“Keep an eye on enforcement activity in all of the States to better understand how these new and complex requirements are interpreted by their respective enforcement agencies.”
In 2018, California passed one of the most sweeping and comprehensive data privacy laws in the country. Known as the California Consumer Privacy Act (CCPA), the statute gave consumers far greater control over what personal information a business could collect about them. Then in November 2020, voters approved the California Privacy Rights Act (CPRA), which amended and expanded the CCPA and went into effect on January 1, 2023.
Four other states (Virginia, Colorado, Utah, and Connecticut) have since enacted comprehensive data privacy laws of their own rather than wait for the much-anticipated federal bill, which cleared its House committee by a landslide but has yet to be voted into law. The practitioner would be well advised to become familiar with these significant changes to consumer data privacy protection.
How the CPRA Protects California Consumers
A primary feature of California’s CPRA is the ‘right to know’ provision, under which a consumer can request that a business disclose what personal information it has collected, used, shared, or sold about the consumer. By filing a request, the consumer can learn the specific pieces of information collected, the sources from which the business collected them, the business purpose for collecting or selling them, and the categories of third parties with which the data was shared or to which it was sold.
The provisions that took effect in 2023 additionally give the consumer the right to correct inaccurate personal information and to limit the use and further disclosure of sensitive personal information. Businesses that fall under the CPRA must not only respond to consumer requests but also post notices explaining their data privacy practices. The CPRA also reaches data brokers, defined as businesses that knowingly collect and sell to third parties the personal information of consumers with whom the business has no direct relationship; such brokers must register with the state in addition to honoring consumer requests.
What Virginia’s CDPA Provides
Virginia became the second state, after California, to pass a comprehensive data privacy law. Known as the Consumer Data Protection Act (CDPA), the law went into effect on January 1, 2023, and was welcomed by much of the tech sector as well as by some data privacy advocates. One reason the law enjoyed tech industry backing may be the absence of a private right of action. Its scope is also narrower than California’s: the CDPA applies only to businesses that, in a calendar year, control or process the personal data of at least 100,000 Virginia consumers, or that control or process the personal data of at least 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal data.
Like California’s CPRA, the CDPA allows consumers to access the personal data a business has collected about them, correct inaccuracies in it, and have it deleted. Its opt-out right, however, does not stop data collection altogether; it lets the consumer opt out of targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects. And unlike the California model, which gives consumers a limited right to sue over certain data breaches, the CDPA provides no private right of action when these rights are violated; enforcement rests solely with the Virginia Attorney General.
Complying with Colorado and Utah Law
The Colorado Privacy Act (CPA) goes into effect on July 1, 2023, and applies to businesses that conduct business in Colorado or target products or services to Colorado residents and that either (1) control or process the personal data of 100,000 or more consumers during a calendar year, or (2) control or process the personal data of 25,000 or more consumers and derive revenue, or receive a discount on the price of goods or services, from the sale of personal data. Unlike Utah’s statute, the CPA sets no revenue threshold. Although the CPA counts Colorado residents acting in an individual or household context as ‘consumers’, it excludes from that definition individuals acting in a commercial or employment context, job applicants, and several other categories.
To comply with the CPA, businesses must provide consumers with clear privacy notices and conduct data protection assessments for any processing that presents a heightened risk of harm to consumers. The statute itself identifies the sale of personal data, targeted advertising, certain profiling, and the processing of sensitive data as heightened-risk activities but offers little further guidance on the boundaries of that category; the Colorado Attorney General has rulemaking authority and may issue clarifying rules before the CPA takes effect.
Controllers and processors that conduct business in Utah or target Utah residents must be ready to comply with the Utah Consumer Privacy Act (UCPA) beginning December 31, 2023. Covered businesses are those with annual revenue of $25 million or more that either control or process the personal data of 100,000 or more consumers in a calendar year, or derive more than 50 percent of gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.
Connecticut’s CTDPA
On May 10, 2022, Connecticut became the fifth state to enact a comprehensive data privacy law, the Connecticut Data Privacy Act (CTDPA), which takes effect on July 1, 2023. Like the laws enacted by California, Virginia, Colorado, and Utah, the CTDPA gives Connecticut consumers choices about the personal data collected about them and imposes obligations on businesses that handle that data. A key compliance point is that the CTDPA distinguishes ‘controllers’, those who determine the ‘purpose and means’ of processing personal data, from ‘processors’, those who process data on behalf of a controller, and assigns obligations to each. Controllers must obtain consent before processing sensitive personal data and must provide a mechanism for revoking that consent. Sensitive data includes racial or ethnic origin, religious beliefs, health conditions or diagnoses, sex life or sexual orientation, citizenship or immigration status, genetic or biometric data, the personal data of a known child, and precise geolocation data.
The Downside of State Data Privacy Laws
The problem, of course, with five different (and likely growing) state data privacy laws is that industry, tech sector or not, is left to track and comply with a patchwork of requirements across jurisdictions. Because virtually all commerce, group association, most educational and academic resources, and medical, insurance, and financial services are delivered online and so reach residents of every state, a business that satisfies one statute can readily find itself in violation of another. It is for that reason that most industry representatives advocate a single, uniform national law, not unlike Europe’s GDPR.
Until consensus is reached on a national data privacy code, however, industry stakeholders must keep a careful eye on the individual state statutes in order to stay in compliance with them. Curiously, some privacy advocacy groups are less keen on a national law, fearing that a federal standard, once finally hammered out, could preempt and prove less protective than California’s highly reformist CPRA and the other state laws reviewed above.
Executive Summary
The Issue
How will the latest state data privacy laws affect practitioners?
The Gravamen
Both similarities and differences between the various state enactments must be studied in order to maintain compliance.
The Path Forward
In the absence of a uniform national standard for data privacy, keeping abreast of what compliance—and enforcement—of state data privacy laws entail will serve your clients’ best interests.
Action Items
California First:
Give California’s CPRA the most attention: it is the strictest of the five statutes, it reaches the broadest set of businesses, and it is the one a client is most likely to run afoul of.
Status of Your Client:
Pay close attention to whether your client is a ‘controller’, ‘processor’, or otherwise falls under any of the state data privacy statutes.
Notices to Consumers:
Clients must comply with the specific notices to consumers as to their rights, the option to opt out where applicable, and how requests from consumers will be handled.
Which Enforcer:
Different states use different enforcement mechanisms, ranging from a limited private right of action (California, for data breaches only) to Attorney General enforcement to a dedicated agency created specifically for the purpose (the California Privacy Protection Agency); understand which mechanism applies in each state that affects your clients.
Further Readings
- https://www.axios.com/2023/01/03/states-data-privacy-laws-2023
- https://www.financierworldwide.com/new-data-privacy-laws-in-various-us-states-are-you-ready
- https://iapp.org/resources/article/us-state-privacy-legislation-tracker/
- https://www.reuters.com/legal/legalindustry/us-data-privacy-laws-enter-new-era-2023-2023-01-12/
- https://www.osano.com/articles/data-privacy-laws
- https://news.sophos.com/en-us/2023/01/28/data-privacy-laws-compliance-to-take-center-stage-in-2023-and-beyond/