Mark your calendars - July 2023 is an important month for US privacy enforcement. On July 1, California’s new privacy law, the California Privacy Rights Act (CPRA), becomes enforceable. That same day, Colorado and Connecticut’s new privacy laws, the Colorado Privacy Act (CPA) and the Connecticut Data Privacy Act (CTDPA), take effect and become enforceable. And, on July 5, New York City’s new automated decision-making law, New York City Local Law 144 (AI Law), becomes enforceable. We’ve identified five key action items to help you prepare for enforcement under these various laws. This list is not comprehensive, and you should speak with a lawyer about your obligations under the law.

1. Review Your CPRA Compliance. 

Although we’ve been talking about CPRA compliance for what seems like forever, July 1 is the first day that the California Attorney General and the California Privacy Protection Agency (CPPA) can enforce violations of CPRA. All actions brought to date – whether public, as in this case, or the many that have been prosecuted behind closed doors– have been based on alleged violations of CCPA, the precursor to CPRA. With CPRA enforcement starting, California regulators are no longer required by law to give businesses 30 days to cure alleged violations. That means we can expect public enforcement of CPRA this year. Now is the time to review your CPRA compliance. (For a list of additional CPRA action items, see our prior posts here and here.) 

2. Harmonize Colorado and Connecticut Compliance with Prior Virginia Compliance.

Let’s start with some good news. You probably don’t need to start from the bottom with your CPA and CTDPA compliance. These laws share much in common with Virginia’s privacy law, the Virginia Consumer Data Protection Act (VCDPA), which took effect and became enforceable in January. For example, all three laws set out similar disclosures, consumer rights, obligations around sensitive personal data, contractual obligations for controllers and processors, and more. If you already worked toward VCDPA compliance last year or earlier this year, you should be able to build upon that compliance to help address these laws. (If you haven’t worked toward VCDPA compliance, it’s not too late to begin.) We expect harmonization to become increasingly important for businesses as various comprehensive state privacy laws take effect over the next several years, including laws from Indiana, Iowa, Montana, Tennessee, Texas, and Utah.

3. Consider the New Obligations under Colorado and Connecticut. 

Now some bad news. Although CPA and CTDPA share much in common with VCDPA, they aren’t the same. For example, CPA and CTDPA both add a requirement that businesses must honor opt-out preference signals. Businesses do have some additional time to address certain requirements – CPA and CTDPA both include a delayed enforcement date for preference signals (until 2024/2025). And there is a 60 day right to cure (through the end of 2024). Nevertheless, we’ve heard that both the Colorado AG and Connecticut AG intend to aggressively enforce their laws, so businesses should aim for compliance by July. 

4. Address the Colorado Regulations.

Similar to California, Colorado’s privacy law is supplemented by a set of regulations (CPA Regs) that establish implementation and operational guidelines. And, like California, the CPA Regs establish obligations far beyond those in the underlying statute, including relating to privacy policy disclosures, profiling, loyalty programs, secondary uses of personal data, records and documentation, and data protection assessments. Businesses should be careful when addressing the CPA Regs – addressing some of the technical requirements could potentially lead to inadvertent misrepresentations or omissions. Given the extent of these obligations, we hope that the Colorado AG will consider best efforts rather than a “gotcha” approach for technical violations. 

5. Review the Tools You Use to Make Hiring Decisions.

New York City’s AI Law is one of the first laws in the US to regulate AI and automated-decision making. Under the AI Law, any business that uses “automated employment decision tools” in screening candidates for hiring or promotion within New York City must provide notice to the candidates and conduct a bias audit prior to using those tools. Audit requirements are set out in the law and the published regulations. The law establishes civil penalties of at least $500 and no more than $1500 per violation, enforceable by the New York City’s corporation counsel, the New York City Division of Human Rights, or through a private right of action. Businesses should carefully review the tools they use, and associated contracts and data flows, for compliance with the AI Law. Given the recent buzz around AI and automated-decision making, we expect many AI and automated-decision making laws to follow in the coming months. For example, California regulators have already indicated that the next set of CPRA regulations will include obligations around automated decision making.