USA: Practical considerations for meeting opt-out requirements under US state privacy laws - Part two
In this Insight article, Bart Huffman, Wendell Bartnick, and Haylie Treas, from Holland & Knight, address opt-out rights and related requirements under certain US state privacy laws that are currently in effect and/or will take effect in 2023.
Part two analyses the processing of opt-out requests, consent and opt-in requests, other compliance considerations, and the interplay with other major federal privacy laws, whereas part one explores opt-out rights, disclosures related to these opt-out rights, and opt-out mechanisms.
These state privacy laws include the California Consumer Privacy Act of 2018 ('CCPA'), as amended by the California Privacy Rights Act of 2020 ('CPRA')[1], the draft CCPA Regulations[2], the Colorado Privacy Act ('CPA')[3] and the draft Colorado Rules[4], the Connecticut Act Concerning Personal Data Privacy and Online Monitoring ('CTDPA')[5], the Utah Consumer Privacy Act ('UCPA')[6], the Virginia Consumer Data Protection Act ('CDPA')[7] (all five of these state laws jointly defined as the 'Five US State Privacy Laws'), and a Nevada privacy law[8].
Please note that this article relies in part on regulatory guidance (much of it still in draft form) as of the beginning of December 2022.
In considering the various state law requirements discussed below, an organisation should first assess which state's laws apply to it (and whether it is possible to segregate data concerning one state's residents from data concerning residents of other states and countries). An organisation may not be subject to a state's law if the organisation is not 'doing business' in the state, or if the organisation does not meet a revenue or volume of processing threshold, or for some other reason. Once applicability has been determined, an organisation can make an intentional, informed decision to voluntarily comply with some, all, or none of the requirements with respect to data concerning residents of particular states (or all states).
For scoping purposes, it is important to remember that only the California law applies to employee and business contact data. Thus, for states other than California, the opt-out rights and other requirements below only apply to consumers acting in their individual capacity residing in a given state (assuming that other thresholds for applicability are met).
Processing opt-out requests
The Five US State Privacy Laws and the Nevada privacy law describe how organisations should respond to individuals' requests to exercise their privacy rights. Under the privacy laws, organisations are generally required to respond only to requests that have been reasonably authenticated and verified to confirm that the request is being made by, or on behalf of, an individual who is entitled to exercise such rights[9].
However, in many cases (e.g. automatic collection of data by third-party cookie providers), an unidentified website user is merely attempting to exercise a right to turn off automated collection of data associated with the user and/or the user's computer systems. Accordingly, the authentication and verification requirement is relaxed under the California, Connecticut, and Colorado laws for opt-outs of the sale of personal information and use and disclosure for behaviour-based, targeted advertising (or 'sharing' under the CCPA)[10]. Authentication and verification for those opt-outs should not extend beyond confirming that the individual is a resident of the state and that the request is not fraudulent[11].
When an organisation has received an authenticated and verified opt-out, it should promptly (without undue delay) stop the processing to which the individual opted out and notify the individual of the successful opt-out when it occurs[12]. The California and Colorado draft regulations and rules require compliance with opt-outs of the 'sale' of personal information and behaviour-based, targeted advertising or 'sharing' within 15 days, while the other state privacy laws require compliance within 45 days[13]. The draft CCPA Regulations also require an organisation to notify and direct the third parties with which it has sold or shared personal information to comply with the opt-out request[14]. If an organisation does not comply with an opt-out request, it must notify the individual of the reason(s) for declining to comply[15].
Organisations are generally required to maintain records of the opt-out requests they receive and their responses to such requests[16]. The California and Colorado draft regulations and rules require maintaining the records for at least 24 months[17].
Consent and opt-in requests
In Colorado, Connecticut, Utah (only with respect to personal information about a child known to be less than 13 years old), and Virginia, organisations may process sensitive personal information only with opt-in consent[21]. Further, under Connecticut, Utah, and Virginia privacy laws, an organisation may be required to obtain such consent from a parent or legal guardian in accordance with the Children's Online Privacy Protection Act of 1998 ('COPPA') before the organisation can collect information from a child less than 13 years old or process sensitive information about a known child less than 13 years old.
The CCPA expressly requires opt-in consent from a parent/guardian before 'selling' or 'sharing' the personal information of children under 13 and opt-in consent from minors between the ages of 13 and 15 (inclusive)[22].
Other compliance considerations
In addition to the operational requirements described above, there are other considerations when processing personal information.
Data protection assessments
Under the privacy laws in Colorado, Connecticut, and Virginia (and probably under the draft CCPA Regulations in the future), an organisation may be required to perform a data protection assessment for certain uses of personal information for which an opt-out right is granted[23]. An organisation subject to those laws is required to conduct and document a data protection assessment when it processes personal information in a manner that presents a heightened risk of harm. Those laws expressly identify targeted advertising, certain profiling that has significant effects, and selling personal information as types of processing that require a data protection assessment. The assessment involves weighing the benefits and potential risks from the processing and identifying ways to mitigate risks.
Multi-state, multi-national privacy compliance programs
Similar to the US state privacy laws discussed above, privacy laws in other countries may protect information relating to individuals located in those countries regardless of where an organisation is located. Therefore, when US-based organisations collect personal information from or about individuals in other countries, privacy laws in those other countries may apply to the processing. For example, in the EU, the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive'), and country and local privacy laws may regulate how US organisations perform targeted online advertising, online analytics, sales of personal information, and certain profiling that has significant effects that involves individuals located in the EU.
When an organisation is required to comply with privacy laws in multiple US states and countries, compliance complexity increases. The laws may conflict or require different approaches to compliance. For example, an organisation may be able to sell personal information or perform certain profiling on an opt-out basis under the US state laws, but those same processing activities may be permitted only based on consent (an opt-in) or another legal basis in other countries.
To overcome this compliance challenge, an organisation should consider whether to focus its compliance program on meeting:
- all compliance requirements, including the highest legal bar where possible, regardless of the residency or location of the individual (e.g. require formal consent to certain processing even if not required in every jurisdiction);
- the applicable legal requirements based on residency of the individual, for example, by geo-fencing access to the organisation's websites and online services (e.g. obtain opt-ins where required and opt-outs where required); or
- some combination of the foregoing.
Data broker registration and opt-outs
Laws in California and Vermont require that 'data brokers' register with the state. Under those laws, a 'data broker' is a commercial entity that knowingly collects and sells or licenses to third parties the personal information of individuals with whom the entity does not have a direct relationship[24]. One purpose of the California law is to allow individuals to more easily identify data brokers, so that California residents can opt-out of the sale of their personal information by those data brokers under the CCPA.
Vermont does not have a corresponding, general privacy law with an opt-out right; however, the Vermont law requires data brokers to provide information in their registration submissions about any voluntary offer to individuals to opt-out of the collection, maintenance, or sale of their personal information[25].
The Nevada privacy law, as summarised above, grants Nevada residents the right to opt-out of the sale of their personal information by data brokers whose primary business is purchasing and selling, for monetary consideration, personal information of Nevada residents with whom they have no direct relationship[26].
Interplay with other major federal privacy laws
Although the US does not have a generally applicable federal privacy law, some organisations and activities have been subject to privacy regulation for many years. Three areas of federal privacy regulation are consumer reports (subject to the Fair Credit Reporting Act of 1970 ('FCRA')), financial institutions (subject to the Gramm-Leach-Bliley Act of 1999 ('GLBA')), and certain health information (subject to the Health Insurance Portability and Accountability Act of 1996 Rules ('HIPAA')). As a general matter, the FCRA is strongly pre-emptive, while the GLBA and HIPAA are weakly pre-emptive, which means they set a floor and allow for stricter state laws.
The Five US State Privacy Laws include carve-outs for these federal laws. The carve-outs are similar, but not identical. As a quick reference, an organisation otherwise subject to the Five US State Privacy Laws is potentially exempt from their requirements as discussed below. The following summary is a general guide, and as for other matters addressed in this article, the reader should consult the actual statutory language and obtain legal counsel before making any decisions as to how and whether to comply with any of the various laws.
Financial institutions subject to the GLBA are exempt under the Colorado, Connecticut, Utah, and Virginia laws[27]. The California exemption is more limited - the CCPA exempts personal information that is regulated by the GLBA (or the similar California financial privacy law) from the CCPA's requirements, but not from the provisions making statutory damages available for a negligent data breach[28].
The exemptions for health-related data are more detailed. The handling of HIPAA 'protected health information' by covered entities and business associates is exempt under all Five US State Privacy Laws, as is certain other information that is handled in the same manner as protected health information by eligible entities[29]. The laws of Connecticut, Utah, and Virginia are more lenient on their face. They offer a blanket exemption to HIPAA covered entities and business associates, although presumably such exemption only applies to the extent an organisation is acting in such capacity (so it may not add much, if anything, to the general exemption offered under all Five US State Privacy Laws).
As they must (given the strongly pre-emptive nature of the FCRA), the Five US State Privacy Laws exempt the processing of personal information that constitutes a 'consumer report' by consumer reporting agencies, as well as by furnishers and users of such reports[30]. In order to be exempt, the processing activity must be regulated by the FCRA (thus, for example, use of consumer report data for an improper purpose would not be exempt) and the processing must be performed in compliance with the FCRA (thus, for example, an entity that is effectively acting as a consumer reporting agency, but not complying with the host of associated requirements under the FCRA, would not be exempt). Notably, as with personal information subject to the GLBA, the CCPA provides that the negligent data breach of such information remains eligible for statutory damages under the state law[31].
Handling the various state-law requirements as to consumers' (and, in California, other individuals') preferences will not be a simple task. The challenges are amplified for organisations that are subject to federal privacy regulations, and for international companies that must comply with foreign laws and requirements. It will be interesting to see the approach taken by companies in various business sectors and multiple jurisdictions.
As with any new set of regulations, organisations will benefit from making a good faith, well-reasoned effort to comply, and to revisit the approach periodically to improve their practices as technology and activities evolve and further guidance becomes available.
1. Cal. Civ. Code § 1798.100 et seq. Available at: https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5
2. Cal. Code Regs. tit. 11, § 7000 et seq. Available at: https://cppa.ca.gov/regulations/pdf/20221102_mod_text.pdf
3. Colo. Rev. Stat. § 6-1-1301 et seq. Available at: https://leg.colorado.gov/sites/default/files/2021a_190_signed.pdf
4. 4 CCR 904-3. Available at: https://coag.gov/app/uploads/2022/10/CPA_Final-Draft-Rules-9.29.22.pdf
5. PA 22-15. Available at: https://www.cga.ct.gov/2022/ACT/PA/PDF/2022PA-00015-R00SB-00006-PA.PDF
6. Utah Code § 13-61-101 et seq. Available at: https://le.utah.gov/xcode/Title13/Chapter61/13-61.html?v=C13-61_2022050420231231
7. Va. Code Ann. § 59.1-575 et seq. Available at: https://law.lis.virginia.gov/vacodefull/title59.1/chapter53/
8. Nev. Rev. Stat. § 603A.300 et seq. Available at: https://www.leg.state.nv.us/nrs/nrs-603a.html
9. See CCPA, §§ 1798.110(b), 1798.115(b); CPA, § 6-1-1306(1); CPA Rules § 4.08(A); CTDPA, § 4(c)(4); UCPA, § 13-61-203(5); VCDPA, § 59.1-577(B)(4).
10. See CCPA Regulations, § 7026(d); CPA Rules § 5.08(D); CTDPA, § 4(c)(4).
11. See CCPA Regulations, § 7026(d); CTDPA § 4(c)(4).
12. See CCPA, § 1798.120(d); CPA, § 6-1-1306(2)(a); CTDPA, § 4(c)(1); UCPA, § 13-61-203(1-2); VCDPA, § 59.1-577(B)(1).
13. See ibid.; CCPA Regulations, § 7026(f)(1); CPA Rules § 4.03(A)(1).
14. See CCPA Regulations, § 7026(f)(1).
15. See CCPA Regulations, § 7026(e); CPA, § 6-1-1306(2)(b); CTDPA, § 4(c)(2); UCPA, § 13-61-203(3); VCDPA, § 59.1-577(B)(2).
16. See CCPA Regulations, § 7101(a); CPA Rules §§ 4.03(A)(2), 6.11(A); CTDPA, § 4(c)(5).
17. See CCPA Regulations, § 7101(a); CPA Rules §§ 4.03(A)(2), 6.11(A).
18. See CCPA, § 1798.135(c)(4); CCPA Regulations, § 7028; CPA, § 6-1-1306(1)(a)(IV)(C).
19. See CCPA § 1798.135(c)(4); CCPA Regulations, § 7028.
20. See CCPA Regulations, § 7028.
22. See CCPA, § 1798.120(c).
23. See CPA, § 6-1-1309(2); CTDPA, § 8(a); VCDPA, § 59.1-580(A).
24. See Cal. Civ. Code § 1798.99.80(d); available at: https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.48 (the definition excludes consumer reporting agencies subject to the FCRA, financial institutions subject to the GLBA, and insurance companies subject to California's insurance laws); 9 V.S.A. § 2430(4)(A); available at: https://legislature.vermont.gov/statutes/section/09/062/02430
25. See 9 V.S.A. § 2446(a)(3)(B); available at: https://legislature.vermont.gov/statutes/section/09/062/02446
26. See NRS, §§ 603A.323, .333, .346. Data brokers under the Nevada law do not include consumer reporting agencies or data regulated by the federal Fair Credit Reporting Act or financial institutions or data regulated by the GLBA. NRS § 603A.338.
27. See CPA, § 6-1-1304(2)(q); CTDPA, § 3(a)(5); UCPA, § 13-61-102(k); VCDPA, § 59.1-576(B).
28. See CCPA, § 1798.145(e). As a practical matter, this means that financial institutions still must comply with the CCPA for non-customer-related data, such as marketing data and employee data.
29. See CCPA, §§ 1798.145(c), 1798.146; CPA, § 6-1-1304(2)(a-e); CTDPA, § 3(b)(1-10); UCPA, § 13-61-102(e-g); VCDPA, § 59.1-576(C)(1-9). Similar to financial institutions, a covered entity handling employee and marketing data remains subject to the CCPA as to such data.
30. See CCPA, §§ 1798.145(d)(1); CPA, § 6-1-1304(2)(i); CTDPA, § 3(b)(11); UCPA, § 13-61-102(j); VCDPA, § 59.1-576(C)(10).
31. See CCPA, §§ 1798.145(d)(3), 1798.150.