Sarah Hutchins and Robert Botkin wrote an article in Risk Management Magazine about how businesses should prepare ahead of California and Virginia's data privacy laws taking effect on January 1.
"These laws will result in steeper requirements—and penalties—for many companies across the United States," they wrote. "The California Privacy Rights Act (CPRA), which builds upon the California Consumer Privacy Act (CCPA), and Virginia Consumer Data Protection Act (VCDPA) both apply to companies ‘doing business in the state,’ including actively engaging in e-commerce with their residents. These companies must control or process the personal data of at least 100,000 residents of that state, or control or process personal data of at least 25,000 residents and derive at least 50% of their gross revenue from the sale of personal data."
"The CPRA also applies to any enterprise that does business in the state and has a global gross revenue of $25 million, regardless of how much consumer personal data it collects," they continued. "Starting on January 1, it will extend beyond consumer data and apply to business-to-business data and employee data. As a result, the CPRA will bring into scope a much larger swath of data than any other state privacy laws, including VCDPA."
"At a high level, these two laws require affected businesses to make certain disclosures in their privacy notices, provide consumers the ability to opt-out of the sale of their personal data, and limit the collection of personal data to what is adequate, relevant and reasonably necessary," they wrote. "There are nuances with these requirements, but the laws are rather clear in this area and the biggest risk comes with noncompliance. To prepare for new requirements and mitigate the risk of costly penalties, businesses should pay particular attention to three specific areas: navigating uncertain opt-out requirements; developing a data governance program to ensure efficient responses to consumer requests; and managing risks with third-party vendors."
You can read the full article, "Key Business Considerations for Impending State Data Privacy Laws," in Risk Management Magazine.
Risk Management is the official magazine of the Risk and Insurance Management Society (RIMS), a network of 10,000 risk management professionals in more than 60 countries.