It’s been a busy summer for US state privacy laws, and companies now need to keep track of a growing list of requirements from these laws. These include many we have written about in the past, including notice, vendor contract provisions, and offering consumers rights and choices. The laws also impose certain record keeping requirements, which we discuss here.
But first, as a reminder, the laws have rolling effective dates. Only California, Virginia, Colorado, Connecticut are in effect. The others go into effect as follows:
- December 31, 2023: Utah
- July 1, 2024: Florida, Oregon, and Texas
- October 1, 2024: Montana
- January 1, 2025: Delaware and Iowa
- July 1, 2025: Tennessee
- January 1, 2026: Indiana
The laws impose record keeping requirements on companies to whom the laws apply (for more about the laws’ applicability read our prior post). These requirements overlap in many respects. They include:
- Rights requests: Records of rights requests must be kept for 24 months (CA, CO), and in readable and secure format. (CO). Each record must include the date and nature of the consumer request and include any business responses or denials (CA, CO).
- Deletion requests: Companies must also keep records of deletion requests and the minimum amount of data necessary to ensure that the consumer’s personal data remains deleted and not used for any other purpose (CA, CO, CT, DE, FL, IN, MT, OR, TN, TX, VA).
- Metrics: Companies must compile annual metrics for the number of consumer requests and opt-out requests they’ve received. (CA) As part of this, companies must track how many requests were processed or denied, and whether this was done in whole or in part (CA).
- Data limitation: Information kept for record-keeping purposes should not be used for any other purpose (CA, CO).
- Assessments: If engaging in targeted advertising, selling data, engaging in profiling, or processing sensitive data, companies must conduct data protection assessments under all states’ laws except those of Iowa and Utah. We discuss these requirements in more detail in our recent webinar. (And keep in mind that California is still working on regulations for these assessments.) Companies should keep in mind that these assessments also carry record keeping requirements. Namely:
- Document every DPA conducted (CA, CO, CT, DE, FL, IN, MT, OR, TN, TX, VA).
- DPAs must be kept for three (CO) or five years (OR)
Putting it into Practice: As the summer comes to a close, now is a good time to revisit your privacy programs. Keeping in mind the various requirements under the laws is getting more complex. Having a scalable program that addresses record keeping and other requirements can make compliance easier.