It’s no surprise that a US federal privacy law is the current talk of the privacy community. There have been MANY recent developments with individual US state privacy laws, along with numerous additional bills on the horizon. With the advent of the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (CDPA), plus activity on the Washington Privacy Act (WPA) and the Oklahoma Computer Data Privacy Act, there's a lot to focus on.
The changing privacy landscape can make it tricky for privacy leaders to stay up to date as they manage their privacy programs. And there's no indication US privacy regulation changes will slow down in 2021. While it may feel like a bad game of "Whack-a-Mole," there are ways to keep your company in-the-know and empowered as more regulations pop up.
This webinar will review:
-Recent developments in US state privacy laws
-US federal privacy law predictions
-Best practices and tips on how your company can keep up
Thank You for Joining “So Many States, So Many Privacy Laws: US State Privacy Law Update”
● We will be starting a couple of minutes after the hour
● This webinar will be recorded, and the recording and slides will be sent out later today
● Please use the GoToWebinar control panel on the right-hand side to submit any questions for the speakers
Speakers
K Royal
Associate General Counsel
Privacy Intelligence
TrustArc
Christina Fratschko
Privacy Research Specialist
Privacy Intelligence
TrustArc
Agenda
● Recent developments in US state privacy laws
● US federal privacy law predictions
● Best practices and tips on how your company can keep up
California
California Privacy Rights Act (CPRA) compared with the CCPA

Threshold application
● CCPA: buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices.
● CPRA: buy, sell, or share the personal information of 100,000 or more California residents or households.

Employee and B2B exemption
● CCPA: concludes January 1, 2021
● CPRA: concludes January 1, 2023

Consumer rights
● CCPA: right to know/access; right to delete; right to opt out of sale; right to non-discrimination
● CPRA: the same rights as the CCPA, plus the right to rectification and the right to limit use and disclosure of sensitive personal information

Enforcement
● CCPA: enforcement by the State Attorney General
● CPRA: creation of the California Privacy Protection Agency for enforcement and guidance

Sensitive information
● CCPA: not defined
● CPRA: defined as personal information that includes a consumer’s SSN, driver’s license, state ID card, etc.
Virginia
Virginia Consumer Data Protection Act (VCDPA)
How it differs from CCPA/CPRA:
● Has an explicit definition of sensitive data
● Applicability to employees and B2B communications
● Designation of controllers and processors
● Data protection impact assessments
● Consumer rights
Next steps:
● This law is effective January 1, 2023
Oklahoma
Oklahoma Computer Data Privacy Act (OCDPA) / HB 1602
Current status:
If passed, businesses that do business in Oklahoma or collect consumers' PI must comply with consumers' requests for access and portability (within 45 days of receipt of the request), cannot discriminate against a consumer for exercising any consumer right (including by denying goods or services), and must provide notice to consumers that their information may be sold; violations are subject to civil penalties of between $2,500 and $7,500.
Next steps:
● If passed, this Act will take effect on January 1, 2023 due to the latest bill amendments.
New York
New York Privacy Act (NYPA or A680) + multiple bills
Current status:
The Act is identical to the version introduced in the previous Senate session; if passed, covered entities must comply with consumers' requests for disclosure, access, correction and deletion of personal data, cessation of processing, and data portability, and will have a fiduciary responsibility to exercise a duty of care and confidentiality over personal data in their possession; consumers may bring a private right of action for damages, and the attorney general may impose civil penalties for violations.
Next steps:
● If passed, the Act will take effect on the 180th day after it becomes law.
Washington
Washington Privacy Act (WPA)
Current status:
If passed, consumers must be provided one or more secure and reliable means to submit a consumer request (e.g., data portability, erasure, opt-out), risk assessments must be conducted when processing personal data for purposes of targeted advertising, and covered data must be deleted or deidentified when it is no longer being used for such purposes; the AG may initiate an action and seek damages of up to $7,500 for each violation of this Act.
Next steps:
● This bill covers both private-sector management of consumer personal data and privacy and public-sector management of data processed for a public health emergency (i.e., COVID-19)
● Most sections of the bill would take effect July 31, 2022
Florida
SB 1734
Current status:
If passed, businesses must comply with opt-out requests within 15 days (including requests received from authorized persons), make available a notice that is reasonably accessible to all consumers whose PI is collected, and comply with deletion, correction, and access requests (deletion and correction requests must be responded to within 30 days); consumers can recover damages of between $100 and $750 for violations of this Act.
Next steps:
● If passed, this Act will take effect July 1, 2022 due to the latest amendments made to the bill
● The revised bill has also removed the private right of action provision and limited the number of businesses required to comply with the Act (i.e., the Act would only apply to businesses that annually buy, sell or share the personal information of 100,000 or more consumers, or that generate at least 50% of their global annual revenue from selling or sharing personal information about consumers).
Alaska
Senate Bill 116 and House Bill 159
Current status:
SB 116 and HB 159 were both introduced on March 31, 2021 in the Alaska State Senate and House. The Consumer Data Privacy Act contains four new rights: the right to know, the right to disclosure, the right to delete, and the right to opt out. Businesses cannot disclose a consumer’s PI for a business or commercial purpose, or use the consumer’s precise geolocation data for a purpose other than to provide goods or services, if they have actual knowledge that the consumer is under the age of 18.
Next steps:
● If passed, this Act would take effect January 1, 2023.
Poll Question
What do you think the time frame is for getting a US federal privacy law in place?
● This year
● Within the next 4 years
● Not anytime in predictable future
● There shouldn't be one
Federal Regulation: What’s next?
● Several promising bills have been introduced in the past, with most disagreement centering on private rights of action and federal preemption
● Once again, current proposed legislation seems promising
○ Information Transparency and Personal Data Control Act - Rep. DelBene
■ HR 1816
○ Most bills target specific areas of privacy - contact tracing, research, etc.
● How many state laws will it take to encourage Congress to pass legislation?
○ Are the differences among the states operationally impactful?
○ Keep in mind, every state has a data breach notification law
● Would other federal laws simply be expanded and strengthened?
● Consider global implications and impact
How Do You Keep Up?
Managing an Up-to-Date Privacy Program
Frameworks Facilitate Better Comparisons
Framework elements (rows) mapped against GDPR, LGPD, CCPA, HIPAA Security, the USSG C&E Program, and the Virginia CDPA (columns):
● Integrated Governance
● Risk Assessment
● Resource Allocation
● Policies and Standards
● Processes
● Awareness and Training
● Data Necessity
● Use, Retention, and Disposal
● Disclosures to 3rd Parties & Onward Transfer
● Choice and Consent
● Access and Individual Rights
● Data Integrity and Quality
● Security
● Transparency
● Monitoring and Assurance
● Reporting and Certification
Thank You!
See http://www.trustarc.com/insightseries for the 2021 Privacy Insight Series and past webinar recordings.
If you would like to learn more about how TrustArc can support you with compliance, please reach out to sales@trustarc.com for a free demo.