As technology advances and more personal information is shared online, new state privacy laws are becoming increasingly important. In 2023, several states in the US are implementing new laws to protect consumer privacy. These laws are aimed at giving consumers more control over their personal information and ensuring businesses handle it responsibly. In this blog post, we will take a closer look at these privacy laws and what they mean for businesses and consumers.
A broader scope of application: The CPRA applies to for-profit businesses that collect personal information from California residents and determine the purpose of processing in California. Businesses that fall under this threshold include those with gross annual revenues of over $25 million, those that buy, sell, or share the personal information of 100,000 or more California residents or households, and those that derive 50% or more of their annual revenue from selling or sharing California residents’ personal information.
New and expanded consumer rights: The CPRA grants consumers the right to rectification and the right to limit use and disclosure of sensitive personal information.
Limitations on data use: The collection, retention, and use of personal data should be limited to what is necessary to provide goods and services, and there are specific requirements for the processing of sensitive personal information.
New obligations for businesses: The CPRA requires businesses to conduct an annual cybersecurity audit if their data processing presents a significant risk to consumer privacy or security. Additionally, the California Privacy Protection Agency (CPPA) was established to enforce and provide guidance on data protection matters.
Fines: Companies may face automatic fines of $7,500 for violations involving the personal information of minors.
Companies are urged to prioritize any unfinished CCPA-related tasks and proceed on a brisk path of prioritized compliance with CPRA in order to be compliant in time or at least demonstrate to a regulator that they were doing their best to comply. Businesses should also ensure that their existing disclosures (privacy notices) meet the heightened transparency requirements of the CPRA and are easily understood by consumers. Furthermore, the CPRA requires companies to adopt new processes to facilitate employee data rights.
CDPA: Consumer Data Protection Act (Virginia)
The Consumer Data Protection Act (CDPA) came into force on January 1st, 2023 in the state of Virginia. The CDPA applies to companies or individuals that do business in the Commonwealth of Virginia, or produce products or services that are targeted towards residents of the Commonwealth, and control or process personal data of at least 100,000 consumers, or control or process personal data of at least 25,000 consumers and derive 50% of gross revenue from the sale of personal data.
Under the CDPA, residents of Virginia have been granted new rights, such as:
The right to access their personal data
The right to request corrections to their personal data
The right to request the deletion of their personal data
The right to request the portability of their personal data
The right to opt-out of the processing of their personal data for targeted advertising, sale of personal data, or profiling that could have legal or similarly significant effects on the consumer.
Additionally, the CDPA imposes several obligations on data controllers such as the requirement to have a contract in place with any processors outlining the instructions for processing, the type of personal data subject to processing, and requirements regarding the duty of confidentiality. Controllers also need to conduct data protection assessments for processing activities that present a heightened risk of harm to consumers, including targeted advertising, sale of personal data, and processing sensitive data.
It’s important to note that the CDPA’s requirements differ from other state legislation, such as California’s CCPA. Businesses should ensure they are familiar with and adhere to any state-specific requirements to avoid any non-compliance issues.
CTPDA: Connecticut Personal Data Authority
The Connecticut Personal Data Authority (CTPDA) goes into effect on July 1st, 2023, with a grace period for enforcement lasting until December 31st, 2024. It also allows additional delay for the establishment of controls for collection of consent and responding to consumer opt-out requests ending on January 1st, 2025.
The key points of the CTPDA include:
Controllers must provide clear and easy-to-understand privacy notices to consumers, detailing the categories of data processed, the purpose of processing, and any third-party sharing of personal data.
Controllers must conduct risk assessments for activities that present a potential harm to consumers, such as targeted advertising, the sale of personal data, profiling, and processing of sensitive data.
The Connecticut Attorney General’s office is given enforcement authority under the CTPDA, though there is no private right of action as in other legislation.
During the enforcement grace period, the AG will issue a notice of violation to the controller before taking any action if a solution is possible.
The CTPDA sets out principles for controllers such as data minimization, purpose limitation, and the requirement for contracts between controllers and processors.
CPA: Colorado Personal Information Protection Act
The Colorado Personal Information Protection Act (CPA) will take effect on July 1st, 2023. This law provides new rights for consumers, such as the right to access, correction, deletion, and data portability, as well as the right to opt-out of targeted advertising or the sale of personal data. Additionally, it imposes a range of obligations on data controllers.
Some of the important points of the CPA include:
Obligation for data controllers to obtain consent from data subjects before processing sensitive personal information or from a child’s parent or guardian in the case of a known child.
Limitation of the collection, retention, and use of personal data to what is necessary for providing goods and services and for processing sensitive personal information.
Prohibition of using personal data for purposes that are not compatible with the initial specified purpose unless the data controller obtains the consumer’s consent.
Requirement for data controllers to implement reasonable measures to secure personal data and not to process personal data in violation of laws that prohibit discrimination against consumers.
Contracts between data controllers and data processors outlining the instructions for processing, the nature and purpose of processing, the type of data subjected to processing, the duration of processing, and the rights and obligations of both parties.
Data protection assessments for processing activities that present a heightened risk to consumers, such as targeted advertising, selling personal data, profiling, and processing of sensitive data, must be conducted by data controllers and made available to the Colorado AG upon request.
In addition to the above, businesses should also ensure they have solid privacy foundations in place such as updated disclosures and notices at collection, processes in place for the exercise of privacy rights, and updated contracts with vendors or service providers.
UCPA: Utah Consumer Privacy Act
The Utah Consumer Privacy Act (UCPA) will come into effect on December 31st, 2023. It establishes new rights for consumers, such as the right to access, delete, and transport their personal data and the right to opt out of targeted advertising or the sale of their personal data.
The important points of the UCPA include:
Data controllers and processors are required to provide clear and meaningful privacy notices, as well as establish, implement, and maintain reasonable security measures to protect personal data.
The UCPA also regulates the processing of sensitive, de-identified, or pseudonymous data.
Data protection assessments are not required under the UCPA.
The UCPA regulates vendor relationships by requiring a contract between controllers and processors that lays out the instructions for processing, the nature and purpose of processing, the type of data being processed, and the rights and obligations of both parties.
Additionally, all parties involved in processing personal data must be bound by a duty of confidentiality, and any subcontractors engaged must also meet the same obligations as the processor.
The UCPA sets out various requirements on data controllers and processors to meet data security standards and ensure that consumer’s data protection rights are met.
As these new state privacy laws take effect in 2023, it is crucial for businesses to understand and comply with them in order to protect consumer privacy and avoid penalties. The laws vary in their scope and requirements, but they all share the common goal of giving consumers more control over their personal information and ensuring businesses handle it responsibly. Businesses should take this opportunity to review their data collection and processing practices, update their privacy notices, and establish processes for handling consumer rights requests. By taking these steps, businesses can ensure they are compliant with the new laws and build trust with their customers.