2023 is turning out to be the year of the state privacy law, including new laws in five states with the possibility of more to come. Indeed, in recent days both Indiana and Iowa have likewise passed new statutes, which we will detail in a forthcoming blog. These new laws, which are largely inspired by the California Consumer Privacy Act (“CCPA”) and the European Union’s General Data Protection Regulation (“GDPR”), include:
- The California Privacy Rights Act (“CPRA”) which is already in effect as of January 1, 2023, with civil and administrative enforcement to begin on July 1, 2023 (the CPRA is a voter-approved ballot-initiative that amends the CCPA).
- The Virginia Consumer Data Protection Act (“Virginia Act”), which is already in effect as of January 1, 2023.
- The Colorado Privacy Act (“Colorado Act”), which will become effective on July 1, 2023.
- The Connecticut Act Concerning Personal Data Privacy and Online Monitoring (“Connecticut Act”), which will become effective on July 1, 2023.
- The Utah Consumer Privacy Act (“Utah Act”), which will become effective on December 31, 2023.
These laws generally grant consumers an array of rights related to their personal information. They also impose affirmative obligations on businesses in connection with data collection and use, notice to consumers, and the processing of consumer requests. Businesses that are already compliant with the CCPA or GDPR may be in position to use their existing compliance programs as a framework for meeting these obligations. However, even robust compliance programs will likely require key changes to meet updated standards for website privacy policies, collection notices, consumer request forms, third-party vendor contract language, and other procedures. This high-level overview provides considerations for businesses with respect to each law, as well as action items that can be taken to prepare for and achieve compliance.
What consumers and businesses are covered?
Under the new laws, a “consumer” is typically defined as a resident of a particular state. Each law except for the CPRA further clarifies that a resident is only a consumer when acting in an individual or household capacity, as opposed to a commercial or employment capacity. By contrast, the CPRA broadly applies the definition of “consumer” to employees and job applicants of a covered business, as well as other businesses that share their data with a covered business.
Whether an entity will be deemed a covered business or “data controller” under one of the laws generally depends on the number of consumers from whom the entity has collected personal information and the percentage of revenue that the entity derives from selling or sharing personal information. One difference between the laws is that the Virginia Act, Colorado Act, and Connecticut Act each apply to for-profit entities and certain non-profit entities, whereas the CPRA and the Utah Act only apply to for-profit entities. The CPRA and the Utah Act also include a revenue threshold of $25 million, although each state utilizes this threshold differently. In California, a business with $25 million in gross revenue usually must comply with the CPRA even if it does not meet the remaining criteria related to consumer numbers and revenue percentages. In Utah, a business is not subject to the Utah Act unless it has an annual revenue of at least $25 million, regardless of the remaining criteria. The applicability and scope of the Utah Act is thus limited compared to that of the other laws.
The following table presents a breakdown of the criteria to be a covered business or “data controller” in each state.
What personal information is protected?
The new laws intend to protect personal information, which the Virginia Act, Colorado Act, Connecticut Act, and Utah Act define as “information that is linked or reasonably linkable to an identified or identifiable natural person” (the CPRA uses a similar but slightly differently worded definition that carries over from the CCPA). Notably, each law creates a unique category of personal information referred to as “Sensitive Personal Information” or “Sensitive Data” (collectively, “SPI”). The definition of SPI varies by state, but typically includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship status, genetic or biometric data processed for identification purposes, and precise geolocation data. In California, the scope of SPI is broadened under the CPRA to also include personal and financial information about a consumer such as a social security number, driver’s license number, passport number, or a financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials which allows access to the account.
What rights do consumers have?
Under each of the new laws, consumers will generally have a right to know what personal information a covered business has collected about them; a right to obtain such information in a portable data format; a right to delete such information in the business’s possession; and a right to opt-out of the business’s sale of such information (in California, each of these rights already existed under the CCPA). Each law except the Utah Act also provides consumers with a right to correct inaccurate personal information in a business’s possession. Under the CPRA, consumers also have a right to opt-out of a business’s “sharing” of personal information for cross-context behavioral advertising, an activity which is defined independently of the “sale” of personal information.
With respect to SPI, the Virginia Act, Colorado Act, and Connecticut Act require that a covered business must obtain the consent of a consumer before it may process any of the consumer’s SPI. The CPRA does not require consent, but consumers have the right to limit the use and disclosure of their SPI to business functions like the provision of a business’s regular services, communication with the consumer, processing of payments, safety issues, and fraud and incident prevention. The Utah Act does not provide a right to limit the use and disclosure of SPI, but it does require that a business must provide consumers with notice of the business’s intent to process SPI, and then allow consumers the opportunity to opt-out of processing at any time.
Since the implementing regulations of some laws have not been finalized yet, the list of consumer rights described above could potentially expand by the time that the remaining laws go into effect. It is worth noting that the rights granted under these laws are not absolute, but are subject to limitations on a state-by-state basis. For example, the CPRA allows a business to decline to comply with a consumer’s request to access, delete, or correct information on the basis that doing so would require a “disproportionate effort” on the part of the business. Similarly, under certain circumstances, a business that receives a request to correct in California may instead simply delete the allegedly inaccurate information. A business that is subject to the CPRA also has discretion as to whether to offer an appeals process to consumers in the event of a denied request. On the other hand, the Virginia Act, Colorado Act, and Connecticut Act each require businesses to offer an appeal process.
What other affirmative obligations might businesses have?
In addition to processing consumer requests, covered businesses are also required to meet several affirmative obligations and standards under each new law. Businesses usually must act with transparency in collecting and processing personal information. Depending on the state, they may be required to provide consumers with a notice at the time and place (e.g., online, over the phone, or in person) where personal information is collected, or make request forms available online. They typically are prohibited from discriminating or retaliating against any consumer who exercises any rights under the law, for example, by providing a level of services that is less than what the consumer would have received had the consumer not made a request. They also generally must adopt information technology security measures for personal information which are reasonable based on the industry and for each type of personal information collected. Each law except the Utah Act further requires some level of risk assessments and cybersecurity audits for certain threats and activities on a periodic basis.
Each law also establishes contractual requirements where a business engages a service provider to process or use personal information to render services on behalf of the business. These contractual requirements also differ based on the state, but they are somewhat similar to those which HIPAA imposes with respect to Business Associate Agreements regarding the exchange of Protected Health Information. For example, in California, the business must enter a written agreement with the service provider which states (among other things) that the service provider will adhere to security measures that are at least as stringent as those of the business, will only use personal information for the purposes expressly set forth in the agreement, and cooperate with the business in responding to consumer requests.
Who enforces the laws and what are the penalties?
Enforcement is one area in which the five states have adopted differing approaches. Under the Virginia Act, Connecticut Act, and Utah Act, the state Attorney General will have exclusive authority to enforce the law. In Colorado, however, the Attorney General and District Attorneys will each have enforcement authority. In California, the CPRA has established a new state agency called the California Privacy Protection Agency for enforcement purposes, and the Attorney General may prosecute violations in certain circumstances as well. The existence and length of a cure period following notice of a violation also varies between the states. Businesses that violate a law or fail to resolve an issue prior to the expiration of a cure period (where applicable) may be subject to fines as follows:
- CPRA – $2,500 to $7,500 per violation.
- Virginia Act – Up to $7,500 per violation.
- Colorado Act – Up to $20,000 per violation.
- Connecticut Act – Up to $5,000 per violation.
- Utah Act – Up to $7,500 per violation.
In addition to enforcement by state agencies and departments, the CPRA is the only law which grants a limited right of private action to consumers. This right can be exercised in certain circumstances, such as where a consumer’s non-encrypted and non-redacted personal information is stolen or improperly accessed due to the business’s failure to implement appropriate security measures. The CPRA allows plaintiffs who succeed in bringing such an action to obtain $100 to $750 per plaintiff, per violation, or actual damages (whichever is greater).
How do I get my business prepared?
The following is a list of initial steps that businesses can take to prepare for compliance with the CPRA, Virginia Act, Colorado Act, Connecticut Act, and Utah Act, or any additional laws in the coming years. State legislatures in New York, Kentucky, Tennessee, and Oklahoma have introduced their own comprehensive state data privacy bills in the early weeks of 2023. If these bills become law, they will likely share similarities with the five laws described above.
- Assess coverage and gaps in existing compliance programs. Businesses should determine whether they are covered by one or more of the new laws based on the criteria set forth above. Notably, a business that does not meet the criteria for coverage in a certain state could still be subject to that state’s law if it receives personal information as a service provider to a covered business. Once a determination is made as to which laws apply, a deeper review should be performed to assess where the business’s existing compliance program must be updated.
- Review whether specific data collection or activities trigger heightened requirements. Businesses that sell or share personal information may be subject to additional affirmative obligations beyond those applicable to businesses that only use personal information for their own internal purposes. Depending on the state, businesses that collect SPI from consumers may also be required to obtain additional consumer consents or comply with a wider array of consumer requests and opt-outs.
- Implement audit and assessment plans and procedures. As required by each applicable law, businesses should ensure that they have implemented sufficient procedures to routinely audit and assess data protection standards and technology, and employee compliance with purpose limitations, data minimization, privacy-by-design, and other policies. Businesses should consider whether third-party audits or certifications would be appropriate based on industry standards and the nature of the personal information collected.
- Update Privacy Policies and Collection Notices. Businesses should review and update their website privacy policies as necessary to ensure that they meet the requirements of each applicable law. Businesses may consider adding specific sections to their privacy policies to address each applicable law. Depending on the state, businesses may also need to develop a notice to provide consumers at the time that personal information is collected. In California, where the CPRA covers employee and B2B personal information, businesses should determine whether and how this notice will be required on job applications and other HR documents or business contracts.
- Review Consumer Request Forms and Procedures. The personal information request forms that businesses make available to consumers should be reviewed and updated to ensure that they cover any new rights granted under these laws. Businesses may also need to update their information technology capabilities to detect opt-out preference signals which consumers send through their personal web browsers, indicating that a business may not collect their personal information or use it in a particular way. Additionally, businesses should consider implementing internal policies which govern the procedure for employees to follow in responding to consumer requests.
- Implement a Third-Party Data Management Program. Businesses that provide personal information to service providers or other third-parties for any purpose should determine whether the arrangement necessitates a written agreement pursuant to any of these laws. It may be useful for businesses that depend upon multiple downstream service providers or third-parties to develop a template agreement that can be modified depending on the specific language that a certain state requires.
- Prepare or Update Internal Data Privacy and Security Policies and Training. Businesses should review and update their internal policies relating to data privacy and security, including a written information security policy, incident response plan, record-keeping and document retention policy, cookie management policy, acceptable use policy, and/or remote access policy. As applicable, these policies should include training requirements for employees with specific responsibilities related to personal information collection, use, processing, maintenance, or protection. Training materials should be prepared and a training schedule should be developed. Businesses should consider appointing a Compliance Officer or Data Security Manager to oversee the implementation of these policies and any training.
As this overview provides a non-exhaustive list of the specific consumer rights that are available and the affirmative obligations that are required under each new law, businesses should confer with their legal counsel regarding a plan for achieving compliance. Foley Hoag’s Privacy & Data Security Practice Group will continue to monitor developments that affect the rollout of the above data privacy laws. Our team of experienced attorneys is ready to assist clients in navigating compliance questions and challenges related to the collection, use, and maintenance of consumers’ personal information.