Previously we discussed the need for Federal privacy legislation to clarify Washington’s position on consumer privacy and to alleviate the patchwork of state laws proliferating in its absence. It’s worth examining these state privacy laws for compliance purposes and more interestingly, to understand what some states consider to be priorities in the protection of personal information.
California, Virginia, Colorado, Utah, and Connecticut are rolling out comprehensive state privacy laws that are more similar than they are different. Most take effect in 2023, and many include offering GDPR-like individual rights to consumers. It’s also becoming increasingly common for state privacy laws to prescribe formal engagements on privacy in contracts with vendors and service providers, and to carve out special consent requirements for data deemed “sensitive”.
The California Consumer Protection Act (CCPA) passed in 2018 and took effect on Jan 1, 2020. Despite the unprecedented privacy-protecting measures enumerated by the CCPA, voters felt that even more regulation was needed. A companion regulation, the California Privacy Rights Act (CPRA), was passed by voter referendum in November 2020 and will take effect on Jan 1, 2023. The CPRA amends and adds to the CCPA with some major developments, including:
- Establishing the California Privacy Protection Agency, a dedicated state regulatory agency that will administer and enforce all California privacy regulations.
- Adding clarity to the existing individual consumer rights enumerated in the CCPA, such as:
  - The right to know, access and confirm personal data
  - The right to delete personal data
  - The right to correct inaccuracies in personal data
  - The right to data portability (i.e., easy, portable access to all pieces of personal data held by a company)
  - The right to opt-out of the processing of personal data for targeted advertising purposes
  - The right to opt-out of the sale of personal data
- Creating two new, GDPR-like individual rights for consumers:
  - The right to correct inaccurate personal information
  - The right to limit use and disclosure of sensitive personal information (“Sensitive personal information” is a new category of data created by the CPRA.)
- Adding the distinct right for users to opt-out of some “sharing” as well as “sale” of personal information
- Requiring companies to perform GDPR-like data protection assessments for data processing activities that pose “significant risk” to consumers
In passing the CPRA, voters in California took the opportunity to add items that had been discussed but not included in the CCPA. The components of the CPRA serve to push the CCPA closer to the EU’s General Data Protection Regulation (GDPR) framework. For companies like Spectus that have chosen to be GDPR-compliant since it was implemented in 2018, the CPRA presents only incremental changes and no major disruptions to business.
Virginia’s Consumer Data Protection Act (VCDPA) is set to take effect on January 1, 2023. Virginia focused on all the same individual consumer rights as California. The VCDPA, like the CPRA, also requires companies to conduct and document a data protection assessment when processing sensitive data or conducting certain activities with personal data, such as targeted advertising, selling, or profiling.
The Colorado Privacy Act (CPA) is set to take effect on July 1, 2023. While very similar to the aforementioned laws, one notable distinction in Colorado is that the Attorney General will draft rules to detail technical specifications for a universal opt-out mechanism that must be adopted by covered businesses prior to July 1, 2024. This will likely intersect with the wider Global Privacy Control work that is already underway, which aims to provide its own clarity on what compliance will look like. This may prove more difficult than anticipated given the years of unsuccessful efforts to establish Do Not Track, but time will tell as the Colorado AG offers more details on how they expect companies to comply with their preferred global opt-out framework. As with the VCDPA and GDPR, the CPA also requires a data protection assessment in certain circumstances and a binding contract between a controller and processor to govern any data processing.
The Utah Consumer Privacy Act (UCPA) was signed into law on March 24, 2022. The UCPA will take effect on December 31, 2023. The UCPA is similar to the Virginia law in that it adds GDPR-like individual rights. However, this law limits the definition of “sale” for opt-out purposes to include only data shared for “monetary consideration” and not gratuitous sharing like California and Colorado’s new laws. On the issue of “sensitive data”, Utah aligns most closely to California in providing a limited opt-out consent framework as opposed to the “opt-in” consent requirement of Colorado and Virginia.
The newest entrant in the state privacy law derby is Connecticut. In May, Connecticut enacted the Personal Data Privacy and Online Monitoring Act (CTDPA), which is substantially similar to the other enacted state laws and will go into effect on July 1, 2023. Similar to Virginia’s law, the CTDPA adopts provisions for consumers to limit the “sale” of their personal information. However, unlike Colorado and California’s laws, the CTDPA’s provisions do not extend to data provided without monetary compensation in return.
Anticipating Federal Privacy Legislation
While we wait for the promise of a comprehensive Federal privacy law to unify compliance across the United States, we can look to these state initiatives to anticipate what is likely to be table stakes for any bill that makes it through Congress. The best that companies can do to prepare for future Federal legislation is to ensure diligent compliance with current state privacy laws by exceeding the bar and not simply achieving bare minimum compliance. Addressing consumer privacy now will pay dividends if and when Congress acts in the future.
To learn more about Spectus’ privacy framework, visit our Privacy Center.