Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

U.S. Regulators Lift the Curtain on Data Practices with Assessment, Reporting and Audit Requirements

By Alan Friel, David Manek, Sasha Kiosse, David Farber and Colleen M. Yushchak
March 01, 2024

California enacted the California Consumer Privacy Act (CCPA) in 2018, which was the first of its kind in the U.S. and drew inspiration from Europe's General Data Protection Regulation (GDPR). Following California's lead, other states, including Colorado, implemented their own laws and regulations. California further strengthened its legislation in 2020 through a ballot initiative known as the California Privacy Rights Act (CPRA).

Unlike the GDPR, the first generation CCPA was light on affirmative due diligence requirements and many companies designed data privacy and protection programs that were little more than window dressing (e.g., privacy policies and a consumer rights request process). In the second generation of state consumer privacy laws and regulations, as well as in recent laws pertaining to the privacy of minors (such as in California and Connecticut), numerous states require affirmative due diligence and a structured approach for conducting and documenting risk assessments and associated remediation. The assessment documentation must be available for review by regulators, and the CPRA requires risk assessments to be filed with the state, a requirement that is currently under consideration in a condensed form with certification by the executive officer. This means that companies subject to the applicable state privacy laws need to develop or refine their data inventory and assessment practices as a top priority in 2024 to be prepared for the coming enforcement of these requirements.

|

How Did We Get Here?

Companies subject to the consumer privacy regimes in California (CCPA), Colorado (CPA), Connecticut (CTPA), and Virginia (VCDPA) are now required to conduct and document data protection assessments prior to engaging in certain types of data processing. At least eight additional state laws that go into effect in 2024 and 2025 have similar requirements. Most notably, assessments are required if the processing is deemed "high risk," which specifically includes, without limitation, processing for targeted advertising, profiling/automated decision making (ADM), processing of sensitive personal data and sale of personal data. Since these requirements are inspired by the GDPR, companies should consider guidance from the European Data Protection Board (EDPB) on what might be considered high-risk processing, and how to analyze risk. So far, only Colorado has promulgated regulations or issued guidance regarding what needs to be in assessments and how they should be conducted and documented, but California is currently developing its own rulemaking that it has stated seeks to be compatible with Colorado and reflect EDPB guidance.

This premium content is locked for Entertainment Law & Finance subscribers only

  • Stay current on the latest information, rulings, regulations, and trends
  • Includes practical, must-have information on copyrights, royalties, AI, and more
  • Tap into expert guidance from top entertainment lawyers and experts

For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473

Read These Next
Top 5 Strategies for Managing the End-of-Year Collections Frenzy Image

End of year collections are crucial for law firms because they allow them to maximize their revenue for the year, impacting profitability, partner distributions and bonus calculations by ensuring outstanding invoices are paid before the year closes, which is especially important for meeting financial targets and managing cash flow throughout the firm.

The Self-Service Buyer Is On the Rise Image

Law firms and companies in the professional services space must recognize that clients are conducting extensive online research before making contact. Prospective buyers are no longer waiting for meetings with partners or business development professionals to understand the firm's offerings. Instead, they are seeking out information on their own, and they want to do it quickly and efficiently.

Should Large Law Firms Penalize RTO Rebels or Explore Alternatives? Image

Through a balanced approach that combines incentives with accountability, firms can navigate the complexities of returning to the office while maintaining productivity and morale.

Sink or Swim: The Evolving State of Law Firm Administrative Support Image

The paradigm of legal administrative support within law firms has undergone a remarkable transformation over the last decade. But this begs the question: are the changes to administrative support successful, and do law firms feel they are sufficiently prepared to meet future business needs?

Tax Treatment of Judgments and Settlements Image

Counsel should include in its analysis of a case the taxability of the anticipated and sought after damages as the tax effect could be substantial.