative
- The CCPA Employer-Employee exemption goes away
- Virginia Consumer Data Protection Act (VCDPA) ‘delayed’ effective date
Passed on March 2, 2021, the VCDPA defines PI similarly to California's CPRA. According to experts, the law has somewhat broader exceptions for the uses of data from which consumers cannot opt out.
JUL 1, 2023
- CPRA Civil and administrative enforcement begins
- The CPPA will be empowered to fine transgressors, hold hearings and clarify privacy guidelines.
- Administrative enforcement shall apply to violations occurring on or after this date.
- Presuming NOV voter approval, CO SB 190 goes into effect
Number of State Privacy Bills Introduced 2018 - 2021
In 2022, privacy litigation risk increases, making privacy risk management essential to business resiliency. Companies that already have mature privacy risk programs should have a smooth transition to the new laws coming in 2022-2023. For startups, it is an opportunity to build privacy risk resiliency into your information management system. Begin by conducting a privacy risk-management workshop and assessment.
Why choose Truvantis? World-class competence, expertise, and experience.
Truvantis has the experience to examine privacy policies, protocols and procedures the same way regulators and class action attorneys do. Our experienced and accredited team has the competence and expertise to drive effective privacy management in your organization. We have helped hundreds of organizations address the challenges of conveying complex privacy concepts with clear outward-facing documentation.
The landscape of privacy regulations is vast and continuously evolving. Truvantis can help you select and track which requirements are applicable. We can help build a solid central privacy risk-management program: a single program to support the entire matrix of international, federal, and rapidly changing state laws and regulations.
Truvantis Three Steps to Data Privacy Risk-Management
We help your organization take an organized and prioritized approach to your privacy program.
- Privacy Workshop
  - Understand your privacy goals
  - Define and scope your privacy management system
  - Build executive and departmental stakeholder awareness
- Privacy Risk Assessment
  - Conduct and analyze privacy risk information across policies, people, and processes
  - Formal Privacy Gap Report and Recommendations
- Prioritized Remediation Roadmap
  - We work with your vendors, third-party service providers, and stakeholders from IT, IG, compliance, security, legal, and discovery departments. We do everything for you, from training, risk assessment, data-flow mapping, document preparation, and technology integration to guiding compliance audits.
Ready to move forward? Contact Truvantis for more information and to start your pre-audit consultation.