RETAIL INDUSTRY 2021 YEAR IN REVIEW
While Congress failed to advance a federal privacy bill in 2021, Colorado and Virginia passed legislation that added to the emerging patchwork of privacy laws at the state level. The Virginia Consumer Data Protection Act (VCDPA) becomes effective January 1, 2023, and the Colorado Privacy Act (CPA) will take effect six months later on July 1, 2023. Both the CPA and VCDPA draw, in part, on the California Consumer Privacy Act of 2018 (CCPA) (as amended by the California Privacy Rights Act of 2020 (CPRA)) and the EU General Data Protection Regulation (GDPR), but neither entirely mirrors these existing privacy laws.
Given the incremental obligations and the manner in which these laws apply to businesses, retailers in particular are ramping up in the new year to ensure they are ready for next year’s effective dates.
Applicability
Both the CPA and VCDPA apply to “controllers” and “processors” of personal data, borrowing these terms from the GDPR, and outline duties for both. The CPA applies to controllers that conduct business in Colorado or sell products or services that are intentionally targeted to residents of Colorado, and meet either of the following thresholds: (i) control or process personal data of 100,000 or more consumers during a calendar year or (ii) derive revenue or receive discounts from the sale of personal data and control or process the personal data of at least 25,000 consumers. The applicability of the VCDPA is very similar to that of the CPA, but the VCDPA also requires that a business derive over 50% of its gross revenue from the sale of personal data in order to meet the second of the two thresholds set forth above. Both laws also apply directly to processors that process personal data on behalf of controllers subject to each law. Because the applicability requirements of both the CPA and VCDPA differ from those of the CCPA, retailers that are not subject to the CCPA may nonetheless be subject to these new laws. While the new laws include exceptions applicable in other industries, large retailers doing business in Colorado and Virginia should carefully evaluate the new laws to determine applicability.
Consumer Rights
Both the CPA and VCDPA provide the following rights to consumers in each state:
- right to confirm that a controller is processing personal data about the consumer and access that data;
- right to correct inaccurate personal data;
- right to data portability;
- right to opt out of the processing of personal data for purposes of (i) targeted advertising, (ii) the sale of personal data and (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer; and
- right to appeal the business’s denial of a consumer’s rights request.
One key difference between the CPA and VCDPA is the definition of “sale.” The VCDPA is friendlier to merchants and limits the opt-out of sale right to the exchange of personal data for monetary consideration, while the CPA adopts the CCPA’s more expansive definition of “sale,” to mean the exchange of personal data for monetary or other valuable consideration. As with the CCPA, the disclosure of personal information to third parties in the ad tech context therefore may similarly qualify as a “sale” under the CPA, from which Colorado consumers would have the right to opt out.
Borrowing heavily from Europe and the GDPR, each of the new laws also requires controllers to obtain prior opt-in consent to process “sensitive data,” which includes personal data elements such as race, religion, health condition, sexual orientation, citizenship status, genetic or biometric data and data from a known child (under 13 years of age). This requirement differs from the right to limit the use or disclosure of a consumer’s sensitive personal information in California. Retailers that process this type of sensitive data will need to update their compliance programs to obtain consent in compliance with each law’s requirements, a process that is expected to be cumbersome and onerous.
Because the CCPA, CPA and VCDPA offer similar but somewhat differing rights, retailers will need to decide whether to offer these rights only to the residents of each relevant state or to more broadly offer them to all consumers, regardless of residence. As consumer interfaces and backend procedures will need to be updated, retailers have begun thinking about how to comply with these disparate consumer rights obligations.
Controller Duties
Both the CPA and VCDPA impose a number of data protection obligations on controllers, including the following:
- Transparency: controllers must provide consumers with a privacy notice containing certain information;
- Purpose Specification: controllers must specify the express purposes for which personal data is collected and processed;
- Data Minimization: controllers’ collection of personal data must be adequate, relevant and limited to what is reasonably necessary in relation to the specified purposes for which the data is processed;
- Secondary Use: under the CPA only, controllers may not process personal data for purposes that are not reasonably necessary to or compatible with the specified purposes for which the data is processed unless consent is obtained;
- Data Security: controllers must implement reasonable measures to secure personal data;
- Discrimination: controllers are prohibited from processing personal data in violation of state or federal laws that prohibit discrimination;
- Data Protection Assessment: controllers must conduct a data protection assessment for processing activities that present a heightened risk of harm, such as processing personal data for targeted advertising, profiling, sale or processing sensitive data;
- Vendor Contracts: controllers must enter into agreements imposing certain restrictions and obligations on processors that process personal data on their behalf; and
- Training: controllers should ensure that all relevant personnel are trained on the relevant obligations of each law.
While certain of these obligations are reflected in the CCPA, others, such as the data protection assessment and secondary use restrictions, are not. Retailers subject to all three laws therefore will need to strategize to ensure their compliance programs meet the disparate requirements of each state law.
Processor Duties
Both the CPA and VCDPA require controllers to enter into agreements with processors that impose certain restrictions and requirements on the processor. A processor must adhere to the controller’s instructions and assist the controller in meeting its obligations under each law (such as responding to consumer rights requests, ensuring personal data is securely processed, notifying individuals of data breaches (under each state’s data breach notification law) and conducting data protection impact assessments).
Under both laws, a processor also must ensure that each subprocessor it engages is bound by a written contract that requires the subprocessor to meet the processor’s obligations with respect to the personal data processed. Similar to the GDPR, under the CPA (but not the VCDPA) controllers have the right to object to a processor’s use of any subprocessor.
Retailers that have already entered into CCPA-compliant contracts with vendors will need to once again strategize regarding enhancements to those contracts to comply with the content requirements of the CPA and VCDPA (as well as the new vendor contract requirements set forth in the CPRA). As this contracting process can be lengthy and require significant resources, retailers are well advised to begin planning to make these updates now.
Exemptions
Unlike the CCPA or GDPR, both the CPA and the VCDPA fully exempt from application personal data obtained in the HR context (e.g., employees, applicants) and B2B context (e.g., B2B customers, vendors). Also unlike the CCPA and GDPR, each law contains certain entity-level exemptions. For example, both laws exempt from application financial institutions subject to the Gramm-Leach-Bliley Act, and the VCDPA exempts from application HIPAA-covered entities and business associates (but the CPA exempts only protected health information governed by HIPAA). Each law also exempts from application certain data, such as children’s data governed by the Children’s Online Privacy Protection Act (in the CPA), deidentified data and publicly available data. The laws also contain exemptions for a number of processing activities, such as performing internal operations, protecting a consumer’s vital interests, preventing and detecting fraud or other malicious, deceptive or illegal activity, and conducting internal research to improve, repair or develop products. Certain of these exemptions are broader than the exemptions under the CCPA, which will be helpful to retailers in determining which entities, data and processing activities are in scope for purposes of CPA and VCDPA compliance.
Enforcement
Both the CPA and the VCDPA will be enforced by each state’s attorney general, and neither law provides for a private right of action. Violations of each law can bring steep penalties. For uncured violations of the VCDPA, the attorney general may seek $7,500 per violation. Under the VCDPA, a violation of the law would constitute a deceptive trade practice, with penalties of up to $20,000 per violation (and if the consumer is elderly, $50,000 per violation). Under the VCDPA, the attorney general would need to provide 30 days’ notice of any violation and allow an opportunity to cure. The CPA also provides a 60-day right to cure for potential violations. Both the CPA and VCDPA are more generous than the CPRA in this respect, which eliminates the CCPA’s existing guaranteed 30-day cure period and makes it discretionary.
We expect to see more states propose and pass comprehensive data privacy bills in 2022, lending more support to the need for an omnibus federal privacy bill in the near future. The odds of such a bill passing, however, are low. Retailers therefore should be prepared to comply with multiple complementary, but sometimes conflicting, state privacy law requirements and thoughtfully build their compliance programs accordingly.