2023 may be the year of privacy laws. Five states have new laws that go into effect this year, which will likely usher in a new era of consumer privacy protections in the United States.
As stated in Reuters, “The new laws coming online in 2023 in California, Colorado, Connecticut, Utah, and Virginia reflect the influence of GDPR's rights-based philosophical framework. These new laws represent a comprehensive approach to privacy protection, applying to businesses across numerous sectors, in addition to the sector-specific laws that remain in place.”
Data Minimization in the 2023 State Privacy Laws
These laws have many aspects to them, but one stands out, particularly for corporate legal and records management teams: data minimization requirements. Here’s a look at the different data requirements for each state with a law coming into effect this year.
Data Retention and Minimization Requirements
“DATA MINIMIZATION: Under the CPRA, any information collected must be “reasonably necessary and proportionate to either the purposes for which it was collected or another disclosed purpose” similar to the context under which it was collected. The individual’s data can’t be used in another way without notifying and receiving additional consent from the consumer.
“RETENTION OBLIGATIONS: Whereas the GDPR made a point to focus on records retention, the CCPA didn’t include rules pertaining to the length of time an individual’s data could be stored. Storing too much data is common (and vastly increases liability surrounding data breaches), but now businesses will have to find a way to focus on establishing and enforcing new data retention standards.”
“Controllers must assess and document the minimum types and amount of Personal Data needed for the stated processing purposes.
“To ensure that the Personal Data is not kept longer than is necessary, adequate, or relevant, you must set specific time limits for erasure or conduct a periodic review.
“Biometric identifiers or any Personal Data generated from a digital or physical photograph, or an audio or video recording held by a controller shall be reviewed at least once a year to determine if storage is still necessary, adequate, or relevant to the express Processing purpose. You must obtain consent to process biometric identifiers or any Personal Data generated from a digital or physical photograph or an audio or video recording each year after the first year that it is stored.”
“Transparency, purpose specification, and data minimization – A controller shall provide consumers with a reasonably accessible and comprehensive privacy notice that includes (1) the categories of personal data processed; (2) the purposes for which the personal data is processed; (3) how and where consumers may exercise a right; (4) the categories of personal data that the controller shares with third parties; and (5) the categories of third parties with whom the controller shares personal data.”
“Among other obligations, controllers must:
“Provide notice regarding the types of personal data the controller processes, the purpose(s) for processing, whether and why the controller shares personal data with third parties, and information about how consumers can exercise their various rights (e.g. access, deletion) over their personal data.
“Limit collection of personal data to what is adequate, relevant, and reasonably necessary for the specific purpose(s) for which the data is processed (also known as “data minimization”).
“Obtain consent before processing a consumer’s sensitive data.
“Respond to requests to exercise consumer rights granted under the CTDPA.
“Conduct assessments before processing personal data in a manner that presents a heightened risk of harm to consumers (called “Data Protection Assessments”). This includes processing personal data for the purposes of targeted advertising, sale, or profiling, and processing sensitive data.
“Use reasonable safeguards to secure personal data.
“Not discriminate against consumers who exercise their rights under CTDPA or process personal data in a manner that would otherwise result in unlawful discrimination.
“Obligation to post a privacy notice and specific requirements for what must be included, including all intended purposes for use of the personal data.
- Data Minimization: Obligation to limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purposes.
- Data Security: Obligation to maintain reasonable administrative, technical, and physical data security practices.
- Data Protection Assessments: Obligation of the business to undertake a formal “data protection assessment” of its data collection and processing activities that involve certain types of personal data or processing activities.
- Consent to Process “Sensitive Data”: Obligation to obtain affirmative consent from the consumer before collecting or using sensitive data for any purpose. “Sensitive data” is defined as personal data:
- Revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
- Genetic or biometric data for use in uniquely identifying an individual
- Personal data of a known child
- Precise geolocation data
Data Minimization and Challenges with Collaboration Data
With new requirements under these laws, companies will need to practice good data management as well as be able to quickly sort through large volumes of data and identify any personal information. With collaboration data, this comes with additional challenges because the data is extremely complex and unstructured, so it’s vital to establish retention policies to ensure everything is assessable and to utilize artificial intelligence-powered search to help identify any PII violations.
It’s more important than ever for in-house legal, privacy, and records management teams to keep up with the latest regulations. As we reported on the Hanzo blog, new enforcement efforts by the FTC are creating more investigations and litigation. Add to that these new privacy laws, and it’s clear why enterprises should begin preparing to become compliant now in order to avoid penalties down the road.
To learn more about how regulatory rulings can affect your enterprise ediscovery efforts
Download How Regulatory Rulings Shape Compliance: 7 Best Practices!