2023 has been one of the most active years for privacy laws and regulations in the United States. In January, the California Privacy Rights Act (CPRA), which amended the California Consumer Privacy Act (CCPA), and the Virginia Consumer Data Privacy Act (VCDPA) both went into effect. In July, the Colorado Privacy Act (CPA) and the Connecticut Data Privacy Act (CTDPA) become effective, closely followed by Utah’s privacy law in December. Moreover, in the past two months, five more states have passed comprehensive data privacy laws, which will go into effect in the next couple of years.

As the U.S. data privacy law landscape continues to evolve, including new regulations promulgated under the CPRA, organizations in many states may find comfort in revised privacy policies, prepared templates and processes for responding to data subject access requests, and updated retention policies in light of data minimization dictates. These actions are critical steps to data privacy compliance and preparedness. However, with more companies than ever outsourcing the processing of personal data, how would your organization answer this question: Do you really know how well your vendor has secured your personal data? It may come as a surprise to companies that they cannot simply rely upon the proscriptive and indemnification language in service provider agreements to demonstrate that they have taken sufficient measures to protect outsourced personal data that they control. On the contrary, it is important for businesses to revisit their vendor contracts as more and more GDPR-like data privacy requirements take root in the United States.

Outsourcing Data Functions or Moving Data to the Cloud Has Altered Security Risks