To avoid unnecessary fines and privacy claims, all companies need a baseline framework that can be applied across the board.
As privacy regulations evolve regularly, Pauline Egret Zimmermann and Danielle Okay, JD, CIPP/US take a look at recent developments in US privacy law, rights and resources available to American and multinational businesses.
As of November 2022, five States have passed privacy laws, namely California, Colorado, Connecticut, Virginia, and Utah.
The State of California passed the California Consumer Privacy Act (CCPA) in 2018, which became effective Jan. 1, 2020. It was then expanded upon by passage of Proposition 24, becoming the California Privacy Rights Act (CPRA) which will take effect Jan. 1, 2023.
Colorado passed its privacy act (CPA) in 2021 and Connecticut passed the CTDPA in 2022; both are set to become effective July 1, 2023. Virginia passed the Virginia Consumer Data Protection Act (VCDPA) in 2021 with an effective date of Jan. 1, 2023. Utah enacted the Utah Consumer Privacy Act (UCPA) in 2022, with an effective date of Dec. 31, 2023.
There are currently four States with active bills in their respective legislatures; the States of Michigan, New Jersey, Ohio, and Pennsylvania all currently have bills in committee while 23 other States have bills introduced but inactive (see list).
Additionally, there have been recent developments around the potential of a U.S. federal privacy law since the release on June 3, 2022 of a discussion draft of the first comprehensive U.S. federal privacy bill, the American Data Privacy and Protection Act (ADPPA). If the ADPPA passes eventually, it has the potential to preempt state privacy laws.
As new privacy laws are being enacted across the United States, it is necessary for companies to determine whether they are subject to those laws. While slightly different criteria apply for each law, the requirements are generally based on revenue, on how many consumers' data the company controls or processes annually, or on how much revenue it derives from the sale of personal data it controls or processes. Companies must also consider what type of consumer data they possess and control, and how they interact with consumers regarding their personal data.
Once companies have determined these privacy laws apply to them, the primary consideration that they need to make is what consumer data do they have and what are they doing with it. They should then limit the data collected and how it is used, implement data security practices, determine consent requirements, provide consumers with transparent privacy notices and respond to consumer requests related to what information is collected, review data processing contracts, and conduct data protection assessments when required.
Depending on the laws they are subject to they may also be required to correct or delete consumer data on request. To achieve all of this, organizations will need a well-organized privacy program with scalability to ensure consistent compliance with evolving requirements.
We have described below some of the requirements that must be included in such a program.
1. RISK OF CLAIM
Current privacy laws generally do not provide for a private right of action. However, under the CCPA and CPRA, consumers may bring a civil action in certain situations for personal information security breaches.
The CPRA expanded the enforcement provisions of the CCPA to apply to businesses, service providers, contractors, and others, whereas the CCPA only applied to businesses. Fines are also 3X higher for intentional violations.
Enforcement of privacy laws is typically vested in the state attorney general (AG). The UCPA has a more detailed enforcement approach as the law also requires the Division of Consumer Protection to establish a system for receiving consumer complaints, and the Division may also investigate and refer cases to the AG.
At this time California is the only state to have created a new agency to implement and enforce privacy laws. The California Privacy Protection Agency was created by the CPRA and is currently in the rulemaking process. Under the CCPA/CPRA, all consumers, B2B contacts and employees have the right to file a private action when there is a data breach.
With the end of 2022 fast approaching, it is important to note that, with the amendments to the CCPA, there is no longer a right to cure CCPA violations before facing fines or penalties. The other states still allow a 30- or 60-day cure period, but the 60-day cure period in Connecticut and Colorado will end January 1, 2025. Additionally, the CCPA and CPRA allow for retroactive effect.
Generally speaking, the duties of companies controlling the data (controllers) are similar across all the states. Controllers have the duties of transparency, purpose specification, data minimization, data security/care, non-discrimination and avoidance of secondary use (with Utah being the exception, not requiring this last duty).
When it comes to sensitive data, California and Utah do not require express consent to process sensitive data, and the definition of what is sensitive varies.
Although California is the only state allowing a private right of action for violations, all states allow for fines related to the violation. The AG can impose a fine of $750 per violation in California, $7,500 per violation in Utah and Virginia, $5,000 per wilful violation in Connecticut, and up to a whopping $20,000 fine per violation in Colorado, since this State considers a violation to be a deceptive trade practice under the Colorado Consumer Protection Act.
In 2021, the majority of privacy claims were filed in federal court. To quote the National Law Review on December 31, 2021: “To date, over 125 cases asserting CCPA claims have been filed this year, with the vast majority (91.2%) filed in federal courts. Each quarter of 2021 has seen roughly the same number of cases filed (about 30-35 cases). Not surprisingly, about 60% of all federal cases were filed in California’s federal court.”
Therefore, it is likely we will see an increase in claims in years to come as privacy continues to be a hot topic of discussion and both state and federal legislatures continue to attempt to enact additional laws.
2. BREADTH OF OPERATION
The primary criteria applied to define companies that must comply with state privacy acts are generally either gross revenue, volume of data processed or controlled, or amount of revenue derived from selling or sharing consumer information.
While most current privacy laws require only one threshold to be met, Utah requires both a revenue threshold and either a threshold of volume of data processed or controlled or a threshold of revenue derived from sales of data.
While US federal privacy laws do not explicitly pre-empt state privacy laws, the federal laws will control where there is any contradiction, and some states have included exemptions in their laws for specific federal acts including HIPAA, Gramm-Leach-Bliley, the Family Educational Rights and Privacy Act, and the Children’s Online Privacy Protection Act.
Privacy laws apply to businesses dealing with consumers, and how each jurisdiction defines some key terms can vary. The GDPR relates to “data subjects”, defined as identified or identifiable natural persons, which is a broader scope than how the US states define consumers.
The term “consumer” generally means a natural person that is a resident of the state acting in an individual or household context, rather than in a commercial or employment context. California does not make a distinction between individual and commercial contexts.
“Personal information” or “personal data” generally means information that can be linked or can be reasonably linked to an identified or identifiable individual. California goes farther to define “personal information” as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” All definitions exclude publicly available, de-identified or aggregate consumer information.
“Sensitive personal information” or “sensitive data” means personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, a person’s sex life or sexual orientation, citizenship, or citizenship status, as well as genetic or biometric data that may be processed for the purpose of uniquely identifying an individual. Any data of children is also generally considered sensitive personal data, although the age for who is considered a “child” varies by state.
The CPRA has a broader definition of sensitive personal information that also includes social security / driver’s license / state ID / passport numbers; personal account information; precise geolocation; philosophical beliefs; union membership; contents of consumers’ mail, email, or text messages.
In all states a sale consists of exchanging personal data for monetary consideration, although some states go further to include any form of valuable consideration. The CPRA also includes renting, releasing, disclosing, disseminating, making available or transferring a consumer’s information for monetary or valuable consideration.
Under these privacy acts, consumers are entitled to various rights.
Under the California Consumer Privacy Act (CCPA), consumers have the right to access or delete data, to know what personal information is sold or shared, and to whom, to opt-out of sale/sharing of personal information or limit the use and disclosure of sensitive personal information, to not be retaliated against for opting out or exercising other rights. The CPRA adds more rights such as the right to rectify data, restrict sensitive personal data, and the right against automated decision-making.
Colorado, Connecticut, and Virginia are similar to the CPRA, with the only differences being that there is no private right of action, consumers have a right to opt out of certain automated decision-making, and consumers have the right to opt out of processing for profiling/targeted advertising purposes.
GDPR requires express consent to process sensitive personal information, which is not a requirement under US laws, but consumers do have rights to limit the use and disclosure of sensitive personal information and to opt in to or opt out of processing.
To summarize, with regard to requests from consumers concerning their rights, all of the current state privacy laws have a 45-day requirement to respond to such requests. Each state privacy law adds some level of detail (such as “without undue delay”) and allows for extensions (typically 45 days) if reasonably necessary.
Utah is the only state which does not require data processing/protection impact assessments.
The VA CDPA and CO CPA require data protection impact assessments when a controller is processing personal data for targeted ads, profiling, selling personal data, processing sensitive data, or conducting any processing activity that presents a high risk of harm to consumers. The CPRA requires annual audits and periodic risk assessments when the data processing presents a significant risk.
Additionally, each state privacy law requires a privacy notice, and the extent of the content that must be included in the notice varies by state. For example, California, in typical fashion the most stringent, requires notice at the point of personal information collection and adopts a standard similar to the GDPR notice requirement: the notice must be clear, accessible and set apart from other information presented to the consumer at the same time, and the law specifies the information that must be included in it.
To be able to respond to requests from consumers regarding their personal information (usually requests to know or delete information), organizations need to have such data organized and well-structured so they fully understand the data and the purpose for which it was collected.
This will also allow organizations to respond easily to requests within the time frame required by applicable law. It includes classifying data collected by type (sensitive, public, confidential) and understanding how the data flows across the different systems used within the business, across departments, and across countries.
Companies will need a privacy program that complies with multiple laws and makes it easy to address violations and requests. If you are a multinational company already complying with GDPR, you should be okay, as the new US privacy laws are less strict.
If you are a US company complying with certain US privacy laws and wishing to expand your scope internationally, additional measures will be required to comply with GDPR. Satisfying each current state privacy law will not achieve GDPR compliance.
To avoid unnecessary fines and privacy claims, you need a baseline framework that can be applied across the board.
It can be helpful to look to GDPR + CPRA as a starting point, since these have the most stringent requirements. Once your framework is ready, you can tackle any law that comes into effect afterwards by extending that framework, which makes it easy to determine what changes are needed to comply with the new law. This could be especially useful if/when the US decides to pass the ADPPA.
Kalexius is experienced with GDPR and, as a matter of policy, we apply GDPR to any and all personal information that we process, irrespective of whether the GDPR is applicable to it. We have appropriate internal policies to ensure GDPR compliance and require our local partners to comply with our policies through contractual clauses.
We are able to leverage this experience and expertise to assist you in repapering exercises to update existing contracts, develop data processing agreements, and help you in developing a privacy program with scalability to ensure consistent compliance with evolving requirements.
For further information, please contact:
Danielle Okay, Kalexius