We would not blame companies for feeling fatigued after the race to comply with the amended California Consumer Privacy Act (CCPA), the soon-to-be finalized CCPA regulations and the new Virginia Consumer Data Protection Act (CDPA) requirements. For some companies, however, these events were simply mile markers in the race to comply with Connecticut and Colorado's new laws coming into effect on July 1, 2023, and Utah's new law coming into effect on December 31, 2023. For others, one of these upcoming state laws will be the first time the company needs to build a US consumer privacy program. Either way, the Global Privacy and Cybersecurity team at McDermott Will & Emery is here to assist.
IN DEPTH
WHO IS COVERED?
Closely resembling Virginia's CDPA, the application of the Colorado Privacy Act (CPA), Connecticut's Personal Data Privacy Act (PDPA) and Utah's Consumer Privacy Act (UCPA) depends in large part on the number of residents of each respective state whose personal data a company processes. In Colorado and Connecticut, companies that do business or offer goods or services in the state and control or process the personal data of 100,000 or more residents of that state are subject to the new laws. In Utah, a company is subject to the UCPA if it does business or offers goods or services in Utah, has annual global revenue of at least $25 million and controls or processes the personal data of at least 100,000 Utah residents. The other way these laws can be triggered is through a sale-of-data threshold: a company that controls or processes the personal data of at least 25,000 residents of the state and also derives revenue (or receives a discount on goods or services) from the sale of personal data in Colorado, more than 25% of its gross revenue from the sale of personal data in Connecticut, or more than 50% of its gross revenue from the sale of personal data in Utah. Of course, each state law also contains a variety of exemptions for companies subject to federal laws, such as the Gramm–Leach–Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA).
Critically, however, the CPA applies to nonprofit organizations that produce or deliver commercial goods or services in Colorado, which makes it an outlier among the laws coming into effect in 2023. If you are a nonprofit organization (for example, a hospital), Colorado will likely be the first time that you must contend with these new consumer privacy laws.
WHAT IS REQUIRED?
Targeted Advertising
Connecticut, Colorado and Utah will give consumers the right to opt out of targeted advertising, which is generally defined as displaying a digital advertisement that is selected based on personal data obtained or inferred from the consumer's activities over time and across nonaffiliated websites or applications. Both Connecticut and Colorado require that companies provide a method outside of the privacy policy for consumers to opt out of targeted advertising. In Connecticut, that means providing a static link on the home page. In Colorado, the opt-out must be "clear and conspicuous, and readily accessible."
While many businesses engaging in targeted advertising already have an opt-out link on their home page to comply with the CCPA, the Colorado and Connecticut laws will likely require updates to these links. The CCPA's prescriptive "Do Not Sell or Share" wording may not "conspicuously" communicate the opt-out of targeted advertising required by Connecticut and Colorado.
Action item: If engaging in targeted advertising for consumers in Colorado and Connecticut, place an opt-out link on your website or update your existing opt-out link.
Sensitive Personal Information
Each of the new state laws that take effect in 2023 has rules regarding "sensitive" data. Most of the new state laws treat racial or ethnic origin, religious beliefs, mental and physical health diagnoses, sexual orientation, citizenship or immigration status, precise geolocation, biometric and genetic data, and the personal data of a known child as sensitive. Like Virginia, Colorado and Connecticut require consumer consent before a business can process this type of data. In contrast, Utah requires that companies give consumers notice and an opportunity to opt out before processing this type of data.
Notably, the draft Colorado regulations (which are not yet finalized) also require businesses to add disclosures in their privacy policies related to sensitive data inferences (e.g., inferring religious beliefs or medical conditions from a dietary preference).
Action item: Ensure that you have a consent or opt-out mechanism in place if you are collecting sensitive personal information and sensitive personal information inferences.
Data Protection Assessments
Colorado and Connecticut's new laws require companies to prepare data protection assessments if they are (1) engaged in targeted advertising; (2) selling personal data; (3) profiling where the profiling presents a reasonably foreseeable risk of legal or similarly significant effects on the consumer (e.g., credit decisions); or (4) processing sensitive data. These assessments are critical compliance pieces that companies may need to provide to regulators upon request. Companies that have already performed these assessments to comply with other laws will still need to refresh them to account for data processing activities involving Colorado and Connecticut residents. Companies will also need to keep an eye out for California's next wave of CCPA rulemaking, which will give effect to the CCPA's requirement to conduct risk assessments.
Action item: Update or prepare data protection assessments for regulated data processes.
Consumer Appeal Rights
Companies that have implemented compliance programs for Virginia's CDPA may already have a system in place for addressing consumer appeal rights, but if not, the new laws in Colorado and Connecticut will require one. Colorado and Connecticut require a company to implement an internal appeal process by which a consumer can challenge a company's decision not to act on a consumer rights request. In addition to designing this internal process, companies must inform consumers, both in privacy policies and in responses to rights requests, about their right to appeal and the process for doing so.
Action item: Implement or expand the scope of your internal data subject request appeal process and update privacy policies and template rights request response materials to include information about the right.
No Employee or B2B Data
The good news for many companies is that each of the Colorado, Connecticut and Utah laws expressly exempts employee data and business contact information from coverage. California remains the only state where that information is in scope.
Action item: Nothing!
WHAT’S NEXT?
We have highlighted some of the key obligations that companies will face to prepare for the effective dates of the new laws in Colorado, Connecticut and Utah. However, what each company must do to comply with the new laws likely will vary based on each company’s current compliance posture. And, of course, the work starts with a thorough examination of whether a company is subject to these new consumer privacy laws in the first instance.