2023 state data privacy legislation roundup
May 3, 2023 UPDATE: Iowa has joined the increasing number of states in adopting a comprehensive data privacy law that goes into effect on January 1, 2025. Click here for more information on the Iowa data privacy law.
With two new state data privacy laws already in effect in 2023 and three more on the horizon, the year brings with it a number of new requirements and internal and external obligations for businesses that process data for residents of Virginia, California, Colorado, Connecticut and Utah.
In order to ease the transition, below are key highlights to keep in mind for each state’s new law. If you think your company may be subject to the new regulations, be sure to review those applicable for important nuances, requirements, and exclusions.
VIRGINIA CONSUMER PROTECTION ACT
Effective: January 1, 2023
Virginia’s CDPA contains several new requirements that have significant operational implications. Unlike the California Consumer Privacy Act (CCPA), the VCDPA does not create a private right of action for consumers, but the act does create a number of internal and external obligations for businesses that process Virginia resident data. Businesses need to pay close attention to the statute as it will take time to ensure that the correct processes, contracts, and assessments are in place.
DOES THE VCDPA APPLY TO OUR BUSINESS?
The VCDPA specifically applies to businesses that control or process personal data of at least 100,000 Virginia consumers or control or process personal data of at least 25,000 consumers and derive more than half of their gross revenue from the sale of personal data. A business that falls under these definitions is the “controller.” A controller does not have be located or headquartered in Virginia to be subject to the law. An out-of-state business that collects data on Virginia residents may be
- State agencies, boards, commissions, or political subdivisions
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- Covered entities or business associates covered by HIPAA regulations
- Nonprofit organizations
- Institutions of higher education
Other exempt data under the VCDPA includes data covered by the Fair Credit Reporting Act (FCRA), Driver Privacy Protection Act (DPPA), the Federal Educational Rights and Privacy Act (FERPA), the Farm Credit Act, and the Children's Online Privacy Protection Act (COPPA).
WHAT ARE VCDPA’S NEW REQUIREMENTS?
- The VCDPA has broader affirmative consent or opt-in requirements to process sensitive personal data. Virginia data controller will need to now plan for consent to process sensitive data from adults and children including: personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; the personal data collected from a known child.
- Broader opt-out right of processing that covers targeted advertising and profiling decisions, not just the sale of personal data.
- Requires mandatory data protection assessments for sale, targeted advertising and profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment, “an intrusion upon the solitude or seclusion, of privacy affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person,” or any other processing of sensitive personal data or personal data that presents a “heightened risk of harm to consumers.”
- Obligation to confirm processing and broader deletion requirement in the consumer’s personal data, which requires some degree of data being retrievable. The obligation to delete personal data covers personal information collected and “concerning” a consumer.
- A mandatory right of appeal process for denials of consumer rights requests must be conspicuous. Affected processes must add the appeals step, time frame (60 days), content (written description of actions and reasons) and an additional instrument to inform the consumer that they have the option to file a complaint with the Virginia Attorney General.
- A mandatory requirement, if requested, to demonstrate compliance with processor obligations and cooperate with or provide an independent assessment of the processor’s controls framework.
- The data minimization limitations are curtailed to what is disclosed to consumers, or compatible with purposes disclosed, unless consent is obtained.
The VCDPA requires applicable businesses to draft privacy notices – such notices are usually conveyed to consumers a website privacy policy. A controller is required to provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
- The categories of personal data processed by the controller
- The purpose for processing personal data
- How consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request
- The categories of personal data that the controller shares with third parties, if any
- The categories of third parties, if any, with whom the controller shares personal data.
In addition to the above, the VCDPA has a number of other requirements including some applicable to third party service providers. For a detailed overview, click here to read our article from March 2022.
CALIFORNIA PRIVACY RIGHTS ACT
Effective: January 1, 2023; Enforcement begins: July 1, 2023
The California Privacy Rights Act (CPRA) is the new counterpart to the California Consumer Privacy Act (CCPA), and both expands consumer rights and compliance obligations for businesses. California consumers now have the right to opt out of sharing of personal information and certain uses and disclosures of “sensitive personal information”, right to correct inaccurate personal information, right to enhanced transparency about a business’s information practices, and new rights with respect to automated decision-making technology.
The CRPA applies to for-profit entities that do business in California, collect personal information from California consumers, and meet threshold requirements including:
- As of January 1 of the calendar year, the company exceeded $25 million in gross revenue in the preceding calendar year.
- The company buys, sells, or shares the personal information of 100,000 or more consumers or households.
- The company derives 50% or more of its annual revenue from selling or sharing consumers' personal information.
If the company meets any of the above criteria, the company is a “business” under the CPRA and must comply with the new obligations, including requirements related to data retention, data minimization, and purpose limitation. Businesses must pass deletion requests to not only service providers but to third parties, including contractors, to which the business has either shared or sold information. The CPRA also imposes additional provisions, which must be included in contracts with service providers, contractors, and other third parties. Companies which are considered a business under CRPA/CCPA should extensively review the updated requirements to ensure full compliance.
Further, companies need to be aware of the regulations that add obligations or provide guidance on CCPA/CPRA compliance. The CCPA regulations are still in effect until the new proposed rules that incorporate the changes brought about by the CPRA are finalized.
Previously, rulemaking authority under the CCPA was vested in the California Attorney General. In April, 2022, rulemaking authority was formally transferred to the California Privacy Protection Agency (CPPA) pursuant to the CPRA.
The CPPA released updated draft regulations in October, 2022. The Agency’s Executive Director commented that the final rules will likely be released in late January, 2023. The final rule making package will be presented to the California Office of Administrative Law which will have 30 days to review the final rules. This means the soonest the regulations could be in effect is April. To date, CPRA enforcement is still scheduled to begin on July 1, 2023, regardless of the status of the regulations.
COLORADO PRIVACY ACT
Effective: July 1, 2023
Colorado enacted the Colorado Privacy Act (CPA) on July 8, 2021, provisioning Colorado consumers with various privacy rights including the right to access, correct, and delete their personal data, as well as the right to obtain that data in a portable, usable format. Additionally, the act conveys to consumers the right to opt out of targeted advertising, the sale of their personal data, and certain types of profiling.
Colorado’s Privacy Act applies to a “controller” (a person or persons who determine the purposes for and means of processing personal data) that conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to Colorado residents and:
- Controls or processes the personal data of 100,000 consumers or more during a calendar year.
- Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.
However, the act does not apply to financial institutions or affiliates subject to the Gramm-Leach-Bliley Act, data processed pursuant to the GLBA, nor does it apply to a variety of other types of data including certain health care information, data regulated by COPPA, data maintained for employment purposes, and more. The CPA also outlines requirements for “processors”, as in persons that process personal data on behalf of a controller. Companies should review the requirements and exemptions to determine whether the CPA applies to its business or business operations.
If applicable, the CPA further specifies how controllers must fulfill their duties with respect to consumers’ assertion of rights, transparency, purpose specification, data minimization, avoiding secondary use, care, avoiding unlawful discrimination, and sensitive data. Controllers will need to conduct a data protection assessment for each of their processing activities which involve personal data such as processing for purposes of targeted advertising, profiling, selling personal data, or processing sensitive data. Processors must be governed by a contract with the controller that includes specific provisions as well as adhere to controller instructions, both detailed in the CPA.
Further, the Colorado Attorney General is tasked with adopting rules for the purpose of carrying out the CPA. The guidance should include, among other things, the technical specifications of one or more universal opt-out options. The first draft of the proposed rules were published by the Secretary of State on October 10, 2022. Within a few short months, they published an updated version of the draft rules on December 21, 2022. There is a hearing on the proposed rules scheduled for February 1, 2023. The Attorney General plans on adopting the rules before the CPA comes into effect on July 1, 2023.
CONNECTICUT DATA PRIVACY ACT
Effective: July 1, 2023
Connecticut enacted the Connecticut Data Privacy Act (CTDPA) in May 2022. The effective date is July 1, 2023. The CTDPA applies to persons that conduct business in the state or produce products and services that target Connecticut residents and meets one or both of the following thresholds:
- Controls or processes the personal data of not less than 100,000 consumers. Notably, this threshold excludes personal data controlled or processed for the sole purpose of completing a payment transaction.
- Controls or processes the personal data of not less than 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.
The Act exempts GLBA covered financial institutions or data subjects, PHI under HIPAA, and non-profit entities. Other important exclusions include employees from the definition of a “consumer” and de-identified data from the definition of “personal data”.
The CTDPA grants consumers several privacy rights; including the rights of access, rectification, deletion, portability, and the right to opt-out of the processing of personal data for purposes of targeted advertising, sale of personal data, and certain profiling. Controllers that are required to provide consumers the right to opt-out must provide an opt-out link on their website. However, by January 1, 2025, businesses must have an established mechanism to recognize opt-out preference signals. CTDPA requires opt-in consent to process sensitive personal data. The definition of “sensitive personal data” includes the personal data collected from a known child and Controllers processing the personal data of a known child are required to comply with the Children’s Online Privacy Protection Act (COPPA). For children between 13 and 16 years of age, a controller must first obtain parental consent to process the personal data for the purposes of targeted advertising or the sale of personal data. Controllers that comply with COPPA’s verifiable parental consent requirements will be deemed compliant with any parental consent requirements under the CTDPA.
Additionally, opt-in consent is required for further processing of personal data that is neither reasonably necessary to, nor compatible with, the disclosed purpose (i.e., such as in a privacy notice) for which the personal data is processed.
The controller is required to implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. It will be important for Controllers to review their vendor due diligence and risk management processes and ensure data processing agreements address both data security and contract requirements set forth in the Act. Additionally, like the General Data Protection Regulation, the CTDPA requires Controllers to perform data protection assessments when a processing activity presents a heightened risk of harm to the consumer, such as processing sensitive personal information.
UTAH CONSUMER PRIVACY ACT
Effective: December 31, 2023
On March 15, 2022, the Utah legislature sent the Utah Consumer Privacy Act (UCPA) to their governor for signature and it was signed into law on March 24, 2022. The law is effective December 31, 2023. The UCPA applies to any controller or processor who:
- Conducts business in the state or produces a product or service that is targeted to consumers who are residents of the state
- Has annual revenue of $25,000,000 or more
- Satisfies one or both of the following thresholds:
- During a calendar year, controls or processes personal data of 100,000 or more consumers
- Derives over 50% of the entity's gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
Like several other state privacy laws, the definition of a “consumer” excludes employees. Moreover, the UCPA specifically excludes de-identified data and aggregated data from the definition of “personal data”. Other notable exemptions from the scope of the UCPA include PHI under HIPAA, financial institutions and affiliates of financial institutions under the GLBA, and non-profit corporations. Like the CTDPA, the UCPA does not apply to personal data processed for purely personal or household activities.
The UCPA grants consumers several privacy rights, including the right of access, data portability, deletion and the right to opt-out of the processing for purposes of targeted advertising or sale of data. Like the CTDPA, CPA, and the VCDPA, Utah provides an exemption to the right of access, data portability, and deletion for pseudonymous data. Notably, the UCPA does not include the right top opt-out of profiling nor does it grant the right to rectify incomplete or inaccurate personal data. While the Act does provide the right to opt-out, it does not provide any guidance in terms of the opt-out mechanism, nor does it require Controllers to recognize opt-out preference signals like several other state privacy laws. Unlike several of its counterparts, the UCPA does not require opt-in consent to process sensitive personal data. Instead, a controller must present the consumer with clear notice and an opportunity to opt-out of processing. Further, the UCPA does not require data protection assessments.
Lastly, the UCPA does require processor agreements to govern data processing activities; however, the mandated provisions are sparse in comparison to the other state privacy laws.
The McDonald Hopkins’ national Data Privacy and Cybersecurity Practice Group can help you develop the appropriate policies, procedures, and best practices to keep your business in compliance with the many new state data privacy laws coming in to play in 2023. For information or questions, reach out to the attorneys listed above or any member of our team.