Advertising Law Tool Kit - Twelfth Edition | 2024

Venable

Privacy and Data Security — State Privacy Laws

The following steps will help your business to comply with state privacy laws effective in 2024:

• Determine which, if any, of the new laws will apply, given your business’s size and practices. To be subject to such laws, a business typically must do business in the state, control or process personal data about consumers in that state, and meet certain thresholds relating to revenue and/or data processing activities.
• Assess your practices regarding personal data collection, use, and disclosure, noting exemptions that may apply. For example, pseudonymous data (like device identifiers) faces more limited requirements.
• Create or update your data map.
• Conduct a gap analysis to determine whether your practices meet the requirements of applicable laws, then develop a compliance checklist based on the gaps identified.
• As applicable, ensure that your compliance strategy aligns with regulations issued under the Colorado Privacy Act and the CCPA.
• Keep an eye on rulemaking developments under the CCPA, such as those related to automated decision-making, and under the Colorado Privacy Act, such as those related to universal opt-out mechanisms (UOOMs).
• If sensitive data is collected in states that require opt-in consent to process such data (e.g., CO, CT, FL, MT, OR, TX, VA), develop and implement processes to comply. Implement opt-out rights relating to sensitive data in CA and UT.
• Review your privacy policy to meet state privacy law requirements. Create internal policies to document your compliance processes.
• Maintain mechanisms for consumers to submit rights requests—certain state laws specifically require a link by which consumers can submit requests to opt out of sales of personal data or sharing for targeted advertising.
• Maintain processes for responding to consumer rights requests, with close attention paid to the deadlines for responding to such requests under applicable laws.
• Develop or update contracts with vendors as required under applicable laws.
• Conduct employee training in your company on the current and forthcoming state privacy laws.
• Stay up to date on CPRA developments to help your business adapt to the evolving data privacy landscape in California. The CPRA established a new California Privacy Protection Agency (CPPA), which is responsible for issuing implementing regulations and enforcing the CPRA.

Even if not subject to comprehensive state privacy laws, businesses may have privacy- and security-related legal obligations. The questions below are critical for assessing your business’s corporate privacy and security practices. If you answer yes to any of the first ten questions or no to the last two, consider engaging experienced privacy counsel:

• Do you use information about customers for marketing or other purposes not related to the particular sale or transaction in which you collected the information?
• Do you knowingly sell personal data about consumers with whom you do not have a direct relationship?
• Do you collect and retain contact information from individuals when they interact with you?
• Do you ask visitors to your website to tell you their age? Do you advertise to children online? Do you knowingly collect personal data from children under the age of 16?
• Do you process or retain credit card information?
• Do you have a privacy policy on your website or app? Is it outdated?
• Do you provide services to companies subject to omnibus state privacy laws?
• Do you conduct business with companies in the healthcare, financial services, video streaming, or telecommunications sectors? If so, do you process personal data about individuals when conducting business in these industries?
• Do you monitor your employees in the workplace?
• Do you collect, receive, or otherwise process personal data about customers, employees, vendors, or other individuals of Europe or other foreign jurisdictions? Do you transfer personal data about European individuals to other jurisdictions?
• Do you have an effective security program designed to safeguard personal data with adequate technical, administrative, and physical protections? Is it in writing? Do you conduct regular tests of your data security program and mitigate any vulnerabilities detected in such tests?
• Do you have an effective response plan in place for data security incidents?
