Taking Your First Steps: Key Compliance Tasks to Kick-start Compliance with California and Virginia Data Privacy Laws

As state and federal legislatures across the United States continue to contemplate comprehensive data protection legislation, two pending laws—the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA)—are set to become effective on January 1, 2023.¹ For general details on these laws, see our previous publications on the CPRA here, and the VCDPA, here.

Though businesses still have a year to prepare for compliance with the CPRA and VCDPA, there are certain tasks companies should consider starting early in 2022. In the first of our series of alerts providing guidance on how businesses can develop and implement compliance plans for the CPRA and VCDPA, we will discuss the key initial tasks that businesses should focus on today. Specifically, these key tasks include assessing the business’ cybersecurity practices and implementing reasonable cybersecurity measures, negotiating data processing agreements, performing detailed additional data mapping, and conducting required data protection assessments.

Background and Recent Developments

In June 2018, California passed the United States’ first comprehensive data privacy framework, the California Consumer Privacy Act (CCPA), which became effective on January 1, 2020. In November 2020, voters passed the CPRA, which amends the CCPA and becomes effective in January 2023. Notably, the CPRA established the California Privacy Protection Agency (CPPA) to develop and promulgate regulations to implement the CPRA. The CPPA board was appointed in March 2021 and is actively working to prepare regulations.

In March 2021, Virginia passed the Virginia Consumer Data Protection Act (VCDPA). Virginia established a working group to review the VCDPA’s provisions and provide recommendations for legislative review. A November 2021 report from the working group indicated that the Virginia legislature was focused on issues such as whether to include a general opt-out provision, revising the definition of "sensitive data," and the possibility of creating an agency to issue regulations. It remains to be seen whether the Virginia legislature will take any actions to implement the recommendations from the working group prior to the January 1, 2023 effective date.

Key Initial Compliance Objectives

As the effective date of these laws approaches, businesses will need to develop a plan to address upcoming requirements in the next twelve months. Businesses can implement certain requirements under these laws quickly as they reflect extensions of compliance obligations under existing data privacy laws. Other obligations, however, reflect new requirements that may necessitate substantial time and consideration.

• Implement Reasonable Data Security Practices. Companies should assess and implement data security practices and procedures to protect personal data as required under both the CPRA and VCDPA. The CPRA, in particular, requires the adoption of regulations that will obligate companies to perform regular cybersecurity audits for processing that presents a significant risk to consumer privacy or security. In most cases, performing such an assessment will require engaging a third-party cybersecurity firm to assist with the technical aspects of the assessment for consideration in determining legal compliance. The third-party cybersecurity firm may also be needed to assist in implementing specific controls and processes to address gaps in the business’ cybersecurity infrastructure and program. This process can take a significant amount of time to accomplish, as businesses will need to consider the compatibility of security controls with existing IT infrastructure, costs, and potential impacts to overall business operations. Businesses should begin to assess their cybersecurity practices in the immediate term, engage third-party technical experts as required, and if necessary, implement cybersecurity measures in accordance with CPRA and VCDPA requirements.
• Execute Data Processing Agreements. While written agreements governing data processing activities were only implicitly required under the CCPA as a means to exclude personal data transfers from the broad definition of “sale,” the CPRA and VCDPA explicitly require businesses to execute written data processing agreements. Under the CPRA and VCDPA, such written agreements govern how third-parties process data on behalf of the business. These agreements should generally address dynamics such as the purpose and duration of processing, the specific data the third-party is processing on behalf of the business, and any specific limitations on processing by the third-party. The VCDPA, in particular, requires a controller (business) to contractually obligate a processor to maintain confidentiality, delete or return personal data at termination, and cooperate with the controller in meeting its obligations under the VCDPA. As such, businesses will need to conduct a full audit to identify and review their agreements with third-party data processors to ensure they contain the required provisions. To the extent there are any deficiencies in the data processing agreements, businesses will need to re-negotiate terms and provisions with third-party data processors. In addition, for third-parties covered by the CPRA (i.e., service providers, contractors and third-parties), such parties may also have obligations to ensure they have adequate processes in place to comply with the required provisions in the data processing agreements. We recommend businesses leave ample time to shore up their data processing agreements, given the complexity involved in the process.
• Conduct Data Mapping. The CPRA and VCDPA expand the categories of personal information covered under prior state data privacy laws like the CCPA. As a result, companies may need to engage in additional, detailed data mapping to ensure that they understand the categories and sources of personal information collected, and how such data is stored, transferred, and otherwise used within the organization. Although not expressly required under the statutes, data mapping is a foundational component to ensuring compliance with the CPRA, VCDPA, and any future applicable data privacy legislation. Accurate and comprehensive data mapping enables an organization to more efficiently respond to consumer requests to access, correct, or delete data, and to identify if it is subject to additional requirements under data privacy laws related to, for example, sensitive personal information. Importantly, consumer rights to access under both the VCDPA and CPRA extend to consumer personal information processed before the respective laws’ implementation dates in 2023. For example, the CPRA extends these rights back through January 1, 2022. Data mapping in advance of the laws’ effective dates will also help businesses assess their compliance with data minimization and privacy notice requirements, implement appropriate contracts with processors, and allow companies to easily identify the flow of de-identified data to ensure that such data remains de-identified. Given that data mapping can be a time-consuming process requiring input and involvement by multiple internal stakeholders, we encourage companies to begin without delay.
• Perform Data Protection Assessments. The VCDPA includes a specific requirement for data protection assessments, similar to data protection impact assessments under the EU’s General Data Protection Regulation (GDPR). In addition, the CPRA requires the adoption of regulations that will require businesses to perform and submit risk assessments to the CPPA where processing activities present a significant risk to consumers’ privacy or security. Data protection assessments and similar audits are important because they assist organizations in identifying, addressing, and minimizing risks related to data processing activities. Data protection assessments touch on all stages of the life cycle of personal information processing by a company, and involve identifying the specific types of personal information the business collects and processes, reviewing business operations to identify specific functions that involve the processing of personal information, and evaluating those functions to determine if they present a substantial risk of harm to consumers. Implementing a compliant program based on a company’s particular data processing practices will require identification and consideration of such risks, along with the implementation of safeguards to address such risks. Companies should, therefore, begin efforts early to undertake a data protection assessment in accordance with the VCDPA and future regulations under the CPRA.

Next Steps

With January 1, 2023 just under twelve months away, businesses should prioritize the foundational and more time-intensive compliance obligations under the CPRA and VCDPA in developing a compliance plan. Conducting a data protection assessment and cybersecurity program review will necessarily involve the use of third-party vendors whose own policies and procedures will need to be assessed and capabilities evaluated against other potential vendors. Gaps that are identified in this process will need to be considered and remedial measures taken to address the gaps with minimal business disruption. Specific security controls will need to be configured and incorporated into the existing IT infrastructure or, in some cases, new IT infrastructure will need to be developed. In addition, data mapping may involve coordinating with multiple stakeholders throughout the enterprise who may have access to or otherwise use sensitive personal data. Finally, data processing agreements will need to be executed or renegotiated to reflect applicable requirements. Businesses who get ahead of these tasks will be better positioned to identify and implement appropriate policies and practices to comply with the CPRA and VCDPA, and data privacy laws set to become effective thereafter such as the Colorado Privacy Act. Notably, any compliance measures should remain nimble enough to respond to any regulatory guidance that emerges.

In this article series, we will continue to provide updates and analysis of the detailed requirements under the CPRA, VCDPA, and other upcoming data privacy legislation. Please do not hesitate to contact us. Our Data, Privacy & Cybersecurity Practice group is happy to advise on these requirements and to assist your business in revisiting or implementing your compliance plans as January 1, 2023 approaches.

_{1 Colorado passed its own comprehensive data privacy legislation in July 2021, the Colorado Privacy Act. This law will not take effect until July 1, 2023, and contains some similar provisions to the CPRA and VCDPA. The tasks suggested here may also provide a starting point to beginning compliance efforts under the Colorado Privacy Act. See more details about the Colorado Privacy Act here.}

Katherine Madriz (Law Clerk, White & Case, Washington, DC.) co-authored this publication.

_{White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.}

_{This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.}

_{© 2022 White & Case LLP}