
Winter is Coming: 10 Steps Organizations Should Be Taking Now to Meet Their Obligations Under Expansive New Privacy Laws

By Laura Clark Fey and Maddie Level

Originally published in DRI’s For the Defense, October 2022, pg. 16–20.

Five new comprehensive state data privacy laws are scheduled to take effect in 2023: the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Virginia Consumer Data Protection Act (VCDPA), and Utah Consumer Privacy Act (UCPA). With enforcement of these laws approaching, organizations need to act now. Here are 10 steps organizations should be taking to prepare.

Step 1: Analyze Applicability Thresholds

Each of the five laws has different applicability thresholds based on factors such as:

  • Number of consumers whose data is processed annually
  • Revenue derived from the sale of personal data
  • Percentage of gross revenue from data sales

Determine which laws apply to your organization before investing resources in compliance. An organization with no California consumers, for example, does not need to comply with the CPRA.

Step 2: Assess Compliance Readiness

Conduct a comprehensive compliance assessment through structured interviews with subject matter experts across your organization, including IT, HR, marketing, legal, compliance, and finance. The assessment should identify:

  • What personal data is collected, used, disclosed, and retained
  • How data flows through the organization
  • Current gaps between existing practices and new legal requirements

Step 3: Prepare and Update Data Maps

Your data map should document all personal data your organization controls or processes, including:

  • Data collected for targeted advertising and analytics
  • Sensitive data flows (which require heightened protections under all five laws)
  • Cross-border data transfers
  • Third-party data processors and their data access

A current, accurate data map is the foundation of effective privacy compliance.

Step 4: Update Privacy Notices

Review and update all consumer-facing privacy notices, including:

  • Website privacy notices
  • Mobile app privacy notices
  • Employee and job applicant notices (particularly important given CPRA changes)
  • Business-to-business notices

Notices must be accurate, written in plain language, and include all disclosures required by each applicable law. California’s CPRA brought significant changes to notice requirements, including required disclosures about automated decision-making and data retention practices.

Step 5: Implement Consumer Opt-Out Mechanisms

Implement the “Do Not Sell or Share My Personal Information” opt-out link required by CPRA and other state laws. Also address:

  • Global Privacy Control (GPC) signal recognition: California law requires honoring GPC signals
  • Opt-in consent mechanisms for sensitive data processing
  • Opt-out mechanisms for targeted advertising, profiling, and data sales as required by each applicable law

Step 6: Develop Data Subject Request Procedures

Establish or update procedures for receiving, authenticating, and responding to consumer data subject requests, including:

  • Rights to access, delete, correct, and obtain a portable copy of personal data
  • Rights to opt out of targeted advertising, data sales, and profiling
  • Verification procedures that balance privacy and security without creating unnecessary barriers
  • Response timelines (generally 45 days, with extensions available)
  • Appeals processes as required

Step 7: Update Third-Party Contracts

Review and update contracts with all third-party service providers that process personal data on your behalf. Data processing agreements must include the provisions required by each applicable law. Particular attention should be paid to:

  • Advertising technology vendors (cookies, pixels, SDKs)
  • Analytics platforms
  • Cloud service providers
  • HR technology and payroll processors

Step 8: Develop Data Processing Agreement Templates and Cybersecurity Audit Procedures

Organizations subject to CPRA must conduct regular cybersecurity audits. Prepare:

  • Standardized data processing agreement (DPA) templates for use with vendors
  • A cybersecurity audit schedule and methodology
  • Risk assessment procedures for new vendor relationships

Step 9: Implement Information Governance

An effective privacy compliance program requires underlying information governance:

  • Develop or update records retention schedules covering all data types
  • Conduct legacy data review and disposition (disposing of data you no longer need reduces risk)
  • Implement employee training on retention and disposal obligations
  • Ensure litigation holds can be implemented efficiently without over-preserving data

Step 10: Assess and Improve Information Security

All five laws require controllers to implement reasonable security practices. Evaluate your information security program against recognized frameworks such as:

  • CIS Controls: 18 critical security controls aligned to common threats
  • NIST Cybersecurity Framework (CSF): Risk-based approach endorsed by the FTC

Addressing security gaps before an incident occurs is significantly less costly than responding to a breach. The FTC has confirmed it uses NIST CSF as a benchmark for evaluating the reasonableness of security measures.

Looking Ahead: Federal Legislation

The bipartisan American Data Privacy and Protection Act (ADPPA) represents the most serious federal privacy legislation proposal to date. While its passage remains uncertain, organizations that build robust multi-state compliance programs will be well-positioned if a federal law is enacted.

The expanding patchwork of state privacy laws makes now the right time to invest in a privacy program that is not only compliant with today’s requirements, but scalable to meet tomorrow’s challenges. Fey LLC is available to assist organizations at any stage of this process.
