TL;DR: Do you sell consumer data (or share it for a financial benefit like a discount)? Do you do business, or target consumers, in CA, CO, CT, UT or VA, or the European Union? Let’s review your policy and practices and see if you need an update.
Hey, remember that time, back in early 2018 – I know, before-COVID times can feel like a lifetime ago, but bear with me – so, way back in early 2018 your email inbox was flooded with an avalanche of emails (I love mixed metaphors!) from every website you ever visited in your entire browsing history letting you know that they were updating their privacy policy.
You may, or may not, know that this was because companies needed to update their policy to comply with the GDPR – the European Union’s Data Privacy rule. The GDPR is the GrandDaddy for all the privacy policies that have followed across the globe and in the US.
Well, brace yourself, kiddos! You may yet get another batch of email notices during 2023, as five different states in the US have adopted privacy laws that go into full force and effect some time in 2023.
California’s two (2!!) privacy laws have already been implemented, but the second (CPRA) has been implemented only partially, with full compliance required in January 2023. Connecticut and Virginia also passed laws that go into effect in January 2023. On their heels is Colorado, effective July 2023, and rounding out the year is Utah with its privacy law effective as of December 31, 2023. That’s six laws in five states that you may (or may not) have to comply with as a business owner.
Each law has its own thresholds to determine if it applies to your website and data collection practices. The first is whether you do business in or target residents of that respective state. If you answer yes to that, then you dive deeper into things like revenue, how many users/consumers’ data you collect, and what you do with the data. This ends up being a state-by-state analysis, though they are all very similar in construction.
That’s not by accident. Each has roughly modeled itself on the Data Privacy Law GrandDaddy, the GDPR. Comply with that, and you are well on your way to compliance with each state. There are currently 27 other states with legislation in various stages of progress, six of those nearing the finish line. Until a Federal law is passed, compliance will remain a task of adhering to a patchwork of state-by-state laws.
What the laws and bills each have in common is the establishment of consumer rights: access to data collected and/or shared or sold; rectification of incorrect or outdated information; deletion of personal data; restriction of the use of data; portability of data in a common file format; and the right to opt out of having your data sold. These rights are all modeled after the rights created in the GDPR.
Some US laws also prohibit automated decision-making about a consumer without human input (software/AI can’t solely make decisions). Others create a private right of action for the consumer – in other words, a consumer can sue a company for violating their rights. Most states, however, like the GDPR, leave enforcement up to the appointed official or agency – such as the State Attorney General.
So, what does this mean in practical terms for a business owner? If you have a website that collects any personal data – name, email address, billing information, phone number, etc., then you need to review how you are collecting and handling this data because you may need to comply with these state laws. So now is the time to start your review and get your policy updated so you are ready for 2023. If your website doesn’t collect personal data (for example, if it is really just an informational website proving you exist, sharing a bit about who you are and what you do, with zero ways for your visitors to interact with the site and no way to place orders or process payments) then you probably don’t need much of a privacy policy at all.
But what if you do need to comply? You may need to comply with all the states’ privacy laws or just some. A properly drafted privacy policy can address the common parts of the laws generally, and then have a section for the specifics of each state.
But having a well-written policy is only half the matter – you also have to walk the walk, not just post the talk. Your internal data handling and processing practices may need to change to reflect what your policy says online.
What about other countries? I mentioned the EU, and the US, but left out the rest of the globe. Many countries have implemented their own data privacy laws. Most are not as robust as the GDPR or are modeled closely after it. Some don’t have the global reach that the GDPR has and aren’t likely an issue that most US small businesses need to worry about. This isn’t to say they don’t apply at all, but again, if you’re following the GDPR model, you’re likely compliant.
The International Association of Privacy Professionals is a great resource to track data laws (I use it myself!) and if you’re looking for some heavy reading, you can check it out here: https://iapp.org/
But if you aren’t looking for a cure for insomnia, and you are a small business that needs to update your website’s privacy policy – I’ve got you covered. Book a no-obligation consultation and we can talk about getting your Privacy Policy up to snuff in time for 2023. https://calendly.com/lisasigmanlaw/consult