USA: State privacy laws entering into effect in 2023
The New Year marks the entry into effect of various privacy legislation in the US along with amendments to existing privacy legislation. In particular, the California Privacy Rights Act of 2020 ('CPRA') which amends the California Consumer Privacy Act of 2018 ('CCPA'), and Virginia's Consumer Data Protection Act ('CDPA') entered into effect at the beginning of the year alongside Kentucky's House Bill 474 for an Act relating to insurance data security ('the Insurance Act').
Later in 2023, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring ('CTPDA'), the Colorado Privacy Act ('CPA') and Utah's Consumer Privacy Act ('UCPA') will enter into effect. OneTrust DataGuidance Research provides an overview of the impact this legislation will have, with comments from Starr Drum, from Maynard Cooper Gale LLC., Paul Lanois, from Fieldfisher, Odia Kagan, from Fox Rothschild LLP, and Beth Waller and John Pilch from Woods Rogers.
Lanois told OneTrust DataGuidance that, "the fact that we are seeing quite a few data privacy and security laws entering into effect during the course of 2023 is significant because it signals an increased focus on data usage from the authorities. It also raises public perception and awareness in these areas. However, the downside is that, since each state is doing its own thing, it is becoming increasingly difficult for businesses and organisations to comply with the multitude of data privacy and security laws, since the requirements in each state are slightly different."
Drum echoed such sentiments, noting that, "at first blush, the new consumer privacy laws in California, Colorado, Connecticut, Virginia, and Utah have 'big picture' similarities. For example, they generally give consumers the right to access, correct, delete, and opt-out of processing for purposes of targeted advertising or profiling. But the laws contain important differences such as the scope of exemptions, the contracting obligations between parties who exchange personal data, and the required means to effect opt-outs. The implementation of these distinctions into a comprehensive compliance program can be an intense undertaking."
The CPRA entered into effect on 1 January 2023, amending provisions of the CCPA. In particular, Waller and Pilch highlighted that, "the most substantial changes are in California, where personal information of employees, dependents, and business contacts is now covered by the privacy law."
The CPRA introduces many changes to the CCPA, including an expanded scope of application. The legislation applies to for-profit businesses that collect personal information from California residents, determine the purposes of processing, and meet at least one of the following thresholds: a gross annual revenue of $25 million or more; buying, selling, or sharing the personal information of 100,000 or more California residents or households; or deriving 50% or more of their annual revenue from selling or sharing California residents' personal information.
Significantly, the CPRA introduces new and expanded consumer rights, including the right to rectification and the right to limit the use and disclosure of sensitive personal information. More broadly, the CPRA includes provisions on use limitation, providing that the collection, retention, and use of personal data should be limited to what is necessary to provide goods and services, as well as requirements associated with the processing of sensitive personal information, which is a new concept under the CPRA. On data usage, the CPRA introduces new definitions along with requirements for the selling and sharing of personal data.
The CPRA also imposes new obligations on businesses. Businesses whose processing presents a significant risk to consumer privacy or security must complete an annual cybersecurity audit and submit regular risk assessments to the California Privacy Protection Agency ('CPPA'), which the CPRA creates to enforce and provide guidance on data protection matters. Importantly, businesses no longer have a 30-day cure period before the CPPA may fine them for violating data protection laws. On fines, an automatic fine of $7,500 may be imposed for a violation involving the personal information of minors.
On the CPRA, Kagan commented that, "Companies should prioritise any CCPA-ish things that they still haven't completed, as this is enforceable now. This includes looking at disclosures and revising them for the higher transparency standard; checking that you have all notices at collection in place; checking your 'do not sell/share' links are working; ensuring cookie compliance and recognition of GPC signals etc. In short order after that, companies should proceed on a brisk path of prioritised compliance with CPRA (and the other laws) so that you will get compliant in time or at least be able to demonstrate to a regulator that you were doing your best to be […]
The laws also impose many new obligations that companies will need to adopt. For example, many of the existing disclosures (privacy notices) do not meet the heightened transparency requirements of the CPRA/new laws. You need to describe things in a way that people understand, not just provide lists of things you process and lists of reasons and leave the mental acrobatics to the users. For the CPRA, of course, a big change is that 'employees are people (consumers) too' and they get all the rights of individuals. This will require companies to adopt new processes to facilitate this and will likely also affect how companies collect and process employee data."
The CDPA also entered into force on 1 January 2023 and is incorporated into the Code of Virginia. The CDPA applies to persons or businesses that conduct business in the Commonwealth of Virginia or produce products or services that are targeted to residents of the Commonwealth, and that during a calendar year either control or process the personal data of at least 100,000 consumers, or control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
Notably, the CDPA confers new rights on data subjects in Virginia, including the rights of access, correction, deletion, and portability. More specifically, the CDPA provides for a right to opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. In practical terms, the CDPA imposes numerous obligations on data controllers. This includes the conclusion of a contract between the controller and processor, which must govern the processor's data processing procedures in relation to the processing carried out on behalf of the controller, clearly establishing:
- instructions for processing data;
- the nature and purpose of the processing;
- the type of data subject to processing;
- the duration of processing; and
- the rights and obligations of both parties.
The CDPA also prescribes other obligations that the processor must carry out under the contract between controller and processor.
Similarly, the CDPA requires that controllers conduct a data protection assessment for processing activities including:
- the processing of personal data for purposes of targeted advertising;
- the sale of personal data;
- the processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of:
  - unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
  - financial, physical, or reputational injury to consumers;
  - a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or
  - other substantial injury to consumers;
- the processing of sensitive data; and
- any processing activities involving personal data that present a heightened risk of harm to consumers.
On implementing CDPA and CPRA requirements, Paul Lanois discussed with regard to global standards that, "while these laws are based on the same underlying principles (e.g. transparency, storage limitation, purpose limitation, data minimisation, etc.), they do not impose the exact same requirements. For example, the CPRA applies to HR or B2B data, whereas Virginia's CDPA has relatively broad exemptions which appear to exempt HR data and many types of B2B data from the scope of the CDPA. The CPRA has provisions regarding the exercise of opt-out rights via a technical signal (with specifications to be set forth in regulations), whereas Virginia's CDPA does not contain any provisions that address opt-out preference signals. Virginia's CDPA requires organisations to establish a process for a consumer to appeal the business' refusal to take action on a privacy request, whereas the CPRA does not have such a requirement. The list of differences goes on. In short, it is not possible to simply take one state law and apply it as a standard across the US – businesses would still need to ensure that they do not overlook any state requirement."
In addition, Waller and Pilch provided that, "the Virginia law and major revisions to the California law are in effect now, even if enforcement is delayed. [Therefore, companies should] take decisive actions at the highest level, i.e. assign responsibility to a single executive and require all other executives to support the effort, [and] make this known throughout the company, [as well as] take decisive actions at lower levels; this effort will require attention from some of your best technical experts, marketing managers, and business process designers, as well as your legal team. You may need assistance from outside the company."
Following the entry into effect of the CDPA, the Virginia State Attorney General ('AG') has authority to enforce its provisions and, prior to initiating enforcement action, must provide a controller or processor with 30 days' written notice identifying the specific provisions alleged to have been, or to be being, violated.
Notably, a bill to amend the CDPA with respect to protections for children was introduced by Emily M. Brewer on 11 January 2022; it redefines 'child' as any natural person under the age of 18. In particular, House Bill 1688 would, among other things, remove the exemption for controllers and processors that comply with the verifiable consent requirements under the Children's Online Privacy Protection Act to obtain parental consent, and require operators to obtain verifiable parental consent prior to registering any child for products or services, or prior to collecting, using, or disclosing such child's personal data. Moreover, House Bill 1688 provides that controllers are prohibited from processing the personal data of a child for the purposes of targeted advertising, the sale of such personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.
On the sectoral level, the Insurance Act entered into effect in Kentucky on 1 January 2023. Specifically, the Insurance Act creates a new Section of Subtitle 3 of Chapter 304 of the Kentucky Revised Statutes and is based on the National Association of Insurance Commissioners' ('NAIC') Insurance Data Security Model Law. The Insurance Act provides definitions for, among other things, 'consumer', 'cybersecurity event', 'encryption', 'information system', and 'publicly available information'.
More significantly, the Insurance Act imposes obligations on 'licensees'. These include the designation of one or more employees, an affiliate, or an outside vendor as responsible for the licensee's information security programme. Other data security obligations under the Insurance Act include annual risk assessments to evaluate the effectiveness of key controls, systems, and procedures.
Generally, the Insurance Act also requires licensees to develop an information security programme, including an incident response plan, to investigate cybersecurity events, and to meet recordkeeping and reporting requirements relating to cybersecurity events.
With regard to the laws that enter into force later in 2023, Drum commented, "Having some additional time to 'test' updated privacy compliance programs gives companies the opportunity to identify and resolve gaps before enforcement takes effect. However, since regulations and rules that supplement the CPRA and CPA are still being revised, and may not be finalised for several more months, this 'testing' window will be practically non-existent for certain obligations. Companies will need to be prepared to make quick adjustments before enforcement begins in those states."
On 1 July 2023, the CTPDA becomes effective, with an enforcement grace period lasting until 31 December 2024, and a further delay, ending on 1 January 2025, for the establishment of controls for collecting consent and responding to consumer opt-out requests.
In particular, the CTPDA provides that controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice, including, among other things, the categories of data processed, the purpose of processing, and the categories of personal data shared with third parties, if any. More generally, the CTPDA sets out a series of data processing principles for controllers, including data minimisation, purpose limitation, and the conclusion of contracts between data controllers and data processors.
Furthermore, the CTPDA requires controllers to conduct data protection assessments for processing activities which present a heightened risk of harm to consumers, such as processing for the purpose of targeted advertising, the sale of personal data, processing for the purpose of profiling, and the processing of sensitive data. These data protection assessments must identify and weigh the benefits that flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer.
Finally, the CTPDA confers enforcement authority on the Connecticut AG's Office, although, unlike the CPRA, it provides no private right of action. The CTPDA also provides that during the grace period from 1 July 2023 to 31 December 2024, the Connecticut AG shall, before bringing any action for violation of the CTPDA, issue a notice of violation to the controller if the AG determines that a cure is possible.
The CPA also enters into effect on 1 July 2023. Alongside providing consumer rights to correction, deletion of personal data, access, data portability, and to opt out of personal data processing for specific purposes, it imposes a range of obligations on data controllers. These include the requirement to obtain the data subject's consent before processing sensitive personal data or, in the case of a known child, the consent of the child's parent or lawful guardian.
More specifically, the CPA also requires data controllers to:
- ensure the collection of personal data is adequate, relevant, and limited to what is reasonably necessary in relation to its specified purposes;
- not process personal data for purposes not compatible with the initial specified purpose, unless the controller obtains the consumer's consent;
- ensure reasonable measures to secure personal data have been taken; and
- not process personal data in violation of laws that prohibit unlawful discrimination against consumers.
In addition, the CPA establishes that processing by a processor must be governed by a contract between the controller and processor that is binding on both parties, setting out processing instructions, the type of personal data subject to processing, requirements regarding the duty of confidentiality, and the data controller's ability to object to the engagement of a subcontractor. Further, the CPA outlines in detail how processors may meet their obligations to the data controller, including taking appropriate technical and organisational measures and aiding the controller in meeting its security obligations, among others.
Similar to other state-based legislation, the CPA requires controllers to conduct data protection assessments for processing presenting a heightened risk to consumers, including processing for targeted advertising, selling personal data, and processing sensitive data. Data protection assessments must also be made available to the Colorado AG upon request.
In relation to the draft rules implementing the CPA ('the Draft Colorado Rules'), Lanois explains, "Updated Draft Colorado Rules came out on 21 December 2022, which may also be updated over the coming months. While it is difficult of course to predict the final contents of these regulations, businesses can prepare by ensuring they have solid privacy foundations in place (e.g. updated disclosures and notices at collection, processes in place for the exercise of privacy rights, updated contracts with vendors / service providers, etc.)"
Finally, the UCPA enters into force on 31 December 2023. The UCPA establishes new rights for consumers, such as the right of access, deletion, portability, and the right to opt out of targeted advertising or the sale of personal data.
Furthermore, the UCPA outlines various controller and processor responsibilities, such as the requirement to provide privacy notices, or the requirement to establish, implement, and maintain reasonable administrative, technical, and physical data security practices. The UCPA also contains provisions with respect to the processing of sensitive, de-identified, or pseudonymous data. Notably, data protection assessments are not required under the UCPA.
On the other hand, vendor relationships are regulated under the UCPA, which requires a contract between the controller and processor establishing the instructions for processing, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. Further, contracts between controllers and processors must also ensure that each person processing personal data is subject to a duty of confidentiality, and that any subcontractor is engaged pursuant to a written contract requiring the subcontractor to meet the same obligations as the processor.
This year has already proven an active year for US privacy legislation. Since the beginning of 2023, seven privacy bills have been introduced in state legislatures, namely:
- House Bill 1030 for the Oklahoma Computer Data Privacy Act;
- Senate Bill 0073 for the Tennessee Information Protection Act;
- Senate Bill 15 on Consumer Data Privacy in Kentucky;
- Senate Bill 365 for the New York Privacy Act;
- Senate Bill 2080 for Mississippi Consumer Data Privacy Act;
- Senate Bill 5 on Consumer Data Protection in Indiana; and
- Senate Bill 619 relating to Protections for the Personal Data of Consumers in Oregon.
On the new bills, Kagan stated that, "it's five days into the year and we have already seen four comprehensive privacy laws proposed: Oklahoma, Tennessee; Kentucky and New York. This will definitely be a year of active privacy legislation. I haven't done a deep dive of these three proposals yet but the attitude is evident even from the New York Bill introduction paragraph that read: 'Privacy is a fundamental right and an essential element of freedom. New York consumers deserve more notice and more control over their data and their digital privacy'. As for the Federal front, a lot of progress has been made with the ADPPA. While there are many on both sides that have substantive objections to parts of it, I believe there is a consensus among the American public that their right to privacy should be better protected in all 50 states. Hopefully this session will see discussion continue, on the merits, through serious, bipartisan negotiation."
Correspondingly, Lanois posited that, "I think as more US states are considering introducing their own privacy laws, this will further increase the need for a federal law in order to have a single streamlined privacy framework across the United States. While most large and medium-sized organizations are able to cope with keeping up with new privacy developments, many smaller organizations and startups will struggle to keep up or will not have the resources to do so."
Along similar lines, Drum commented that, "I think every year moves us a step closer to a federal privacy law, but we may be several more state privacy laws away from a federal law passing, especially with a divided congress. Privacy is an area where both sides recognize the benefit of uniform minimum standards, but they have yet to reach consensus on two key issues: preemption and enforcement."
However, Waller and Pilch spotlighted that, "for the next two years, the House of Representatives will be controlled by Republicans, while the Senate will be controlled by Democrats. It is difficult to imagine a federal privacy law emerging during this period. We will see further attempts to pass privacy laws at the state level. It seems unlikely that a more comprehensive, California-type law will be passed, but something along the lines of Virginia’s CDPA could pass in several states."
Notably, Kagan explained that, "while the US laws are definitely not a replica of GDPR, there is a lot of evident 'cross pollination' both with them and GDPR, and as between the US laws themselves. The Draft Colorado Rules in the questions specifically refer to both the GDPR and the draft CPRA Regulations. Unlike CCPA, the new laws implement many GDPR concepts like: data minimisation; purpose specification (use for the stated purpose and secondary purposes only if compatible); retention limitation; Data Protection Impact Assessment; limitations on profiling and automated decision making. Generally, this aligns the US approach with the EU standard, which Europeans are vocal about saying is higher. This makes it easier to comply with all regimes, but there are still differences like the concept of sale/share; the fact that under the CPA sensitive data processing requires opt in consent; the fact that the list of processes for which you need to do a DPIA in the CPA is broader than that of GDPR; the differing requirements for the service provider agreement etc."
Finally, on the wider data protection landscape, Waller and Pilch added that, "The European Commission and the US Government have put together a new data privacy framework, Privacy Shield 2.0. Predictably, Max Schrems and his team at None of Your Business ('NOYB') think this framework is insufficient. Until the highest EU court, the Court of Justice of the European Union ('CJEU'), rules on the legality of this framework, there will be uncertainty around most transfers of personal data from the EU to the US. It is possible that such a ruling could come in 2023, but more likely that this issue will not be resolved this year."
Harry Chambers, Senior Privacy Analyst
Comments provided by:
Starr Drum, Cybersecurity and Privacy Lead, Maynard Cooper Gale LLC., Birmingham AL
Paul Lanois, Director, Fieldfisher, Palo Alto
Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy, Fox Rothschild LLP, Philadelphia
Beth Waller, Principal, Woods Rogers, Richmond VA
John Pilch, Cybersecurity/Privacy Analyst, Woods Rogers, Richmond VA