Tech Transactions & Data Privacy 2022 Report
Introduction
After California passed the California Consumer Privacy Act (CCPA) in 2018, many states proposed similar comprehensive legislation to protect consumers’ data. In light of the CCPA, certain states have either strengthened their existing privacy legislation or drafted new legislation governing consumer data. Not all of these bills pass, but several have become law. The most comprehensive of the resulting laws are the California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA) and Virginia’s Consumer Data Protection Act (VCDPA). These three states have enacted comprehensive data privacy laws that are comparable
California, Colorado and Virginia Comprehensive Privacy Laws
Since the passing of the California Consumer Privacy Act in 2018 and the California Privacy Rights Act (CPRA), two additional states have followed suit with their own comprehensive privacy laws – the Colorado Privacy Act (CPA), and Virginia’s Consumer Data Protection Act (VCDPA).
The Colorado Privacy Act (CPA) goes into effect on July 1, 2023. It applies to companies that conduct business in Colorado or produce or deliver “commercial products or services that are intentionally targeted to the residents of Colorado,” and that satisfy one or both of the following thresholds: (1) control or process the personal data of 100,000 or more Colorado residents in a calendar year; or (2) both derive revenue or receive a discount on the price of goods or services from the sale of personal data and control or process the personal data of 25,000 or more consumers.
Virginia’s law becomes effective January 1, 2023, the same day as the California Privacy Rights Act (CPRA) which amends the California Consumer Privacy Act (CCPA). The VCDPA applies to businesses that conduct business in Virginia or produce products or services targeted to Virginia residents, and that control or process the personal data of at least 100,000 Virginia consumers. That bar is lowered to 25,000 consumers if over 50% of the business’s gross revenue derives from selling personal data.
The recently passed privacy laws in California, Colorado and Virginia have many similarities. For instance, the CPA, the VCDPA and the CPRA all grant consumers rights to access, correct and delete their personal data, a right to data portability, a right to know, and a right to opt out of the processing of their personal data for certain specified purposes. Like the VCDPA, but unlike the CCPA, the CPA contains no private right of action; it is enforceable only by the state attorney general and district attorneys. (The CCPA’s private right of action is itself narrow: it is limited to certain data breaches.)
Exemptions
The CPA and the VCDPA adopted the CCPA/CPRA’s approach of broadly exempting information governed by the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). The exact scope of the exemptions varies. For example, the VCDPA exempts, at the entity level, financial institutions and their affiliates regulated under the GLBA and covered entities and business associates governed by HIPAA. This is much broader than the CCPA/CPRA’s exemptions for these laws, which apply to the regulated information itself rather than to the entities that process it.
Sensitive Information Will Require Special Protection
Like the CPRA and the VCDPA, Colorado’s CPA provides heightened protection for sensitive data, which includes: (1) personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; (2) genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or (3) personal data from a known child, meaning an individual under thirteen years of age. Generally, sensitive data may not be processed without the consumer’s consent.
Opt-Out
Like the VCDPA, the CPA provides consumers with the right to opt out of the processing of personal data for the following purposes: (1) targeted advertising; (2) sale; and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer. Beginning on July 1, 2024, controllers that process personal data for targeted advertising or for the sale of personal data must also allow consumers to opt out through a “universal opt-out mechanism.”
The VCDPA likewise extends the opt-out right beyond sales of personal data to targeted advertising and profiling. It also mandates data protection assessments for the sale of personal data, targeted advertising, profiling, the processing of sensitive personal data, and any other processing that presents a “heightened risk of harm to consumers.”
Targeted Advertising Growing Area of Concern
While the CCPA/CPRA does not use the term “targeted advertising” (the CPRA instead addresses the “sharing” of personal information for cross-context behavioral advertising), the CPA and the VCDPA address it directly: controllers must offer an opt-out for such processing and must conduct a data protection assessment before engaging in it.
Obligations for Controllers
Like the CPRA, the VCDPA obliges a controller to confirm whether it is processing a consumer’s personal data, and it broadens the deletion requirement. Unlike the CCPA/CPRA, the VCDPA’s obligation to delete covers personal data not only collected from a consumer but also obtained “concerning” the consumer.
The CPA, like the VCDPA, imposes specific duties on controllers: (1) a duty of transparency; (2) a duty to avoid secondary use; (3) a duty of data minimization; (4) a duty of purpose specification; (5) a duty of care; (6) a duty to avoid unlawful discrimination; and (7) a duty to process sensitive data only with the consumer’s consent. In addition, similar to the CPRA, the CPA requires controllers to conduct data protection assessments for certain use cases, including: (1) targeted advertising or profiling that may create a risk for consumers; (2) selling personal data; and (3) processing sensitive data.
Conclusion
Although the CPA, the VCDPA and the CPRA do not go into effect until 2023, US privacy legislation will likely expand to other states and extend further rights to consumers. Accordingly, businesses should act now to determine their compliance obligations by performing a comprehensive data inventory, reviewing and updating internal and external policies, and reviewing their contracts with vendors and other service providers.
Active Bills
As of this writing, several states have active comprehensive privacy bills. Below is a summary of each pending state bill.
Massachusetts
Bill: S.46 (Massachusetts Information Privacy Act)
The bill applies to businesses that (1) have annual gross revenue of $10 million or more through 300 or more transactions, or (2) process the personal data of at least 10,000 Massachusetts consumers in a calendar year. Massachusetts’s proposed bill grants the following consumer rights: access, correction, deletion, restriction, portability and a right against automated decision-making. Unlike the California, Virginia and Colorado laws, the Massachusetts bill requires opt-in consent before a business can process a consumer’s personal data. Covered businesses must provide disclosures to consumers and comply with other transparency requirements, as well as abide by processing limitation requirements. There is a private right of action.
New York
Bill: A 680/ S 6701 (New York Privacy Act)
The bill applies to businesses that (1) have annual gross revenue of $25 million or more, (2) control or process the personal data of at least 100,000 New York consumers, (3) control or process the personal data of at least 500,000 individuals nationwide and 10,000 New York consumers, or (4) derive over 50% of their gross revenue from the sale of personal data and control or process the personal data of at least 25,000 New York consumers. New York’s proposed bill contains the following consumer rights: access, correction, deletion, restriction, portability and the right against automated decision-making. Like Massachusetts, the bill contains an opt-in consent requirement. Covered businesses must provide disclosures to consumers, comply with other transparency requirements, and abide by processing limitation requirements. There is a private right of action.
North Carolina
Bill: SB 569 (Consumer Privacy Act)
The bill applies to businesses that control or process the personal data of (1) at least 100,000 North Carolina consumers on an annual basis or (2) at least 25,000 North Carolina consumers while deriving over 50% of gross revenue from the sale of personal data. North Carolina’s proposed bill contains the following consumer rights: access, correction, deletion, restriction, portability and the right to opt out of the processing of personal data for targeted advertising, sales or profiling. Covered businesses must provide disclosures to consumers, comply with other transparency requirements, abide by processing limitation requirements, conduct data processing assessments and enter into contracts with processors that contain specific requirements for data protection. There is a private right of action.
Ohio
Bill: HB 376 (Ohio Personal Privacy Act)
The bill applies to businesses that (1) have annual gross revenues generated in Ohio that exceed $25 million, (2) control or process the personal data of 100,000 or more Ohio consumers during a calendar year, or (3) derive over 50% of their gross revenue from the sale of personal data and process or control the personal data of 25,000 or more Ohio consumers during a calendar year. Ohio’s proposed bill contains the following consumer rights: access, deletion, restriction, portability and the right to opt out of the sale of personal data. Covered businesses must provide collection notices to consumers, comply with other transparency requirements, and abide by processing limitation requirements. There is no private right of action.
Pennsylvania
Bill: HB 1126 (Consumer Data Privacy Act)
The bill applies to for-profit businesses that (1) have a gross annual revenue of $10 million, (2) annually buy, sell, or share the personal information of 50,000 Pennsylvania consumers, households, or devices or (3) derive 50% of their annual revenue from the sale of Pennsylvania consumers’ personal data. Pennsylvania’s proposed bill contains the following consumer rights: access, deletion and opt-out of the sale of personal data. Covered businesses must provide collection disclosures to consumers and comply with other transparency requirements. There is a private right of action for security violations by a business.
Failed Bills
The following comprehensive state privacy bills failed in 2021: Alabama (HB 216), Alaska (SB 116), Arizona (HB 2865), Connecticut (SB 893), Florida (SB 1734 & HB 969), Illinois (HB 3910), Kentucky (HB 408), Maryland (SB 0930), Minnesota (HF 36 & HF 1492), Mississippi (SB 2612), North Dakota (HB 1330), Oklahoma (HB 1602), Texas (HB 3741), Utah (SB 200), Washington (SB 5062 & HB 1433) and West Virginia (HF 3159).