Wait! Before You Go…

This summer, Colorado and Connecticut made their mark on an increasingly complex patchwork of state data privacy laws. The Colorado Privacy Act and Connecticut Personal Data Privacy and Online Monitoring Act are the latest in a steady stream of state regulations that shows no signs of abating.

In the absence of federal oversight in the U.S., more states are eyeing data privacy legislation of their own — at least 25 states introduced or considered consumer privacy bills in 2023.

With bandwidth already stretched and the threat of more regulatory projects looming, how can organizations mitigate risk and position themselves for success with the new laws in Colorado and Connecticut and other state regulations on the horizon?

While there are similarities between the various state laws, there are also nuances that impacted organizations must understand and navigate. In general, states have slightly different processing and sale thresholds for impacted businesses, as well as specified rights for consumers.

This patchwork of data privacy legislation translates to operational headaches — that’s where contract management comes in.

A contractual body contains the full breadth of an organization’s responsibilities, obligations and rights, housing the framework for every business relationship. But when minute elements of that framework must change on a case-by-case basis, organizations are often faced with an operational nightmare.

New legislation, new organizational complexity

Teams impacted by new data privacy laws must balance two priorities: implementing changes to comply with new requirements, while continuing to manage existing requirements.

This balancing act is particularly difficult when new regulations create onerous business obligations, as is the case with the Colorado and Connecticut laws. For example, businesses may be obligated to:

• Treat consumers under a certain age with an “opt-in” default for the sale of their personal information.
• Obtain parental consent to process data of consumers under the age of 13.
• Provide notice to consumers about certain data practices.
• Conduct certain risk assessments of privacy and/or security projects or procedures.

As new obligations mount and existing demands persist, organizations need a sustainable strategy for navigating the complex regulatory landscape. What’s more, that strategy needs to be documented.

But what if you’re not sure where to find your impacted documents at all, let alone the language that needs updated? This is an all-too-common reality. Nearly 70% of contract professionals search for completed documents at least once a week — almost 30% of the time, they’re doing it to meet legal and regulatory requirements. On average, the hunt to find impacted documents and locate relevant language takes over two hours.

Multiply this time commitment across any scale — as is inevitable when meeting regulatory demands — and it quickly becomes untenable. To avoid burnout without risking noncompliance, better contract management is vital.

Because these laws are so far-reaching, complying with new and existing data privacy legislation requires cooperation from across the entire organization. Still, one person or group must fully understand the implications of the legislation and the necessary work to comply — often, a huge portion of this work lives in the bucket of contractual requirements.

Implement these practical steps to ensure your organization is prepared to meet immediate regulatory requirements and positioned to meet others that arise. 

Complete a holistic review of your contract body

The best way to get a view of your organization’s risk profile is through a top-down contract review. You don’t know what you don’t know, so if you haven’t completed a thorough review of your contract population, you run the risk of something slipping through the cracks. Insights from this review will position you to manage existing data privacy obligations and those that have yet to unfold. 

Elevate contract hygiene from ‘nice to have’ to core imperative

Organizations with subpar document storage and organization processes often find that reaching compliance with data privacy legislation requires them to complete a project within a project. When it takes unnecessary time and effort just to locate the latest version of a contract, then additional legwork to review it for compliance, teams already burdened by untenable workloads are further bogged down by inefficiency.

A sophisticated storage and retrieval system allows organizations to locate contracts and review relevant clauses quickly; as new state data privacy laws continue to emerge and regulatory burdens become more complex, this sort of system will prove vital in reaching compliance.

Consider a new approach to managing data processing agreements

Though in-house legal teams often struggle with bandwidth when handling work-intensive regulatory updates, they tend to shoulder the burden alone, unaware that an alternative partner can meaningfully assist.

Data processing agreements are one of the contracts most impacted by data privacy laws; they require careful management to ensure alignment with specific state requirements while maintaining consistent positions. This work is relatively high in volume and complexity, making it a constant drain on in-house resources but an ideal basis for a managed contracting service.

Achieving compliance with data privacy legislation

Even grasping the value of contract management, organizations are bound to struggle with a sense of overwhelm as they wade through the bevy of state legislation. Consider these tips to help focus your contract management strategies on highest-impact priorities:

• Understand your legal requirements. It is important to know where the legislation permits discretion by the organization, such as determining the specifics of how to process consumer requests about their data, as well as the areas where the legislation is very precise, such as the setting of response periods in event of a breach.
• Be aware of requirements for certain types of personal data. Many state laws have specific requirements for the handling of different types of personal data, such as the handling of children’s data or the handling of sensitive data/health data. Each impacted business needs to ensure it has specific, more protective processes in place where necessary, and that these processes are implemented and policed.
• Be aware of the rights of the consumer. In each state, consumers are granted specific rights. For example, both the Colorado and Connecticut laws grant consumers, at least, the right to access, correct, delete and obtain a copy of their personal data. Consumers also have the right to request that their personal data be deleted. Copies of their personal data can be requested, and where it is technically possible, businesses are required to provide a copy to the consumer in a usable format.
• Have appropriate processes and controls. Ensure your organization has mechanisms in place to gather, track and store the consents of the consumers as necessary.
• Have adequate technological security measures. Similar to the EU GDPR, the personal data protection legal framework requires data controllers and processors to put in place adequate technological security measures taking into account (i) the nature of the personal data subject to processing; (ii) the vulnerability of the processing systems; and (iii) the technological developments in the market. Such security measures must be reviewed and updated regularly, requiring management oversight and visibility into developments.
• Ensure your organization provides privacy notices about how it uses and processes data. Each state has its own requirements on the content of these notices with the general requirement to ensure reasonable data security practices.
• Note the trending of universal “opt-out” mechanisms. As in other states, Colorado and Connecticut will soon require a universal opt-out mechanism. This means that company websites require a mechanism whereby online consumers can exercise their right to “opt-out” from their personal data being processed (or sold) for targeted advertising. Once this privacy preference is set, the preference is automatically sent each time the consumer visits a website. 
• Carefully manage data processing agreements. Many states follow the EU in requiring data processing agreements between controllers and processors. It is important to ensure your organization is familiar with the specific requirements to be included in any DPA. State laws vary with respect to what is required by a data processing agreement. Your business should ensure there is an effective process in place for determining when a DPA is required and then agreeing the terms with the counterparty. Other considerations, such as the storing of the executed DPA, ensuring the content of the agreement is effectively communicated to the relevant bodies in your organization and, of course, implementing the obligations, should be met. 

With a clearer understanding of the broad contract management strategies that support regulatory compliance, as well as key tips for focusing your approach on data privacy legislation, you can simplify the otherwise unnavigable maze to compliance. 

It is both fascinating and daunting to witness the law catching up with the technological developments of modern society. Compliance with privacy laws requires patience, collaboration and detailed organization. As organizations grapple with new legislation coming into effect and wonder what may be next, taking proactive steps toward thoughtful contract management will prove vital in navigating the regulatory landscape.

Author: Sarah Mcavoy