Bracewell’s Lucy Porter discussed with Communications Daily changes to three state laws taking effect in the next year and half: the California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA) and Colorado Privacy Act (CPA).
Porter says to pay attention “because things are changing.” What happens in rulemakings and legislatures could significantly affect the specifics of how businesses must comply. “They’re potentially going to prescribe the way certain things are done,” continued Porter. Most organizations that will be subject to new laws will have “at least a passing relationship” with the EU’s general data protection regulation, Porter added. Compliance isn’t “complex,” but it’s expensive and time-consuming.
Porter also said businesses shouldn’t wait to assess what data they possess and how they use it. Companies can start building backend systems for handling data access requests from consumers. “From now on, privacy needs to be a part of your decision-making.” Porter had clients who initially thought they didn’t sell people’s data but later realized “they do in fact – within the definition of the law – sell data.” Companies subject to multiple state laws must decide whether to manage each state separately or follow the most restrictive state law everywhere, added Porter.
Click here to read more from Communications Daily (subscription required).