Changing landscape of state privacy laws | Davis Wright Tremaine LLP
State-level momentum to enact data privacy laws is at an all-time high as the internet and new technologies continue to raise privacy issues. Family businesses of all sizes depend on technology and may be regulated by state data privacy laws. Below we provide a brief overview of the comprehensive state privacy laws in the United States. These laws take a comprehensive approach to governing the collection and use of personal data; industry-specific or narrow-scope legislation is not included. We also briefly discuss the status of proposed privacy legislation in Oregon and Washington.
Five states (California, Virginia, Colorado, Utah, and Connecticut) have comprehensive data privacy laws. These laws have several key provisions in common. They require certain companies that collect personal data to do the following:
- Limit their use of personal data, and
- Provide individuals with certain rights to understand and control how their personal data is used.
Although there are slight distinctions between states, each law generally applies to for-profit businesses (and in some cases, not-for-profit organizations) that collect, use, store or process the personal data of residents of the state. Personal data refers to any information “linked or reasonably linkable” to an identified or identifiable person. For example, name, email address, telephone number, credit card number, IP address, device ID and home or customer address are all personal data. Although each state has a numerical threshold that entities must meet to be subject to the law (for example, “processing” the personal data of a set number of state residents annually), the broad definition of personal data means that a small business or family business may fall within the scope of these laws.
Proposition 24, the California Privacy Rights Act (CPRA), amends the California Consumer Privacy Act (CCPA). In 2020, the CCPA made California the first state to implement omnibus consumer privacy legislation. The CCPA established consumer rights over personal data and imposed obligations on companies that collect and use personal data. A company falls within the jurisdiction of the CCPA if it:
- (a) Had annual gross revenues greater than $25 million in the preceding calendar year;
- (b) Processes the personal data of 100,000 or more California residents or households annually; or
- (c) Derives at least 50% of its annual revenue from selling (disclosing to a third party for monetary or other valuable consideration) or sharing (disclosing to a third party for cross-context behavioral advertising) the personal data of California residents.
The CCPA, as amended, provides additional protections for California consumers, such as the right to correct inaccurate personal data, a requirement that businesses practice data minimization, and the right to receive notice from a company that uses sensitive personal data. Notably, the CCPA as amended expands its scope to include employment-related and business-to-business personal data. (California is currently the only state that applies its consumer privacy law to employment and business contact data.)
The CCPA grants consumers the right to opt out of certain disclosures of their data, referred to as “sales” or “sharing”. A company cannot discriminate against consumers who choose to opt out. Companies should adopt data governance practices, including adding specific provisions in their contracts with vendors and others who receive personal data. The CCPA also created the California Privacy Protection Agency to enforce privacy laws and impose fines. This entity recently published proposed rules for interpreting the law, providing greater clarity and precision on compliance obligations. The changes to the CCPA will come into effect on January 1, 2023.
For a more in-depth discussion of the CCPA, as amended by the CPRA, see this DWT article. In a separate DWT article, we analyzed the preliminary proposed regulations published by the California Privacy Protection Agency.
The Virginia Consumer Data Protection Act (VCDPA) applies to entities that conduct business in Virginia or offer products or services targeted to Virginia residents and that either:
- (a) Control or process the personal data of at least 100,000 Virginia residents (“consumers”); or
- (b) Derive over 50% of gross revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.
It offers consumers largely the same rights as the CCPA, with several key distinctions. For example, the VCDPA imposes a broader obligation than the CCPA for the processing of sensitive personal data (including data revealing racial or ethnic origin, health or medical information, data of a known child, and biometric data, among others) by requiring opt-in consent before such data is processed. The VCDPA also requires companies to engage in data governance and other internal practices, including data protection assessments of certain high-risk processing activities. The effective date of the VCDPA is January 1, 2023.
We recommend this DWT article to learn more about VCDPA.
The Colorado Privacy Act (CPA) provides Colorado residents (“consumers”) similar privacy rights as the CCPA. It applies to companies and non-profit organizations that target Colorado residents and process the personal data of at least 100,000 consumers per year or derive revenue from the sale of personal data and process the data of at least 25,000 consumers. Like the VCDPA, covered companies and organizations are required to undertake certain data governance activities (including risk assessments), engage in transparency, and honor consumer rights requests. The CPA’s effective date is July 1, 2023, and the Colorado Attorney General will promulgate rules offering additional clarifications and requirements for affected entities.
To learn more about the differences between the privacy laws of Colorado, Virginia, and California, please see this article.
Utah’s Consumer Privacy Act (UCPA) applies to for-profit entities that:
- (a) Do business in Utah or target products or services to consumers who reside in the state;
- (b) Have annual revenue of at least $25 million; and
- (c) Meet one of the following requirements:
- Control or process the personal data of 100,000 or more Utah residents each year; or
- Derive more than 50% of gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.
Utah residents (“consumers”) have similar rights over their personal data as consumers in the other states. While the VCDPA and CPA require consumers to affirmatively opt in to the processing of their sensitive data, the UCPA only requires companies to give consumers clear notice and an opportunity to opt out before processing their sensitive data. Data governance and contracting requirements are generally similar to those of the other states.
The UCPA takes effect on December 31, 2023. We recommend reading this DWT article for an in-depth analysis of the UCPA, including a summary of differences from other state laws.
Connecticut recently passed the Connecticut Data Privacy Act (CTDPA), making it the fifth state to enact a comprehensive consumer privacy law. The CTDPA applies to for-profit entities that:
- (a) Process the personal data of at least 100,000 consumers; or
- (b) Process the personal data of at least 25,000 consumers and derive more than 25% of their gross revenue from the sale of personal data.
Like the other state privacy laws, the CTDPA provides consumers with the rights of notice, access, portability, correction and deletion, and requires companies to undertake certain data governance measures. It takes effect on July 1, 2023.
To learn more about how the CTDPA is similar to and different from the other state privacy laws, please see this article.
State Privacy Laws in Oregon and Washington
Neither Oregon nor Washington has a comprehensive privacy law. However, both states have data breach and data security laws that require companies to protect consumers’ personal data. Oregon’s Identity Theft Protection Act, for example, requires companies to develop, implement, and maintain reasonable safeguards to ensure the security, confidentiality, and integrity of personal data. Oregon’s trade practices and antitrust regulations also include privacy-related provisions and consumer rights. Similarly, Washington law requires businesses, individuals, and public agencies to notify any Washington resident who may be harmed by a data breach that compromises the security, confidentiality, or integrity of that resident’s personal data.
Both states have considered comprehensive consumer privacy legislation in recent legislative sessions, but those bills did not advance. We anticipate that privacy will remain a legislative priority for years to come in Washington and Oregon, as well as in several other states.
We anticipate that 2023 will be a major year for state privacy, as five state laws (or their amendments) go into effect. Family businesses may find that their data practices bring them within the scope of a number of these laws, even in states where they do not have a physical presence.
Moreover, the momentum around privacy legislation shows no signs of slowing down. Several other states currently have comprehensive privacy bills in the legislative process, and Congress is considering comprehensive bipartisan federal privacy legislation. Given the changing landscape of data privacy laws, it is important that family businesses stay informed of consumer rights and business obligations.