The obligations and responsibilities of U.S. businesses relating to the protection of consumer’s personal data, are ever changing. Several states are implementing new compliance obligations for businesses. Earlier this year, Virginia passed the Virginia Consumer Data Protection Act, which will become operative on January 1, 2023. Likewise, on July 7th, Colorado signed into law the Colorado Privacy Act to become effective July 1, 2023. Additionally, late last year, California passed the California Privacy Rights Act that will create new compliance obligations in addition to those required by the California Consumer Privacy Act. These obligations also become operative January 1, 2023 for any personal information collected after January 1, 2022.

 

These state specific obligations, as well as federal privacy regulations, are applicable to the majority of U.S. businesses. U.S based businesses who conduct business in these states, market to consumers in these states, or collect information from consumers who reside in these states, may be subject to these regulations. Based on this broad scope, U.S. businesses that operate an e-commerce website and sell their products throughout the United States or provide an informational website that can be accessed by consumers throughout the United States, must comply with not only federal privacy regulations but also these state specific regulations, if applicable.  Non-compliance could result in hefty penalties and reputational damage. Now is the time to:

 

• Review your privacy policy to ensure compliance based on the nature of your business.

• Review your vendor and customer-facing agreements to ensure appropriate privacy language and links to your privacy policy are included.

• Establish written agreements with any down-stream entities that process personal data on your behalf.

• Review your website terms of use to align with your privacy policy.

 

For questions regarding the obligations of consumer data protection for businesses in Ohio, contact one of the attorneys in the firm’s corporate practice group.