BakerHostetler’s Data Security Incident Response Report is a one-of-a-kind resource that leverages aggregated data from security incidents. Our Digital Risk Advisory and Cybersecurity team has shared insights from attorneys across the firm’s Digital Assets and Data Management Practice Group who work with clients on complex privacy and data protection matters. This article takes a closer look at recent updates to the privacy law compliance landscape in the United States.
On May 10, Connecticut Gov. Ned Lamont signed SB 6, the Connecticut Data Privacy Act, which will become effective July 1, 2023. The statute is similar to other statutes enacted last year by Virginia and Colorado.
The law applies to entities that conduct business in Connecticut or produce products or services targeted to Connecticut residents and either (1) process the personal information of 100,000 or more Connecticut consumers or (2) process the personal information of 25,000 Connecticut residents and derive 25 percent of their revenue from selling personal data.
The law creates rights for consumers to confirm whether a business is processing their personal data, obtain a copy of the personal data, correct inaccuracies in their personal data and request that their personal data be deleted. The law also creates a right to opt out of the processing of personal information for advertising, selling or consumer profiling, with some exceptions.
Data controllers subject to the law must conduct and document a “data protection assessment” of each of the controller’s data processing activities that may create a heightened risk of harm to a consumer (e.g., processing personal data for the purpose of targeted advertising, selling personal data, processing sensitive personal data and processing personal data for profiling). The assessment must weigh the purported benefits of the processing against the risk to the rights of consumers.
Controllers also must take reasonable measures to ensure de-identified data cannot be associated with an individual, publicly commit to maintaining and using de-identified data without attempting to reidentify the data, and impose contractual obligations on any recipient of personal data to comply with the act.
The law includes exemptions for certain entities, including state and local government entities, nonprofit organizations, institutions of higher education, national securities associations, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), and covered entities or business associates under the Health Insurance Portability and Accountability Act (HIPAA).
Exemptions also exist for compliance with other laws, data subject to HIPAA and other statutory regimes, and uses of data for some other lawful purpose. There is also an exemption for employees or others acting in an employment context. The statute also does not hold a controller liable for violations of a processor as long as the act is complied with and the controller is unaware of any failures of the processor to comply with the act.
The Connecticut attorney general (AG) is responsible for enforcement; the law does not include a private right of action.
The law creates a task force, including representatives from businesses, academia, consumer advocacy groups, the AG’s office and privacy law attorneys, that will study several aspects of data collection and privacy, with a particular focus on minor children. The task force is set to convene no later than Sept. 1 and will submit a report of its findings no later than Jan. 1.
The Colorado Privacy Act (CoPA) was passed July 7, 2021. It will go into effect July 1, 2023.
Like the Connecticut law, CoPA applies to any legal entity that conducts business in Colorado or produces or delivers products or services that are intentionally targeted at Colorado residents and either (1) controls or processes personal data of 100,000 or more Colorado residents or (2) derives revenue or receives discounts from selling personal data and processes or controls the personal data of 25,000 or more Colorado residents.
CoPA provides Colorado residents with the right to opt out of targeted advertising, the sale of their personal data and certain types of profiling. Residents also have the right to access, correct and delete their personal data as well as the right to data portability.
Businesses subject to the law must enter into data processing agreements with entities that process personal data they control. They also must undertake a data protection assessment of each of their processing activities that presents a heightened risk of harm to consumers, including targeted advertising, selling personal data, processing sensitive data, and certain profiling activities that create a foreseeable risk of unfair treatment of consumers, financial or physical injury, or intrusion upon the solitude or seclusion of the private affairs of consumers.
Additionally, on July 1, 2024, Colorado will become the first state to explicitly require that businesses honor universal opt-out signals for targeted advertising and the sale of personal data.
This law also includes exemptions for certain entities, including state and local government entities, nonprofit organizations, institutions of higher education, national securities associations, financial institutions subject to the GLBA, and covered entities or business associates under HIPAA. Like the other statutes, it includes an exception for personal data of individuals acting in a commercial or employment context.
The Colorado AG and district attorneys have exclusive authority to enforce the law. Noncompliance is considered a deceptive trade practice and is subject to a $20,000 civil penalty per violation under the Colorado Consumer Protection Act. There is no private right of action.
In March, Utah’s governor signed into law the Utah Consumer Privacy Act (UCPA), which will go into effect on Dec. 23, 2023.
The UCPA applies to any entity that (1) conducts business in Utah or produces products or services that are targeted at Utah residents, (2) has annual revenue of $25 million or more, and (3) annually controls or processes the personal data of at least 100,000 Utah residents or controls or processes the personal data of at least 25,000 Utah residents and derives more than 50 percent of its gross revenue from the sale of personal data.
Under the UCPA, Utah consumers have the right to confirm whether a controller is processing their personal data, access such personal data, request deletion of their personal data and obtain a copy of their personal data in a usable format. The law also creates a right to opt out of targeted advertising and sales of personal information.
Controllers subject to the law are required to provide consumers with a clear and accessible privacy notice, and they must establish, implement and maintain reasonable administrative, technical and physical data security safeguards. In addition, controllers may not process sensitive data collected from a consumer without first presenting the consumer with clear notice and an opportunity to opt out of the processing.
The UCPA does not apply to data subject to HIPAA, GLBA, and other state and federal statutory regimes. The law also explicitly permits internal operations that otherwise might be subject to regulation if the processing activity is reasonably aligned with the consumer’s expectations based on the consumer’s existing relationship with the controller.
The UCPA does not create a private right of action for consumers and is enforceable only by the Utah AG.
On March 2, 2021, Virginia became the second state, after California, to enact a comprehensive state privacy law, the Virginia Consumer Data Protection Act (VCDPA). It will come into effect on Jan. 1, 2023.
The VCDPA applies to entities that conduct business in Virginia or produce products/services targeted to Virginia residents and either (1) control or process the personal data of at least 100,000 consumers during a calendar year or (2) control or process the personal data of at least 25,000 consumers and derive at least 50 percent of their gross revenue from the sale of personal data.
Similar to the other state laws, the VCDPA grants consumers rights to access, correct, delete and obtain a copy of their personal data; it further includes the right to opt out of the sale of personal data and the processing of personal data for targeted advertising and profiling.
Entities subject to the law are required to provide consumers with a reasonably accessible, clear and meaningful privacy notice, and they must limit their collection of personal data to that which is adequate, relevant and reasonably necessary. Controllers also must establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data.
Businesses subject to various sector-specific privacy laws (such as HIPAA and the GLBA) are exempt from the VCDPA’s requirements.
In addition, individuals acting in a commercial or employment context are excluded from the definition of consumers whose personal data is protected by the VCDPA.
There is no private right of action. The VCDPA will be enforced by the Virginia AG’s office, which can seek civil penalties (including injunctive relief and damages of up to $7,500 for each violation).
States with Active Legislation Addressing Comprehensive Privacy Laws
Numerous other states have proposed comprehensive state privacy legislation; many of these bills failed to advance in the most recent legislative session. At the time of this writing, Massachusetts, Michigan, New Jersey, North Carolina, Ohio and Pennsylvania have bills currently under consideration.
- Massachusetts. The Massachusetts Information Privacy Act is similar to the California Privacy Rights Act (CPRA), though it does not provide a 30-day cure period. If passed, it would establish a state information privacy commission to handle enforcement. There are bills pending in both the Senate and the House; as this bill came close to passing last year, it is considered the most likely of the state privacy laws still in play to pass in 2022.
- Michigan. The Consumer Privacy Act has CPRA-like provisions but does not create a private cause of action. The bill is currently being debated in the Michigan Legislature.
- New Jersey. A bill that is pending in both legislative chambers would require internet websites and online services to notify consumers of the collection and disclosure of personally identifiable information and allow consumers to opt out of such collection. A separate bill that mirrors a 2021 proposal also currently is pending; it would establish certain requirements for disclosure and processing of personally identifiable information and create an Office of Data Protection and Responsible Use in the Division of Consumer Affairs. Notably, this bill includes a private right of action and creates an opt-in (rather than the more common opt-out) regime for certain types of marketing.
- Ohio. Ohio is once again considering the Ohio Personal Privacy Act (OPPA), which would give Ohio residents privacy rights similar to those provided under California law. The law would be enforced by the AG and does not provide a private right of action. There is an affirmative defense to any claims made against an entity under the OPPA if the entity has created its own data privacy program that meets the standards specified in the latest version of the NIST Privacy Framework.
- Pennsylvania. Pennsylvania is considering a comprehensive data protection law similar to the CPRA. It does not include a private right of action, but it does provide the right to opt out of processing for targeted advertising and profiling purposes. It also requires affirmative opt-in consent for marketing to minors.
The trend toward comprehensive state privacy laws that has emerged in the four years since the passage of the California Consumer Privacy Act in 2018 seems likely to continue unless and until the U.S. Congress acts to pass a federal privacy law.