Consumer Privacy: What You Need to Know About the New State Privacy Laws (Part 1)

With comprehensive federal privacy legislation likely not coming in 2022, marketers and advertising lawyers are left to decipher a multiplying group of state laws, some of which are expanding at the start of 2023. In this session at the 2022 ANA Masters of Advertising Law Conference, a panel of experts reviewed the basics of various privacy and cybersecurity laws, including which businesses are beholden to laws now and under new expansions, what counts as personal information for consumers, and disappearing exemptions.

Key Takeaways

Prior to the California Consumer Privacy Act (CCPA), U.S. privacy laws were industry- and sector-based. With the passage of the CCPA and other states' privacy laws, legislation now goes beyond industry to encompass essentially any business using data to engage with consumers, creating broad regulations for how businesses can handle a consumer's personal information, with stiff penalties for businesses that do not adhere to the standards.

The CCPA, widely regarded as the most influential and sweeping privacy law in the U.S., will expand in January of 2023. Of significance in this expansion of the law is the inclusion of HR data and B2B data, both of which were previously not beholden to the law's standards. To prepare for these changes, businesses should:

  • Perform a gap analysis to see which of their data sets will now be under more scrutiny than before.
  • Provide a full privacy policy to HR data subjects.
  • Implement a mechanism to accept HR data subjects and B2B data subjects.
  • Provide CCPA rights to shore up agreements with service providers.
  • Provide customers and individuals who had opted to share data under the prior privacy policy the opportunity to withdraw consents, as stipulated by updates in the law.

On the cybersecurity and information security front, many states are beginning to expand the requirements for businesses to assess their cybersecurity risk profile. For example, New York State's NYDFS Cyber Security Regulation has been using an FTC ruling that an entity is a "financial institution" if it's engaged in an activity that is "financial in nature" to vastly expand the scope of companies it can regulate, issuing cybersecurity-related fines to companies that previously were not considered financial institutions. Massachusetts now requires the handling of internal employee data to abide by data protection rules, while Colorado, Virginia, Connecticut, and Utah are requiring the implementation of "reasonable" security controls.

Vendor Management with Expanded Laws

Under the expansion of the CCPA, brands will now be responsible for how most third-party vendors manage data that the brand provides. Brands will need to button up their agreements with vendors and ensure that all campaigns managed by a vendor adhere to existing privacy laws. Businesses should immediately liaise with their sales and marketing teams to understand where data is being sent and what it is being used for.

Additionally, the panel provided some key questions to consider when reviewing if a relationship with or campaign conducted by a third party falls under the purview of privacy laws:

  • Is the vendor a processor (a.k.a. a contractor or service provider)?
  • What personal information/data is involved in the relationship or campaign?
  • What is the scope of processing that data?
  • Is the transfer of data from the brand to the vendor a "sale" subject to a consumer's right to opt out?

Action Steps

To prepare for the expansion of various privacy laws, the panel recommended that businesses take the following steps by the end of 2022:

  • Assess readiness, conduct a gap analysis, and develop a project plan.
  • Update data inventory.
  • Revise notices, policies, and procedures.
  • Refine consumer request programs.
  • Implement impact-assessment programs.
  • Update data protection agreements and reassess the status of data disclosures and recipients.
  • Complete a data-retention schedule and program implementation.
  • Implement reporting, record-keeping, and training.
  • Shore up data security and breach preparedness.
  • Determine if all U.S. consumers will get all rights, regardless of residency, or develop and roll out a state-by-state approach.

CLE Materials


"Consumer Privacy: What You Need to Know About the New State Privacy Laws (Part 1)." Kyle R. Dull, senior associate, data privacy, cybersecurity, and digital assets at Squire Patton Boggs; Rick Border, partner, privacy and data security group at Frankfurt Kurnit Klein & Selz PC; Marisol Mork, partner, co-leader, advertising, media, and brands industry at Squire Patton Boggs; Matt Lubniewski, AGC, head of commercial at Zynga, Inc. 2022 ANA Masters of Advertising Law Conference, 11/8/22.
