
US Privacy Laws taking effect in 2022


Many businesses run background checks on candidates before making hiring decisions. During screening, a candidate's private information, such as credit history, financial situation, criminal record and health concerns, is evaluated. To safeguard the processing of such personal information and to protect the privacy rights of the people being screened, a large body of laws, generally known as privacy laws, regulates how identity, health and financial information may be collected, stored and used, whether by governments, public or private organizations, or other individuals. Everybody has a right to privacy under the Universal Declaration of Human Rights.

These rights are interpreted differently in different countries and are not applied uniformly; privacy laws are assessed against the framework of an individual's privacy rights. In the United States, dozens of state-level data privacy and security regulations exist. Some apply only to government entities, others only to commercial entities, and some to both. Today we will review three new state data privacy laws that take effect in 2023 and how businesses can develop their compliance programs accordingly. Businesses are advised to revisit their compliance programs and eliminate redundancies and inconsistencies now, since the new laws will require them to adapt promptly to the new legal requirements.

California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA) amends and extends the existing California Consumer Privacy Act (CCPA). Most of the CPRA's provisions take effect on January 1, 2023, but firms will need to act during 2022. The CPRA applies to for-profit businesses doing business in California that meet one or more of the following statutory thresholds:

  1. annual gross revenues of more than $25 million;
  2. 50 percent or more of annual revenue derived from selling or sharing consumers' personal information; or
  3. buying, selling or sharing the personal information of 100,000 or more California consumers or households annually.

The following action plan for 2022 is recommended for businesses subject to the CPRA:

A. Determine whether any available exceptions are applicable.

Businesses should carefully review the available exemptions, since the CPRA raised the CCPA's threshold on the number of consumers or households whose personal information a business handles (from 50,000 to 100,000). A business that is currently subject to the CCPA may therefore fall outside the CPRA's scope.

B. Re-evaluate and confirm CCPA compliance.

Businesses should start by reviewing the key elements of their CCPA compliance, verifying and revising the CCPA privacy policy. Internal operations and the procedures for responding to consumer requests should be updated to meet the CPRA's requirements.

C. Prepare to expand obligations of personal information disclosure.

The CPRA introduces a new category of personal information, 'sensitive personal information', which carries additional disclosure requirements. Consumers gain the right to (i) limit the use of their sensitive personal information; (ii) correct inaccurate personal information; and (iii) limit the disclosure of their sensitive personal information. Once the CPRA's provisions take effect, covered businesses must handle all personal information they have gathered in accordance with the CPRA.

D. Track the acquired Data

The CPRA's new consumer rights, effective January 1, 2023, apply to personal information collected in the preceding 12 months. Businesses are therefore advised to keep track of (i) the data they collect in 2022; (ii) the systems in which it is processed; and (iii) the third parties and service providers with whom they share it, so that they can respond to the consumer requests that will arrive once the CPRA is in force.

E. Make CPRA-compliant changes to agreements with third parties, service providers, and contractors.

Since the CPRA adds contracting obligations, businesses will need to amend their agreements with third-party vendors and service providers. The new law requires those contracts to limit how the recipient may use the personal information it receives, to oblige the recipient to comply with the CPRA with respect to that information, and to require the recipient to notify the business if it can no longer meet its obligations.

Virginia Consumer Data Protection Act (VCDPA)

Virginia's law takes effect on January 1, 2023 and applies to any company that conducts business in Virginia or markets its products and services to Virginia residents and that controls or processes the personal data of:

  1. at least 100,000 Virginia residents in a calendar year; or
  2. at least 25,000 Virginia residents, where more than half of its gross revenue comes from the sale of personal data.

The key components of VCDPA are:

A. Data Disclosure

Businesses subject to the VCDPA must adopt a privacy policy that describes consumers' rights and how the business uses personal data. They must also implement reasonable data security practices to protect the confidentiality of personal data.

B. Opt-in Consent

Virginia's law requires covered businesses to obtain a consumer's consent before processing their sensitive data.

C. Opt-out Rights

Under the VCDPA, Virginia residents have the right to opt out of the sale of their personal data and of its processing for targeted advertising or profiling.

D. Risk Evaluation

The new law requires covered businesses to conduct data protection assessments when processing sensitive data, engaging in targeted advertising, selling personal data, profiling, or undertaking any other processing that presents a heightened risk to consumers.

E. Vendor Agreements

Like the CPRA, the VCDPA requires businesses to make compliant changes to their agreements with vendors, contractors and third-party service providers who handle personal data.

Colorado Privacy Act

The Colorado Privacy Act (CPA) takes effect on July 1, 2023 and applies to businesses that conduct business in Colorado, or produce or deliver commercial products or services intentionally targeted to Colorado residents, and meet one or both of the following criteria:

  1. controls or processes the personal data of 100,000 or more Colorado residents in a calendar year; or
  2. derives revenue or receives a discount on the price of goods or services from the sale of personal data and controls or processes the personal data of 25,000 or more consumers.

A. Opt-out Rights

Under the CPA, consumers can opt out of the processing of their personal data for targeted advertising, the sale of personal data, or profiling. Consumers also have the right to access, correct and delete their personal data and to obtain a copy of it.

B. Data Security

Businesses must establish and maintain reasonable administrative, technical and physical safeguards to protect personal data.

C. Product Availability

Covered businesses may not raise the price or reduce the availability of a product or service solely because a consumer exercises rights under the new law.

D. Privacy Notice

Businesses must tell consumers, in a privacy notice that is readily accessible, clear and meaningful, which categories of personal data they collect and process, the purposes of that processing, which categories of personal data they share, and with whom. The notice must also clearly and conspicuously disclose the consumer's right to opt out of the sale of their personal data and of its processing for targeted advertising or profiling, and how to exercise it.

E. Data Processing Agreement

The new law requires businesses to explicitly assign responsibilities to any vendor or service provider that handles personal data and to include the provisions mandated by the CPA in their data processing agreements.

Compliance with these new privacy regulations will require prompt, strategic planning. Companies that collect personal information from residents of California, Virginia or Colorado are advised to evaluate their legal duties under these laws and begin planning now to meet the applicable requirements.