CPRA & Beyond: US Data Privacy Laws, New Complexity and Compliance Strategies 

David Rawson
April 20, 2023

GCs rank data privacy and regulatory compliance as the top risk areas they face in 2023. Meanwhile, 59% of CLOs say data protection privacy laws will create some of the biggest legal challenges for their organizations this year.  

Developments in recent months have justified in-house legal leaders’ concerns. The first quarter of 2023 ended with California and Iowa completing the process of enacting new data privacy regulations.  

In late March, the California Office of Administrative Law approved new California Consumer Privacy Regulations, and the Iowan governor signed the Iowa Privacy Law. The Iowan law comes into effect on January 1, 2025, but California will begin enforcing its new regulations on July 1, 2023. Alongside California and Iowa, Colorado, Connecticut, Virginia and Utah have passed data privacy legislation this year. Twenty other states are actively legislating on data privacy.  

If anyone harbored distant hopes that legislative activity in this area was “done,” they have certainly been extinguished now. And as activity continues, staying on top of compliance obligations, especially around vendor contract provisions, will be an ongoing challenge.  

So, how can organizations minimize the effort needed to manage their growing obligations, without running unnecessary risk? As new data privacy legislation continues to arise both in the US and across the globe, the ability to move quickly at scale will become even more critical – and it may require exploring a new approach.  

Align in a hurry: data privacy compliance is an enterprise-wide project 

The California Consumer Privacy Act (CCPA) and its associated regulations (CPRA) illustrate the typically wide-ranging impact of data privacy legislation.

CCPA vs. CPRA: granting rights and outlining compliance  

The CCPA grants consumers broad rights to prevent the sale of their personal data and request its deletion by businesses that hold it. It applies to many organizations that do business in California, whether they are based in the state or not. 

The CPRA sets out in detail what compliance with the CCPA looks like, along with additional requirements and obligations. The regulations include rules on how organizations must inform consumers of their rights and facilitate the exercise of those rights. The CPRA also specifies certain contractual provisions that companies must include in their contracts with vendors to ensure consumers’ data is handled in accordance with the CCPA.

The far-reaching impact of data privacy legislation  

In practice, this means that compliance requires an enterprise-wide project. Corporate websites need updating, companies must implement internal systems to facilitate prompt action when consumers exercise their rights (for example, when a consumer requests data deletion), and contracts need to be reviewed to make sure their terms align with the requirements of the CPRA.

In other words, this isn’t something owned or driven solely by one team. But it does need someone – or a small group – to understand the implications of the legislation and ensure that the work needed to comply is happening in a timely manner. Without that kind of alignment and dedicated oversight, the risk of something slipping through the cracks increases.  

Contracts are a risk area – especially if there’s poor contract hygiene 

Privacy statements, user affordances for deletion requests and data usage opt-outs, and internal procedures for processing consumer requests are ultimately within the direct control of an organization. By definition, contracts require at least some interaction with the counterparty if they are to be updated. 

The project before the project: establishing the scope  

Before you can begin to approach the vendors and other contractual counterparties, you must identify what contracts (if any) need updating and what amendments are needed. Figuring that out can be a difficult and time-consuming task, especially if contract hygiene is suboptimal and contracts are not stored systematically or are not easy to interrogate. 

Vendor contracts are often stored in unsophisticated file systems. For them to keep any kind of meaningful structure, already-busy people must dedicate time to implement storage and naming protocols. And, in practice, despite internal rules and the best of intentions, that doesn’t happen as consistently as it might. In fact, the vast majority of organizations lack sufficient document storage and organization, leading to massive losses due to lost contract value and time dedicated to repeatable tasks that could be streamlined.  

That can mean that just finding the latest version of a contract with a long-standing vendor is a challenge. And then, if the documents are simple soft copies of the agreements, additional time and effort are needed to review the contents and check for compliance. Only then can any amendments be determined and the other party engaged.

Looking ahead with a smarter CLM system 

Given that the stream of data privacy legislation shows no sign of abating, it may make sense to consider implementing a more sophisticated storage and retrieval system. A smart CLM system not only ensures that you know where the contracts are, but also that you can review the clauses within them quickly and easily, and so take the necessary steps to bring them into compliance faster. 

Hope for the best, prepare for the worst: signs of more complex compliance requirements  

In the past, legislative compliance has allowed a generic, blanket approach when it comes to contractual provisions.  

For example, where legislation requires contracts to specify the purposes for which data is captured and held, it’s common practice to make the purpose provisions self-referential: the data is captured and held for the purposes of the commercial business provided for by the contract. This approach allows organizations to comply with updated legislation and regulation by sending all vendors general addenda to existing contracts. 

There are signs that this approach may not work in the future.  

Reaching compliance on an individual basis 

A key sign that achieving regulatory compliance may soon be more labor-intensive lies in the new CPRA. The regulations appear to specifically rule out self-referential business purpose definitions. Instead, they require each contract to specify the business purpose for which data is collected and kept.  

If the intention of the California legislature is to ensure that each contract receives individual attention, the burden of compliance with this aspect of the CPRA could be significant. It’s notable, in this context, that the California Chamber of Commerce has launched court action to delay the implementation of the CPRA.

Whatever practice develops around the CPRA, it highlights a sweeping truth: what worked in the past will not necessarily work in the future. Anticipating – and planning for – the most onerous possibilities will help ensure that the most resource-effective solution can actually be implemented.

In a situation like this, for example, working with an experienced provider to explore alternative models of handling contract review and amendment can help create options for all eventualities. Even better, seek a partner with experience handling the sort of contracts impacted or with a track record of success during projects related to Schrems II and GDPR.  

Explore alternative ways to handle data processing agreements 

When faced with the prospect of work-intensive regulatory updates, in-house legal teams inevitably struggle with bandwidth. Still, many legal departments aren’t clear on how an alternative partner can alleviate the pressure, or through which types of work. 

In principle, data processing agreements are the kind of contract that could form the basis of a managed contracting service. There are ascertainable “moving parts” and usually consistent positions taken.  

Most managed service options include a technology component that facilitates quick and efficient retrieval and analysis should legislative developments require it. But technology alone won’t solve the problem – someone needs to interpret the entire contractual relationship, determine how the regulation applies and weigh the clauses against the updated legislation. Technology can then learn from (and ideally replicate) these human interpretations. The same service that handled the original negotiation and the long-term management can easily spin up a project to handle any necessary amendment.

The bandwidth that this frees up within legal teams can then be deployed in horizon-scanning for future developments, ensuring that, no matter how heavy the deluge of new legislation might be, the organization can be confident of keeping its head comfortably above water. 

Recent developments with data privacy legislation speak to a broad and disconcerting trend: the pace of regulatory change isn’t slowing, and achieving compliance is also growing more complex and burdensome. As updates continue to unfold and compliance projects cross every departmental line, organizations can mitigate risk and position themselves for success by taking action now.  