U.S. state legislatures accelerated efforts in 2021 to fill the gap created by the absence of national data privacy legislation. California, Virginia, and Colorado passed or amended data protection laws, and the trend is expected to continue in the coming year. The immediate challenge for businesses in 2022 will be successfully integrating the new requirements with minimal disruption.
California Leads the Trend
The California Privacy Rights Act (CPRA) amends and expands the California Consumer Privacy Act of 2018 (CCPA), and aligns more closely with the EU General Data Protection Regulation (GDPR). Like the CCPA, the CPRA protects the data privacy rights of consumers, which it defines as all California residents and their households. The CPRA is effective on January 1, 2023, with a look-back period beginning on January 1, 2022; enforcement is slated to begin on July 1, 2023. The CPRA introduced key changes to the CCPA, including:
- Threshold Requirements
The CPRA applies to any for-profit entity conducting business in California that processes personal information of California residents and meets one of the following requirements: (i) annual gross revenue over $25 million; (ii) alone, or in combination, annually buys, sells, or shares the personal information of 100,000 (up from 50,000) or more consumers; or (iii) derives 50 percent or more of annual revenue from selling or sharing consumers’ personal information.
- Expanded Consumer Rights
The CPRA not only retained the Right to Know and the Right to Delete personal information, but granted California residents (and households): (i) the Right to Correct personal information, and (ii) the Right to Opt-Out of Sharing Personal Information. “Sharing” is defined as disclosing personal information to third parties for cross-contextual behavioral advertising purposes. A business must clearly disclose that it shares personal information, provide an opt-out link on its website, honor opt-out requests, and send those opt-out requests on to third parties with whom the business previously shared personal information. The CPRA also created a new category of “sensitive personal information,” and granted consumers the right to restrict its use and disclosure.
- Privacy Disclosures
- Data Security
The CPRA explicitly requires businesses to implement reasonable security procedures and practices appropriate to the nature of the personal information that they handle in order to protect it from unauthorized or illegal access, destruction, use, modification or disclosure. The CPRA takes an approach similar to the GDPR by not defining reasonable security procedures and practices, leaving it to the regulated entities to determine the appropriate measures depending on the sensitivity of the data, the consequences of a breach, and other factors. The CPRA also requires an annual cybersecurity audit and submission of a risk assessment to the newly created California Privacy Protection Agency (CPPA).
- Recipients of Personal Information
The CPRA states that businesses may make available, share, sell and/or disclose personal information to contractors, service providers, and third parties. Businesses must have written contracts with contractors and service providers that “flow down” certain obligations. Additionally, contractors, service providers, and third parties may have obligations under the CPRA that are independent of the business. This approach has notable similarities to GDPR requirements including requiring notification to the business when a contractor or service provider engages sub-processors, and certain audit rights.
- New CA State Agency
Once again, California broke the mold when it created a new state agency with the authority and budget to implement and enforce the CPRA (without a cure period, and with newly increased penalties), and issue regulations.
- Moratoria Extended
The CPRA extends the moratorium on employees and B2B business contact data to January 1, 2023. While the bulk of the CCPA and the CPRA is not applicable to employees and B2B personal data during the moratorium, businesses still have limited obligations.
The Virginia Consumer Data Protection Act (VCDPA) became effective in March 2021, with an enforcement date of January 1, 2023 (aligned with the CPRA effective date). The VCDPA reflects core principles from the CCPA and the CPRA (the “CA Privacy Laws”), and continues the trend of U.S. data privacy laws moving closer to the GDPR. However, there are some key differences from the CA Privacy Laws, such as the absence of a consumer private right of action.
- Threshold Requirements
The VCDPA applies to any entity conducting business in the state of Virginia, or targeting its products and services to Virginia residents, that controls or processes the personal data of at least (i) 100,000 Virginia residents, or (ii) 25,000 Virginia residents while deriving more than 50 percent of its annual gross revenue from the sale of personal data.
The VCDPA explicitly carves out financial institutions regulated by the Gramm-Leach-Bliley Act (GLBA), and covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA). By contrast, the CA Privacy Laws exempt data regulated by GLBA and HIPAA, but not the regulated organizations.
- Personal Data
Like the CPRA and the GDPR, the VCDPA divides personal data into two broad categories: personal data and sensitive data, with similar definitions. Additionally (and likely taking a cue from the post-enactment moratoria on enforcement under the CCPA), the VCDPA explicitly exempts B2B business contact data and the personal data of employees.
- Privacy Disclosures
Like regulated businesses under the CA Privacy Laws, VCDPA controllers are required to establish privacy policies that include disclosures about the use of personal data and consumer rights, and maintain “reasonable” security measures to protect personal information. The VCDPA is further aligned with the CA Privacy Laws and the GDPR because it leaves the decision on specific security measures to the regulated entity.
- Opt-In Consent May Be Required
The VCDPA is aligned with the GDPR and CA Privacy Laws on creating a separate category of “sensitive data.” However, unlike the CA Privacy Laws, the VCDPA requires businesses to obtain consent in order to process sensitive data.
- Sale of Personal Data
Like the CA Privacy Laws, the VCDPA grants Virginia residents the right to opt-out of the “sale” of their personal data. Under the VCDPA, however, “sale” only applies to the exchange of personal data for “monetary consideration.” The concept of “sale” under the CA Privacy Laws is far broader, applying to the exchange of personal data (including the sharing or transfer of personal data) for “monetary or other valuable consideration.”
- Opt-Out Rights
The VCDPA also grants Virginia consumers additional opt-out rights specifically related to targeted online advertising and profiling.
- Risk Assessments
Similar to the CPRA and the GDPR, the VCDPA requires periodic “data protection risk assessments” when: (i) processing sensitive data, or (ii) engaging in targeted advertising, sale of personal data, profiling, and other activities of heightened risk to consumers.
- No Private Cause of Action
The VCDPA does not provide for any consumer private cause of action. In California, under certain conditions, consumers may seek damages directly against regulated businesses following a data breach. Under some circumstances, the GDPR also allows data subjects to seek damages from data controllers and/or data processors for violations of the regulation.
- Flow-Down Obligations
Similar to the CA Privacy Laws and the GDPR, the VCDPA requires businesses to flow down certain contractual obligations to their vendors, service providers and other third parties that process personal data on their behalf.
On July 7, 2021 the Colorado Privacy Act (CPA) became law, with an effective date of July 1, 2023. The CPA confers certain rights on Colorado consumers to control their personal data. Under the CPA, Colorado consumers will have rights that are similar to those granted to California consumers under the CA Privacy Laws, and to Virginia residents under the VCDPA.
- Threshold Requirements
The CPA applies to individuals and organizations (controllers) conducting business in Colorado, or producing or delivering commercial products or services intentionally targeted to Colorado residents, that, during a calendar year, either: (i) control or process the personal data of 100,000 consumers or more, or (ii) control or process the personal data of 25,000 consumers or more and derive revenue from the sale of personal data (including by receiving a discount on the price of goods or services).
In a clear departure from the CA Privacy Laws, the CPA applies to non-profit organizations.
As under the VCDPA, Colorado residents acting in a commercial or employment context are not covered by the CPA. The CPA contains an exemption for data governed by the GLBA and for financial institutions regulated by the GLBA but, unlike the VCDPA, does not exempt covered entities and business associates regulated by HIPAA. Like the CA Privacy Laws, the CPA exempts protected health information, medical information and certain information processed for research purposes.
- Opt-Out Rights
Under the CPA, consumers have the right to opt-out of the processing of their personal data for targeted advertising, for personal data sales (defined, as in California, as the exchange of personal data for monetary or other valuable consideration), or for profiling which has legal or other significant effects on the consumer (as defined by the CPA). As under the CPRA and the GDPR, consumers have the rights to know, access, correct, or delete their personal data. Like the GDPR, the CPA allows consumers to obtain a copy of their personal data in a commonly used and machine-readable format.
- Data Security
Regulated entities are required to implement and maintain reasonable administrative, technical, and physical data security practices to safeguard personal data. The CPA aligns with the GDPR and the CA Privacy Laws by not imposing specific security standards and allowing regulated entities to determine appropriate measures.
As under the CA Privacy Laws, regulated entities must refrain from increasing the cost or decreasing the availability of their product or service based solely on the exercise of a CPA right.
- Data Protection Impact Assessments
Similar to the VCDPA, the CPA requires that data protection impact assessments be conducted and made available to the Attorney General on request.
- Privacy Notice
Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice stating, among other items, the categories of personal data collected and processed, the purpose of processing, how to exercise consumer rights and appeal adverse controller decisions, and the categories of personal data shared and the categories of recipients. Under the CPA, a clear and conspicuous notice of consumers’ right to opt out of collection and processing for sales purposes or targeted advertising must be included both in the privacy notice and in another readily accessible location.
- Universal Opt-Out
Effective July 1, 2024, consumers must be able to exercise their opt-out right through a user-selected universal opt-out mechanism that meets technical specifications to be established by the Colorado Attorney General by July 1, 2023.
- Data Processing Agreement
The CPA requires a binding data processing agreement with any vendor or service provider that processes personal data on behalf of the regulated business; the agreement must clearly allocate the responsibilities of each party and, similar to the GDPR and the CA Privacy Laws, include the terms the CPA requires.
- No Private Right of Action
Like the VCDPA, the CPA does not create or confer any private right of action for violations.
Despite grace periods of a year or more, the time left to comply with the CPRA, VCDPA, and the CPA is relatively short. After reconciling the laws as they apply to your business, compliance may necessitate modifications to business processes, technological infrastructure, customer-facing websites, apps, brick-and-mortar locations, security measures, and other critical operations. At the same time, stakeholders may be experiencing a certain “privacy fatigue,” more than three years after GDPR became effective, with little enthusiasm for new or updated implementation programs.
With all of these issues and more, businesses may benefit from keeping the following principles in mind throughout the process, and implementing them (to the extent allowed by your existing structure) from day one.
- Take affirmative and internally visible steps to ensure that the compliance roadmap is aligned with overall business goals, including particularly the sources of current revenue and anticipated business;
- Engage the stakeholders and relevant business teams to establish mutual priorities that align with business objectives, and revisit them on a regular basis to take into account changes in the business and potential amendments to relevant laws;
- Guide the business to focus on fundamental privacy principles, even when making interim decisions on compliance (e.g., data minimization, notice, transparency, business purpose, security and data retention);
- Where feasible, build on your existing privacy infrastructure (e.g., the current process for responding to data subject requests under the GDPR may have utility with consumer requests under the CCPA and the CPRA);
- Be particularly attentive to the user experience, notices, and compliance with your published policies, and promptly respond to all inquiries and requests for access, deletion, data portability, and other consumer rights as permitted under applicable law;
- To the extent possible, strive to remain flexible, recognizing that the only constant in 2022 is likely to be continued change.