As you know, the following state privacy laws take effect in 2023: the California Privacy Rights Act (CPRA, which amends and expands the California Consumer Privacy Act, CCPA; effective January 1, 2023), the Virginia Consumer Data Protection Act (VCDPA; January 1, 2023), the Colorado Privacy Act (CPA; July 1, 2023), the Connecticut Data Privacy Act (CTDPA; July 1, 2023) and the Utah Consumer Privacy Act (UCPA; December 31, 2023).
Though the details of each state law vary, the core tenets of compliance remain the same. It begins with creating a data inventory: a record of what personal information you collect, why you collect it, and where it goes.
Think of this as the foundation for all the information gathering that follows. The GDPR calls this a record of processing activities (Article 30), and that label describes the first steps toward compliance well.
Step 1: Start a spreadsheet that captures, for each processing activity, the name and contact details of the party collecting the data; the purpose of the processing; the categories of data subjects and the types of personal data; and the categories of recipients, both those who have already received a user's data and those who will receive it in the future. Add retention periods, a general description of the security measures applied, advertising targets where appropriate, and so on.
Step 2: Build the spreadsheet out for each business unit of your company and ask each department to fill in the parts you cannot. Tedious as it is, this process produces a map of how personal information flows through your business, and that map is what lets you meet the privacy requirements that follow: keeping your privacy policy accurate, honouring user privacy choices, and so on.
This is of course a simplified overview of reaching compliance, but these first two steps are what tell you where your customers' personal information is and what happens to it within your business. THAT is half the job done when it comes to meeting the requirements.
Why is any of this important to you?
Apart from the fact that it is fast becoming law across the US, there are real benefits to be had in reaching for and achieving compliance. To borrow a cliche that actually applies here, "it is not just about the destination but the journey": along the way you will discover ways to improve your privacy operation. Once you understand the requirements you can implement new opt-in/opt-out processes or improve vendor management practices, while strengthening collaboration between privacy, legal, IT and the business. These perks come from simply following the process.
You can evaluate privacy risks by establishing assessment practices (regulators like to see this) and by documenting the results of each assessment. The end goal is to sustain and monitor privacy over time, which you do by establishing a rationalized control framework aligned to the regulatory requirements, with defined roles and responsibilities attached to it and therefore accountability.
So although it might at first seem like a large amount of work, the hardest part is identifying where the data resides within your organization. The rest is best practice 101: enhancing what you already know is there.