In 2023, the Colorado Privacy Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, Virginia Consumer Data Protection Act, and significant modifications to the California Consumer Privacy Act with the enactment of the California Privacy Rights Act go into effect. Below is a compliance checklist that can be utilized to prepare for and ensure compliance. 

1. Work With Counsel to Determine the Applicability of State Privacy Laws and In-Scope Data. 

2. Develop a Comprehensive Inventory of all In-Scope Data. 

  • Indicate data owners, sensitivity/classification levels, purposes of processing, collection mechanisms (e.g., consent, notice), and data flows. 
  • Identify data that is sold or disclosed and indicate third parties involved.  

3. Update Privacy Policies. 

  • Disclose the categories of sensitive data collected and processed. 
  • Ensure clear notice is provided to consumers before the collection of sensitive data or a child’s data. 
  • Establish a process to obtain opt-in or affirmative consent before collection. 
  • Describe the retention of data by: 
    • Identifying the length of time for which the organization will retain each category of data, or 
    • Stating the criteria used to determine whether or not data will be retained. 
  • Provide clear instructions on how consumers may exercise their rights. 
  • Inform consumers of their right or ability to appeal decisions on consumer rights requests and how they may submit an appeal. 

4. Update Other Internal Policies (e.g., Data Security, Acceptable Use, Incident Response, Record Retention) to Ensure Alignment With New Privacy Requirements. 

5. Implement Processes to Support Consumer Rights. 

  • Ensure data can be located and destroyed or corrected. 
  • Review systems, processes, and software to ensure data can be exported in a portable, machine-readable format. 
  • Implement controls to restrict or allow opt-out of the: 
    • Sale of personal data. 
    • Processing for targeted advertising.
    • Processing for automated decision-making. 
    • Use of sensitive data. 
  • Establish a process for consumers to appeal decisions related to their consumer rights. 
  • Establish an internal review process for instances when the organization refuses to take action on a consumer rights request. 

6. Implement Data Protection Controls Based on Data Sensitivity/Classification Levels. 

  • Consider encryption, masking, pseudonymization, deidentification, and access controls. 

7. Conduct Periodic Risk Assessments and Audits, as Required. 

  • Establish ongoing risk assessment and review process that identifies and documents: 
    • Categories of data collected and processed. 
    • Purpose of collection and processing. 
    • Collection or processing of sensitive data or data relating to children. 
    • Risk to the consumer’s security and privacy for each collection and processing activity. 
    • Controls implemented to mitigate assessed risks. 
  • Ensure risk assessments are submitted to regulators, when appropriate. 
  • Review existing risk assessments on an annual basis or upon a change that materially alters the risk to the consumer. 
  • Perform data protection impact assessments as part of planning for new projects and technologies.  

8. Streamline and Simplify the Opt-Out Process. 

  • Develop a universal opt-out option to exercise all opt-out rights in one location. 
  • Provide a single location to review and modify all selections. 

9. Document, Catalog, and Review Third-Party Relationships With Service Providers and Data Processors. 

  • Ensure a contract exists to govern the relationship between the organization and each service provider or processor. 
  • Review contracts for provisions to limit processors from improperly selling, sharing, retaining, or combining personal data. 
  • Establish a process to ensure third parties properly limit processing and provide appropriate privacy protections. 

10. Deliver Training to all Employees on Privacy Requirements and Their Responsibilities as it Relates to Data They Collect and Process. 

11. Get Help. 

CrossCountry Consulting’s robust privacy and data protection team is actively involved in the industry, holds leadership roles within IAPP, and is passionate about data protection and the evolution of the field.  

We would love to discuss your organization’s data privacy needs and challenges. Contact CrossCountry Consulting today with questions or to discuss how we can best partner to achieve your goals.