The DSIR is a one-of-a-kind report based on a mix of aggregated data from security incidents and insights from BakerHostetler’s services to clients across the entire data and technology life cycle. This article takes a closer look at recent updates in the world of state privacy laws.
On May 10, 2022, Connecticut Gov. Ned Lamont signed SB 6, the Connecticut Data Privacy Act, which becomes effective July 1, 2023. The statute is similar to other statutes enacted last year by Virginia and Colorado.
Not all businesses are subject to the law. Only entities that process information about 100,000 or more Connecticut consumers or that process information about 25,000 Connecticut residents and derive 25% of revenue from the activity are subject to the law.
The law gives consumers the right to confirm whether a business is processing their personal data, to correct inaccuracies, to request that data be deleted, to obtain a copy of the data, and to opt out of processing for targeted advertising, the sale of personal data, or profiling, with some exceptions.
The law requires data controllers to conduct and document “a data protection assessment” for each of the controller’s processing activities that presents a heightened risk of harm to a consumer. A heightened risk of harm includes processing personal data for the purpose of targeted advertising, the sale of personal data, the processing of sensitive personal data, and the processing of personal data for profiling where the profiling raises the risk of unfair or deceptive treatment of consumers; financial, physical or reputational injury to consumers; a physical or other intrusion upon the solitude or seclusion or private affairs or concerns of consumers where such intrusion would be offensive to a reasonable person; or other substantial injury. The assessment must weigh the benefits that may flow from the processing against the risk to the rights of consumers.
Controllers are required to take reasonable measures to ensure de-identified data cannot be associated with an individual, publicly commit to maintaining and using de-identified data without attempting to reidentify the data and obligate by contract any recipient of the data to comply with the act.
An exemption exists for certain entities, including state and local government entities, nonprofit organizations, institutions of higher education, national securities associations registered under 15 USC 78o-3 of the Securities Exchange Act of 1934, financial institutions subject to Title V of the Gramm-Leach-Bliley Act (GLBA), and covered entities or business associates as defined under the Health Insurance Portability and Accountability Act (HIPAA).
Exemptions also exist for processing carried out to comply with other laws, for data subject to HIPAA and other statutory regimes, and for uses of data for certain other lawful purposes. The statute also does not hold a controller liable for a processor’s violations as long as the controller itself complies with the act and is unaware of any failure of the processor to comply with the act.
Significantly, there is not a private cause of action created under the act; enforcement is left to the attorney general (AG).
Finally, the law creates a task force, composed of representatives from business, academia, consumer advocacy groups, small and large companies, the office of the Attorney General and attorneys with experience in privacy law, to study several aspects of data collection and privacy, with a particular focus on minor children. The task force will convene no later than September 1, 2022, and will submit a report of its findings no later than January 1, 2023.
The Colorado Privacy Act (CoPA) was passed July 7, 2021. It will go into effect July 1, 2023.
The CoPA applies to any legal entity that “conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado” and either (1) controls or processes personal data of 100,000 or more Colorado residents, or (2) derives revenue or receives discounts from selling personal data and processes or controls the personal data of 25,000 or more Colorado residents. Like the Virginia Consumer Data Protection Act (VCDPA), the law does not apply to personal data of individuals “acting in a commercial or employment context.”
The Colorado Privacy Act provides Colorado residents with the right to opt out of targeted advertising, the sale of their personal data and certain types of profiling. Residents also have the rights to access, correct and delete their personal data as well as the right to data portability.
Businesses must enter into data processing agreements with entities that process personal data they control. Businesses must also undertake a data protection assessment for each of their processing activities that present a heightened risk of harm to consumers, including targeted advertising, selling personal data, processing sensitive data, and certain profiling activities that create a foreseeable risk of unfair treatment of consumers, financial or physical injury, or intrusion upon the solitude or seclusion of the private affairs of consumers.
Additionally, on July 1, 2024, Colorado will become the first state to explicitly require that businesses honor universal opt-out signals for targeted advertising and the sale of personal data.
There are exemptions for personal data regulated under other laws like HIPAA, GLBA, the Driver’s Privacy Protection Act and others.
The CoPA does not create a private right of action. The Colorado AG and district attorneys have exclusive authority to enforce the law. Noncompliance is considered a deceptive trade practice, which is subject to a $20,000 civil penalty per violation under the Colorado Consumer Protection Act.
In March 2022, the Utah governor signed into law the Utah Consumer Privacy Act (UCPA), which will go into effect on December 23, 2023.
The UCPA applies to any entity that (1) conducts business in Utah or produces products or services that are targeted to Utah residents; (2) has annual revenue of $25 million or more; and (3) annually controls or processes the personal data of at least 100,000 Utah residents, or controls or processes the personal data of at least 25,000 Utah residents and derives over 50% of its gross revenue from the sale of personal data.
This act is very similar to the California Consumer Privacy Act (CCPA) but also includes the right to opt out of certain processing and marketing activities. It does not, however, impose a requirement to conduct risk assessments or any purpose/processing limitations.
Under the UCPA, Utah consumers have the right to confirm whether a controller is processing the consumer’s personal data, access personal data, delete personal data, obtain a copy of personal data in a usable format, opt out of targeted advertising and sales of personal information, and avoid discrimination as a result of exercising their consumer rights.
A controller must provide consumers with a reasonably accessible and clear privacy notice and must establish, implement, and maintain reasonable administrative, technical, and physical data security practices. It may not process sensitive data collected from a consumer without first presenting the consumer with clear notice and an opportunity to opt out of the processing, and a controller may not discriminate against a consumer for exercising their rights.
Exemptions exist for processing carried out to comply with federal, state, or local laws, for data subject to HIPAA and other statutory regimes, and for internal operations that can be reasonably aligned with the consumer’s expectations based on the consumer’s existing relationship with the controller.
The UCPA does not create a private right of action for consumers and is only enforceable by the Utah Attorney General.
On March 2, 2021, Virginia enacted a comprehensive state privacy law, the Virginia Consumer Data Protection Act (VCDPA), effective Jan. 1, 2023.
The VCDPA defines “consumer” to be “a natural person who is a resident of the Commonwealth acting only in an individual or household context.” Individuals “acting in a commercial or employment context” are excluded from the definition of consumers.
The law applies to entities that conduct business in Virginia or produce products/services targeted to Virginia residents and either control or process the personal data of at least 100,000 consumers during a calendar year or control or process the personal data of at least 25,000 consumers and derive at least 50% of their gross revenue from the sale of personal data.
The VCDPA grants consumers rights to access, correct, delete, and obtain a copy of their personal data and to opt out of the sale of personal data, the processing of personal data for targeted advertising, and profiling. It also requires controllers to establish and maintain “reasonable administrative, technical, and physical data security practices to protect” personal data.
Entities are required to limit the collection of personal data to what is adequate, relevant, and reasonably necessary, and to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Controllers must also provide consumers with a reasonably accessible, clear, and meaningful privacy notice.
Businesses subject to various sector-specific privacy laws (like HIPAA and GLBA) are exempt from the act’s requirements.
There is no private right of action; it will be enforced by the Office of the Virginia Attorney General, which can seek civil penalties (including injunctive relief and damages up to $7,500 for each violation) following a 30-day opportunity to cure.
States with active legislation addressing comprehensive privacy laws
Massachusetts, Michigan, New Jersey, North Carolina, Ohio, and Pennsylvania are currently considering comprehensive data privacy laws. Most notable among the bills that are up for consideration are:
- Massachusetts. The Massachusetts Information Privacy Act has CPRA-like provisions, though it provides heightened protections for biometric and location data and does not provide a 30-day cure period. Similar to the CPRA, the Massachusetts law would establish a state information privacy commission to handle enforcement. There are bills pending in both the Senate and the House, and this bill was close to being passed last year and seems like it may pass in 2022.
- Michigan. The Consumer Privacy Act has CPRA-like provisions but does not create a private cause of action. The bill is currently being debated in the Michigan Legislature.
- New Jersey. A bill is pending in both legislative chambers that would require Internet websites and online services to notify consumers of the collection and disclosure of personally identifiable information and would allow consumers to opt out. A second pending bill mirrors legislation that was up for consideration in 2021: it establishes certain requirements for the disclosure and processing of personally identifiable information, creates the Office of Data Protection and Responsible Use in the Division of Consumer Affairs, and has requirements similar to those of the CPRA, including a private right of action. Rather than requiring consumers to opt out of certain marketing, the NJ DaTA requires companies to obtain an opt-in from the consumer.
- Ohio. Ohio is once again considering the Ohio Personal Privacy Act (OPPA), which grants residents rights similar to those of the CCPA, including (1) the right to know the data collected by a business; (2) the right to request access to and disclosure of personal data collected, including the categories of third parties to whom the business sells the data; (3) the right to request deletion of data, although, as under the CCPA, a business may not be obligated to delete data that is necessary for various reasons; (4) the right to opt out of the sale of personal data; and (5) the right of residents who exercise these rights not to be discriminated against. There is no private right of action; instead, the AG has exclusive authority to investigate and enforce the OPPA. There is a safe harbor if the business creates, maintains and complies with a privacy program based on the National Institute of Standards and Technology’s Privacy Framework.
- Pennsylvania. Pennsylvania is considering a comprehensive data protection law similar to the CCPA and the CPRA. No private right of action is included in the current bill, but it does include a right to opt out of processing for targeted advertising and profiling purposes. It also requires an opt-in for marketing to minors.
Other states have proposed bills that were largely similar to the state laws that have passed. This is a trend that has emerged in the four years since the passage of the CCPA in 2018 and is likely to continue unless and until the federal government acts to pass a federal privacy law.