Could 2023 be a landmark year for data privacy?
The California Privacy Rights Act
The California Privacy Rights Act (CPRA) took effect January 1, 2023. It amends the California Consumer Protection Act (CCPA) and adds new protections including:
The right to correct inaccurate personal information that a business has about them
The right to limit the use and disclosure of sensitive personal information collected about them
The right to request their data be deleted
The right to know what personal information is being collected, and to access that information
The right to know what information is sold or shared, and to whom
The right to opt out of the sharing of certain personal data
The CPRA does not necessarily apply to every business; several criteria have to be met. The CPRA applies if a business collects personal information of California residents, AND does business in California, AND meets at least one of the following criteria:
Annual gross revenue of more than $25,000,000
At least 50% of annual revenue comes from sharing or selling California consumers' personal information
The business sells, shares, or buys the personal information of at least 100,000 California households or consumers
Virginia Consumer Data Protection Act
Similar to the CPRA, the Virginia Consumer Data Protection Act (VCDPA) gives consumers rights regarding their personal data. The VCDPA was effective as of January 1, 2023 and gives Virginia consumers the following rights:
To confirm whether or not a controller is processing the consumer's personal data and to access such personal data
To correct inaccuracies in the consumer's personal data
To delete personal data provided by or obtained about the consumer
To opt out of the processing of personal data for purposes of targeted advertising and the sale of personal data
The law is applicable to businesses in the Commonwealth of Virginia that produce products or services that are targeted to residents of the Commonwealth. In addition to the above criteria, at least one of the following must also be met:
In a calendar year, the business controls or processes the personal data of at least 100,000 consumers
The business controls or processes the personal data of at least 25,000 consumers AND over 50% of gross revenue comes from the sale of personal data
Colorado Privacy Act
Like the other laws, a business does not need to be located in Colorado for these rights to apply. This law is slated to take effect on July 1, 2023. Many of the provisions are similar to other established state privacy laws, and the current draft includes changes based on the public comment period that ended January 18, 2023. The most recent public comment period ended February 3, 2023, so another draft with new changes will likely be released soon. The current draft includes the following protections:
A Controller’s privacy notice must include specific methods through which a Consumer may submit requests to exercise Data Rights
The right to opt out of the processing of personal data
The right to access the personal data a business or one of its processors has collected
The right to correct inaccuracies in their personal data or delete personal data
The right to data portability
The Colorado Privacy Act applies to businesses that conduct business in Colorado, or deliver or produce commercial products or services that are intentionally targeted toward Colorado residents, and that meet one of the following:
The business controls or processes the personal data of 100,000 or more Colorado consumers during a calendar year
The business gains revenue or obtains a discount on the price of goods or services from the sale of personal data AND processes or controls personal data of 25,000 or more Colorado consumers
Something to note here: even if your business doesn't meet these requirements, you must still comply with the Colorado Privacy Act if you process the data on behalf of a client that is subject to the Act. Once this act goes into effect, non-compliance can result in penalties of up to $20,000 per incident.
Utah Consumer Privacy Act
The Utah Consumer Privacy Act, which will take effect December 31, 2023, protects consumers by giving them the right to:
Access and delete certain personal data maintained by certain businesses
Opt out of the collection and use of personal data for certain purposes
Request to have personal data deleted, or to stop the sale of their data
Know what personal data a business collects, how the business uses that data, and whether the business sells personal data.
Like the other laws, this applies to anyone who collects personal data of Utah residents and does business in Utah, or produces a product or service targeted to Utah residents. The entity has to have annual revenue of $25,000 and meet one of these criteria:
Controls or processes the personal data of 100,000 or more Utah residents during a calendar year
Controls or processes the personal data of 25,000 or more Utah consumers and obtains 50% or more of its annual gross revenue through the selling of personal data.
There is an exemption for nonprofits, so this law only applies to for-profit businesses. There is a fine of up to $7500 per violation, which the state of Utah defines as per website visitor whose privacy rights have been infringed upon.
Connecticut SB6
Connecticut is also joining the ranks of states enacting privacy laws. Set to take effect July 1, 2023, this bill shares many similarities with the others. The bill specifically mentions that it takes the definition of "Child" from COPPA (the Children's Online Privacy Protection Act). The bill will grant consumers the right to:
Confirm whether their personal data is being processed and access said data, unless confirmation or access would require the entity controlling the data to reveal a trade secret.
Correct inaccuracies in a consumer's personal data, and request deletion of data
Obtain a copy of personal data in a readily usable format
Opt out of the sharing of personal data for the purposes of targeted advertising or sale
Connecticut SB6 will apply to any person that conducts business in Connecticut or produces products or services that are targeted to residents of the state. One of the following would also have to be met for the law to apply:
The person/business controlled or processed the personal data of at least 100,000 consumers, excluding data that was controlled or processed solely for the purpose of completing a payment transaction.
Controlled or processed personal data of at least 25,000 consumers AND more than 25% of gross revenue was derived from the sale of personal data.
There are some notable exemptions in this bill, including any body, authority, board, bureau, commission, district, or agency of this state or of any political subdivision of the state, non-profit organizations, institutions of higher learning, and certain financial institutions.
While we love that the importance of data privacy is being recognized by individual states, this patchwork system of individual state privacy laws could get messy. The hope is that there will be movement on the American Data Privacy and Protection Act in the form of a comprehensive framework for data protection that gets everyone on the same page.