New data privacy laws in various US states: are you ready?
January 2023 | SPOTLIGHT | DATA PRIVACY
Financier Worldwide Magazine
January 2023 Issue
Since the European General Data Protection Regulation (GDPR) came into effect in May 2018, we have seen a wave of jurisdictions around the world introduce their own spin on a data privacy framework. For example, Brazil passed the Lei Geral de Proteção de Dados, which bears a number of similarities with the GDPR.
Within the US, California was the first state to act, and the California Consumer Privacy Act (CCPA) was born in 2018, granting California residents increased transparency and control over how businesses collect and use their personal information. As the CCPA is a state law, its protection is limited to California residents only, in the absence of comprehensive federal legislation covering the various aspects of data protection.
One of the key characteristics of the CCPA is the requirements it places on the ‘sale’ of personal information (i.e., the exchange of consumer information for consideration). Where an organisation covered by the CCPA ‘sells’ personal information, the organisation must mention this in its privacy notices and include a clear and conspicuous ‘do not sell my personal information’ link on its website. Importantly, the concept of ‘sale’ goes well beyond the traditional meaning of the term, and we have seen enforcement actions from the California attorney general’s office indicating that there is a ‘sale’ even if no money changed hands. Not complying with the CCPA’s requirements can be costly: on 24 August 2022, Rob Bonta, California attorney general, announced a $1.2m fine against the French global cosmetics chain Sephora. According to the attorney general, the company had failed to: (i) disclose that it was selling the personal information of California consumers; (ii) provide a ‘do not sell my personal information’ link on its website; and (iii) honour global privacy control opt-out signals for users to opt out of the sale of their personal information. In particular, the attorney general has indicated there may be a sale under the CCPA if an organisation discloses personal information to advertising networks and data analytics providers because the organisation receives a benefit in kind from these arrangements, by allowing them to target potential customers more effectively. In addition to the $1.2m penalty, the company was also required to implement a two-year monitoring and reporting programme intended to demonstrate its ongoing compliance with the CCPA.
Following the introduction of the CCPA, several other US states have introduced their own privacy laws which will come into effect throughout 2023. The California Privacy Rights Act (CPRA) is an update to the CCPA and enters into effect on 1 January 2023. The CPRA includes privacy rights that were not included in the existing CCPA, such as the right to correct inaccurate personal information and the right to limit the use and disclosure of ‘sensitive personal information’, a new category of information created by the CPRA.
Importantly, the CPRA’s concept of sensitive personal information differs from the GDPR’s concept of ‘special category data’: while it includes information such as racial or ethnic origin, religious or philosophical beliefs, or union membership as well as genetic data, the concept is far broader. In particular, ‘sensitive personal information’ also includes: (i) a social security or other state identification number; (ii) an account log-in, financial account, credit card number in combination with any required security or access code, password or credentials allowing account access; (iii) precise geolocation; and (iv) the contents of an email or text messages, unless the business is the intended recipient. Contrary to the GDPR which, by default, prohibits the processing of special category data, the CPRA provides that consumers have a right to limit the use and disclosure of their sensitive personal information to certain enumerated ‘business purposes’.
The states of Virginia, Utah, Colorado and Connecticut will also have their own comprehensive data privacy legislation in place. The Virginia Consumer Data Protection Act will come into force on 1 January 2023, whereas the Colorado Senate Bill 21-190 for the Colorado Privacy Act and the Connecticut Act Concerning Personal Data Privacy and Online Monitoring will take effect on 1 July 2023. Finally, the Utah Consumer Privacy Act will enter into force on 31 December 2023. While similarities across these laws will allow organisations to take a unified compliance approach on some topics, there are also significant differences between these laws that may require businesses to take a state-by-state approach on certain issues or to adopt the strictest requirements in order to have a single unified compliance programme within the US.
With the exception of the CPRA, these new data privacy laws borrow some terminology from the GDPR (such as the GDPR’s concept of controller and processor, instead of the CCPA and CPRA’s concept of business and service provider), so some of these terms may appear familiar. However, contrary to the GDPR, these data privacy laws do not apply to all organisations: only those conducting business in the state and exceeding certain thresholds specified in the law are covered. For example, only organisations that control or process the personal information of at least 100,000 residents of the state during a calendar year, or that derive revenue from the sale of the personal data of at least 25,000 residents of the state, are covered. Small businesses are therefore unlikely to be in scope of such new laws, but it is advisable in all cases to review whether such new laws impose new requirements on them.
Pursuant to these new data privacy laws, residents of these states have various rights under their state law, such as the right to know, the right of access, the right of deletion and the right to opt out of targeted advertising, ‘sale’ or ‘sharing’ of personal data. Requirements on the disclosures that must be included in privacy notices or privacy policies are listed in these new laws. As under the GDPR, consent would generally require a clear, affirmative act from an individual that evidences a freely given, specific, informed and unambiguous agreement to process such personal information. Most of these new laws explicitly prohibit the use of ‘dark patterns’ to obtain consumer consent. In addition, in-scope organisations would be required to enter into contracts with processors, as well as service providers or other third parties to which they transfer information, containing certain specific provisions, for example in relation to data security or restrictions surrounding the sale of personal information.
Due to the challenges to comply with so many laws within the US, it is not surprising that many organisations have been pushing for the introduction of a US federal data privacy framework. After years of unsuccessful attempts, the American Data Privacy and Protection Act (ADPPA) – a proposed US federal online privacy bill that would regulate how organisations keep and use consumer data – is the furthest a federal data privacy bill has managed to go so far and could be the country’s first comprehensive federal consumer privacy framework. However, the ADPPA, as currently drafted, would pre-empt most state privacy laws, which is an issue for certain states, such as California.
In short, as we move through 2023, organisations will need to review their existing data privacy documentation and processes and determine what changes may be needed to achieve compliance with the new laws that will enter into effect during the course of 2023. A thorough understanding of the similarities and differences between these laws will be necessary to achieve compliance. In addition, organisations should continue to monitor privacy developments as the legal requirements are still evolving. For example, further requirements in California and Colorado will come by way of rulemaking over the coming months. As such, a certain amount of flexibility will be needed to adapt to new requirements that may be introduced.
Paul Lanois is a director at Fieldfisher. He can be contacted on +1 (650) 313 2361 or by email: paul.lanois@fieldfisher.com.
© Financier Worldwide
By Paul Lanois, Fieldfisher