New State Law Data Regulations
The task of complying with privacy laws keeps getting more complicated. Over the past year, California, Colorado, Connecticut, Utah and Virginia have enacted new comprehensive data privacy regulations that will impact many businesses with customers in these states (collectively, the “State Data Regulations”). These new laws create complex new privacy obligations and increased fines and penalties for failure to comply.
- California has enacted the California Privacy Rights Act (the “CPRA”), effective January 1, 2023, which amends and replaces the California Consumer Privacy Act of 2018 (the “CCPA”).
- Virginia has enacted the Virginia Consumer Data Protection Act (the “VCDP”), effective January 1, 2023.
- Colorado has enacted the Colorado Privacy Act (the “CPA”), effective July 1, 2023.
- Connecticut has enacted the Connecticut Data Privacy Act (the “CTDPA”), effective July 1, 2023.
- Utah has enacted the Utah Consumer Privacy Act (the “UCPA”), effective December 31, 2023.
While businesses familiar with the European Union General Data Protection Regulation (the “GDPR”) and California’s CCPA (the predecessor to the CPRA) will see similar requirements under these new State Data Regulations, there are important differences that must be planned for.
Who Needs to Comply With the State Data Regulations?
Each State has its own thresholds that must be met before a business is subject to its State Data Regulation. Some States require a business to meet all of the thresholds, while other States’ laws are triggered if a business meets just one of them. In general, the typical applicability thresholds involve the following:
- A minimum annual gross revenue (e.g., $25,000,000).
- Conducting business in the State and/or providing products or services that are targeted to the residents of the State.
- Processing, purchasing, selling or sharing personal data of a minimum number of individual consumers or households within the State (e.g., 100,000 consumers or households).
- Generating a certain percentage of profits or revenue (typically 50%) from the sale or, under California’s CPRA, the sharing, of personal data, or, specifically under Colorado’s CPA, receiving discounts on the price of goods or services from the sale of personal data.
Each State also has its own exceptions and exemptions from some aspects of its State Data Regulation, which should be reviewed to see if they apply to your business.
Key Terms - Selling & Sharing
“Sales” of Personal Data
The “sale” of data is covered under all of the State Data Regulations, and is critical in (1) determining whether a business could be subject to a State Data Regulation based on revenue generated from the sale of data; and (2) complying with specific opt-out or opt-in and disclosure requirements related to the sale of personal data.
Note that a “sale” can occur even where there is no actual exchange of money. A “sale” can involve any exchange of valuable consideration. For example, in the landmark enforcement action brought by the California Attorney General against Sephora for violations of California’s current CCPA, Sephora engaged in a “sale” of personal data by permitting third-party advertisers to place tracking cookies and similar technologies on Sephora’s website to deliver targeted ads of Sephora’s products to website visitors, while failing to ensure that the third-party advertisers were not repackaging and selling Sephora consumer data to other third parties. The Attorney General also alleged that Sephora failed to process consumer opt-out requests sent through user-enabled global privacy controls. Sephora agreed to pay $1.2 million in penalties for violations of the CCPA.
“Sharing” Personal Data
California’s new CPRA introduces the concept of “sharing,” which applies to the disclosure of personal data for purposes of cross-context behavioral advertising (which includes tracking a user across the internet to build a behavioral profile for advertising purposes). Like the “sale” of personal data, “sharing” personal data plays an important part in (1) the analysis of whether a business could be subject to the CPRA based on revenue generated from the sharing of data; and (2) complying with specific opt-out or opt-in and disclosure requirements under the CPRA related to the sharing of personal data.
Key Consumer Rights Under the State Data Regulations
Under the State Data Regulations consumers of the applicable States have the following core rights:
- Right to Access Personal Data
- Right to the Correction of Personal Data
- Right to the Deletion of Personal Data
- Right to Data Portability
- Right to Opt-Out of:
Targeted Advertising
Sale of Personal Data (under all five State Data Regulations)
Sharing for Cross-Context Behavioral Advertising (currently, only under California’s CPRA)
Profiling/Automated Decision Making (currently, only under the Colorado, Connecticut, and Virginia State Data Regulations)
Processing Sensitive Data (currently, only under Utah’s UCPA; note, however, that some States (e.g., Colorado, Connecticut and Virginia) require a business to obtain opt-in consent from consumers before processing sensitive data in the first place)
- Right Against Discrimination or Retaliation for exercising any of these rights
- Right to Limit use of Sensitive Data (currently, only under California’s CPRA; however, each State Data Regulation has limitations and restrictions on how a business can use a consumer’s personal data, sensitive or not).
Key Obligations and Requirements for Compliance
Online Privacy Policy
Businesses must have a public-facing, transparent privacy policy describing consumers’ rights and disclosing the business’s data collection and processing activities, including, without limitation, what information is collected, how that information is used, and how that information is shared.
California’s CPRA maintains the CCPA requirement that the privacy policy specifically disclose whether personal data has been sold or disclosed to third parties for business purposes or commercial purposes, and adds a requirement to disclose whether the business has shared personal data with a third party for cross-context behavioral advertising.
In California, a business must also update its privacy policy at least once every 12 months.
Required Opt-Ins, Universal Opt-Outs & Responding to Global Privacy Controls
Under certain State Data Regulations, businesses are required to obtain opt-in consent from consumers prior to processing certain personal data or engaging in certain activities with respect to the consumer. For example:
- Colorado, Connecticut and Virginia require a business to obtain opt-in consent from consumers before processing the consumer’s sensitive data for any purpose.
- California requires businesses to obtain opt-in consent before selling or sharing the personal data of consumers under the age of 16, and for consumers under the age of 13, the child’s parent or guardian must affirmatively authorize the sale or sharing of the child’s personal data.
In addition, California, Colorado and Connecticut each have specific requirements for universal opt-out mechanisms, i.e., a signal sent by the consumer’s browser, device or extension (rather than a consent pop-up on each website) that the business must honor as an exercise of the opt-out rights described above.
The CPRA also requires businesses to honor Global Privacy Control (GPC) signals. GPC is a browser setting that notifies websites of a consumer’s privacy preferences, such as not to share or sell personal data without their consent, by sending a signal with each request to every website the consumer visits.
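The following is an added example, not code from the original article or from Paradigm Counsel, showing how a website can recognize a GPC signal on the server and treat it as an opt-out of sale/sharing. It assumes, as the GPC draft specification describes but the article does not, that the browser sends the request header `Sec-GPC: 1` and exposes the same preference to scripts as `navigator.globalPrivacyControl`; the per-consumer record shape `{ optedOutOfSaleShare: boolean }` is a hypothetical store invented for the example.

```javascript
// Added example (not from the original article or Paradigm Counsel):
// recognising a Global Privacy Control signal and honouring it as an
// opt-out of sale/sharing. Assumptions, not stated on the page: the browser
// sends the HTTP request header "Sec-GPC: 1" (the GPC draft specification's
// format), and the site keeps a per-consumer opt-out record shaped like
// { optedOutOfSaleShare: boolean } (hypothetical store).

// Look up a header case-insensitively; Node lowercases header names but
// other stacks may not.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) {
      return Array.isArray(value) ? value[0] : value;
    }
  }
  return undefined;
}

// The signal is only an opt-out when the header value is exactly "1".
// Anything else ("0", "true", a missing header) is not an opt-out.
function hasGpcSignal(headers) {
  return String(getHeader(headers, "Sec-GPC") ?? "").trim() === "1";
}

// Client-side equivalent: the browser exposes the same preference as
// navigator.globalPrivacyControl. The navigator object is passed in so the
// function can be exercised outside a browser.
function clientHasGpc(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Work out what this request permits. A GPC signal is honoured as an
// opt-out of sale/sharing; it never re-enables sharing for a consumer who
// already opted out, and it flags when the stored record should be updated
// so the choice persists for that consumer beyond this single request.
function evaluateOptOut(headers, record) {
  const gpc = hasGpcSignal(headers);
  const stored = Boolean(record && record.optedOutOfSaleShare);
  const optedOut = gpc || stored;
  return {
    gpcSignal: gpc,
    optedOutOfSaleShare: optedOut,
    // Third-party advertising tags that share data for cross-context
    // behavioural advertising must not be loaded for an opted-out consumer.
    loadAdTrackingTags: !optedOut,
    // True when a known consumer's record does not yet reflect the opt-out.
    persistOptOut: gpc && record != null && !stored,
  };
}

// Constructed sample requests (not real traffic).
const sampleRequests = [
  { name: "GPC on, known consumer not yet opted out",
    headers: { "sec-gpc": "1", host: "www.example.com" },
    record: { optedOutOfSaleShare: false } },
  { name: "GPC off, consumer opted out earlier",
    headers: { "sec-gpc": "0", host: "www.example.com" },
    record: { optedOutOfSaleShare: true } },
  { name: "no signal, anonymous visitor",
    headers: { host: "www.example.com" },
    record: null },
];

function runSamples() {
  return sampleRequests.map((r) => ({ name: r.name, ...evaluateOptOut(r.headers, r.record) }));
}

for (const result of runSamples()) {
  console.log(result);
}
```

The decision is made per request and before any advertising tag is emitted, because the signal accompanies every page load rather than a one-time consent dialog; a site that only checks GPC on a consent banner will miss it for visitors who never see the banner.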
Dark Patterns Void Consent
California, Colorado and Connecticut all prohibit the use of “dark patterns,” i.e., a user interface crafted or designed to trick or manipulate users into doing things, for example, making the “reject all cookies” button a neutral color and the “accept all cookies” button a bright color, or including language intended to guilt a user into providing personal data. Any consent obtained through the use of dark patterns is void in its entirety.
Responding to Consumer Requests
Each State Data Regulation has specific requirements for responding to consumers exercising their rights, including specific response times, the methods a business must provide for consumers to submit their requests, a prohibition on charging consumers a fee to exercise their rights, and how the requested information must be provided to the consumer.
Vendor Requirements & Diligence
The State Data Regulations require that a written agreement be in place between businesses that control personal data and their vendors and service providers, and require businesses to conduct initial and continuing diligence on their vendors and service providers to ensure they are complying with the applicable State Data Regulations.
Vendors and service providers have their own obligations under the State Data Regulations to assist businesses with their compliance obligations, and to implement appropriate security, organizational, technical and administrative measures to protect against unauthorized access, use, disclosure or processing of personal data.
Records; Internal Training & Policies
The State Data Regulations all require businesses to document their processing activities with respect to personal data. Businesses must also ensure that the individuals responsible for handling consumer inquiries about the business’s privacy practices, or about its compliance with the applicable State Data Regulations, are informed of all of the requirements under those State Data Regulations and know how to direct consumers to exercise their rights.
Consequences for Non-Compliance
- A violation of California’s CPRA carries penalties and fines of up to (1) $2,500 per unintentional violation, or (2) $7,500 per intentional violation or any violation involving the personal data of children under 16 years of age.
- A violation of Colorado’s CPA carries civil penalties of up to $20,000 per violation.
- A violation of Connecticut’s CTDPA is an unfair trade practice under the Connecticut Unfair Trade Practices Act, carrying penalties of up to $5,000 per violation. Equitable remedies, such as restitution and injunctive relief, are also at the Attorney General’s disposal.
- A violation of Utah’s UCPA could result in actual damages to the consumer, plus up to $7,500 per violation, which can be recovered by Utah’s Attorney General.
- A violation of Virginia’s VCDP carries civil penalties of up to $7,500 per violation, and the Virginia Attorney General may seek injunctions against violations and recover reasonable expenses (including attorney fees) incurred in investigating and preparing the case.
Actions to Take Now
- Determine whether any of the State Data Regulations apply to your business (including any parents or subsidiaries), and whether any exceptions or exemptions apply to personal data collected by your business.
- Determine whether your business engages in any “selling” or “sharing” of data, or the collection of sensitive data, each of which may impose additional requirements on the collection and use of personal data in those contexts under the applicable State Data Regulations.
- Review and update consumer-facing privacy policies to include the disclosures required under the applicable State Data Regulations, including a clear description of a consumer’s rights under those regulations.
- Implement, or review existing, consumer opt-out mechanisms required under the State Data Regulations, including any required universal opt-out mechanisms.
- Review the methods the business uses to obtain consent to ensure dark patterns are not utilized to obtain the consent.
- Review and implement appropriate responses to Global Privacy Control signals as required by applicable State Data Regulations.
- Review current internal policies and procedures regarding response and management of consumer data right requests.
- Review and update contracts with vendors and third parties with whom personal data is shared to ensure appropriate mechanisms are in place to comply with the disclosure requirements within the scope of the State Data Regulations.
The Paradigm Privacy Health Check Service. Paradigm is offering a streamlined, fixed-fee Privacy Health Check Service to enable our clients to create a plan to comply with the new State Data Regulations, and to conduct a Privacy Health Check with respect to the most prominent data protection regulations, including the CCPA/CPRA, CPA, CTDPA, UCPA, VCDP and GDPR. If you would like to learn more about the Paradigm Privacy Health Check, or to sign up for the service, please contact us.
© Paradigm Counsel, LLP (2022)
Paradigm Counsel is a California-based limited liability partnership. The materials contained herein are intended for marketing and educational purposes only and do not constitute legal advice. They are not a substitute for legal advice from qualified counsel on specific legal matters. You should not rely on these materials as a source of legal advice, and your use of the materials does not create any attorney-client relationship between you and Paradigm Counsel. For more information about the firm please visit us at www.paradigmcounsel.com.