Complying With 2023 Consumer Privacy Laws in California and Virginia

Service providers, contractors and data collectors operating in California and Virginia, must prepare for imminent changes. The California Privacy Rights Act (CPRA), which amends the current California Consumer Privacy Act (CCPA), and the Virginia Consumer Data Protection Act (VCDPA) both take effect on January 1, 2023.

The CPRA and VCDPA require noteworthy changes to a business’s privacy policy disclosures with respect to the processing of consumers’ personal information, as well as to contractual provisions in agreements with service providers, contractors and other third parties.

For information regarding the general scope and application of the CPRA and VCDPA, as well as the various consumer rights granted under the CPRA and VCDPA, please see our previous eAlert on the VCDPA, as well as our webinars on the CPRA and other state privacy laws.

What are the New Privacy Policy Disclosure and Collection Notice Requirements?

The CPRA now covers information related to employees and business-to-business relationships, and requires the following new disclosures in a business’s privacy policy:

• If a business is sharing a consumer’s personal information for cross-contextual behavioral advertising (also referred to as “targeted advertising”) purposes, a disclosure about the sharing of the consumer’s personal information, and the ability to opt-out, must be included via a link on the business’s internet homepage titled "Do Not Sell or Share My Personal Information."
• If a business collects sensitive personal information about a consumer, then the policy must include the categories of sensitive personal information collected, the purposes for which sensitive personal information is collected or used, and whether such information is sold or shared. The business must also provide a “clear and conspicuous” link on the business’s internet homepage titled “Limit the Use of My Sensitive Personal Information,” which, if followed by the consumer, will allow them to limit the use or disclosure of their sensitive personal information to the uses and disclosures authorized by the CPRA.
• A disclosure that a consumer has the right to correct any inaccurate personal information.
• A disclosure about the retention period(s) of the various categories of personal information collected by the business.

There is a significant amount of overlap between the requirements of the CPRA and VCDPA with respect to privacy policies. However, unlike the CPRA, the VCDPA does not require that a privacy policy include the sources from which personal data is collected, a description of the process that will be used to verify consumer requests and a description of a consumer’s rights under the VCDPA.

The VCDPA does, however, require a description of a consumer’s right to appeal a decision to deny their rights request, as well as a description of a consumer’s right to opt out of targeted advertising.

The CPRA also introduced new requirements for its collection notice, which must be provided to consumers either at or before the point of collection of personal information. This notice must include the following information:

• The categories of personal information to be collected, the purposes for which the categories of personal information are collected or used, and whether that information is sold or shared.
• The categories of sensitive personal information collected, if any, and the purposes for which sensitive personal information is collected or used, and whether such information is sold or shared.
• The length of time a business intends to retain each category of personal information collected, including sensitive personal information, or alternatively, the criteria used to determine this time period.
• The categories of personal information shared with, or sold to, third parties.

What are the New Contracting Requirements Under the CPRA and the VCDPA?

Under the CPRA, agreements with service providers (as well as a new category of third parties deemed “contractors”) must now include the following new provisions, in addition to those already required under the CCPA:

• An obligation that the entity receiving a consumer’s personal information comply with the CPRA and provide CPRA-required levels of privacy protection.
• A requirement that the personal information is sold, shared and/or disclosed only for the limited and specified purpose(s) set forth in the agreement.
• A provision granting the business that is providing personal information the right to take reasonable and appropriate steps to ensure that the party receiving such personal information uses the personal information in a manner consistent with the CPRA.
• A requirement that the party receiving personal information notify the party disclosing such personal information if it can no longer meet its obligations under the CPRA.
• A provision granting the party that is disclosing personal information the right, upon notice, to take reasonable steps to stop and remediate unauthorized use of personal information by the receiving party.
• A prohibition on the party receiving personal information against combining the personal information it receives with other personal information that it receives from or on behalf of another person(s), or that it collects from its own interaction with the consumer.

In addition to these new requirements, if the service provider or contractor engages a sub-processor, or a sub-processor engages another sub-processor, then the service provider or contractor is required to notify the business and enter into a contract with the sub-processor containing the provisions set forth above.

Similarly, the VCDPA requires a written agreement with third party service providers. However, the agreement required under the VCDPA aligns more closely with the data processing agreement concept set forth in the European Union’s General Data Protection Regulation (GDPR). A VCDPA-compliant data processing agreement (DPA) must include the following details:

• The controller’s instructions for processing data.
• The nature and purpose of the data processing.
• The type of data subject to processing.
• The duration of the data processing.
• The rights and obligations of the parties.

The DPA also must include confidentiality requirements for individuals accessing personal data on behalf of the processor, provisions necessitating the deletion or return of personal information at the end of the processing and a provision allowing the controller to reasonably request information that demonstrates the processor’s compliance with the VCDPA. Notably, as a point of departure from the CPRA and the GDPR, the VCDPA requires that the DPA contain a provision providing that processors should either allow reasonable assessments by a controller or another entity designated by a controller, or arrange for a qualified and independent audit to review the processor’s policies and technical and organizational measures in light of its obligations under the VCDPA.

Warner can assist you with updating your website privacy policy, developing a CPRA-compliant collection notice or drafting agreements with service providers and contractors to comply with the CPRA or VCDPA. Please contact any member of Warner’s Cybersecurity and Privacy Practice Group for assistance on this and any other cybersecurity and privacy matter.

Warner Associate Alan Jurcak contributed to this eAlert.