Last year was a busy one for data privacy legislation across the United States, and with many states’ consumer data privacy laws in effect this year, now is the time to reassess where more changes may be needed in order to prepare.
According to an analysis by the National Conference of State Legislatures (NCSL), “at least 35 states and the District of Columbia introduced or considered almost 200 consumer privacy bills in 2022.” Comprehensive (omnibus) privacy legislation was the most common type of bill considered, introduced in at 25 least states and the District of Columbia and in almost 70 bills, according to the NCSL.
Comprehensive privacy legislation, as defined by the NCSL, broadly refers to the regulation of the “collection, use, and disclosure of personal information and providing an express set of consumer rights with regard to collected data – such as the right to access, correct, and delete personal information” collected by businesses (data controllers).
To date, five states passed the following comprehensive privacy legislation:
- California Privacy Rights Act (CPRA), a modified version of the California Consumer Privacy Act (CCPA), effective Jan. 1, 2023
- Virginia Consumer Data Protection Act (VCDPA), effective Jan. 1, 2023
- Colorado Privacy Act (CPA), effective July 1, 2023
- Connecticut Data Privacy Act (CTDPA), effective July 1, 2023
- Utah Consumer Privacy Act (UCPA), effective Dec. 31, 2023
By design, these comprehensive consumer privacy laws have many similarities from a big-picture perspective, but they also have a patchwork of subtle differences that companies will need to iron out.
Below is a non-exhaustive list of some of those consumer privacy provisions and a brief overview of the similarities and differences between each state’s requirements.
Scope of coverage: Among the five states’ consumer privacy laws, Utah takes the most business-friendly approach, overall. Like other states, the UCPA applies to any business or data processor who does business in the state or produces a product or service targeted to consumers who are residents of that state.
The scope of the UCPA, however, covers only businesses or data processors that also:
- Have annual revenue of $25 million or more; and
- Satisfies one or more of the following thresholds: during a calendar year, controls or processes personal data of 100,000 or more consumers; or derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
Virginia, Colorado, and Connecticut establish similar 100,000/25,000 consumer thresholds, with some variance regarding the “gross revenue from the sale of personal data” threshold. What makes Utah’s multi-tier threshold more business-friendly, however, is that it ensures not only that smaller companies will not be subject to the UCPA, but also that even companies that satisfy the $25 million annual revenue threshold will not fall under the law, unless they also satisfy at least one of the other listed thresholds.
Other than Utah, California is the only other state to include a revenue threshold ($25 million in annual global revenue). Unlike the UCPA, however, the CPRA states that a business that does not make $25 million in annual global revenue can still fall under the scope of the CPRA, so long as it meets one of these other two thresholds: buys, sells, or shares the personal information of 100,000 or more California residents or households; or derives 50% or more of their annual revenue from selling or sharing California residents’ personal information.
“Consumer” defined: Subtle differences also exist between how each state defines “consumer.” Virginia, Colorado, Connecticut, and Utah define a “consumer” as an individual who is a resident of the state acting only in an “individual or household context.” The CPRA, in contrast, goes further by additionally including individuals acting in a “commercial or employment context.”
“Sale of personal data” defined: Under the various state consumer privacy laws, the “sale” of personal information triggers many of the requirements, and so understanding the definition of each state law is important. Virginia and Utah define “sale” as the exchange of personal data “for monetary consideration by a controller to a third party.” Cookie data for targeted advertising purposes, for example, may not apply. In contrast, California, Colorado, and Connecticut define “sale” more broadly as including “monetary or other valuable considerations.”
Personal data defined: Utah, Virginia, Connecticut, and Colorado define “personal data” broadly as any information that is “linked or reasonably linkable to an identifiable or identified individual.” Among these states, personal data does not include de-identified or publicly available information.
Scope of exemptions: The scope of exemptions is broad, and in some states more than others. All five states provide exemptions for government agencies, and – except for Colorado – exempt non-profit organizations. Virginia, Colorado, Connecticut, and Utah also provide exemptions for institutions of higher education, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) and – again, except for Colorado – covered businesses or business associates regulated by the Health Insurance Portability and Accountability Act (HIPAA).
In addition to the type of entities subject to exemptions, exemptions are provided for certain types of data covered by other federal laws. These exemptions vary by state but generally include, for example, the GLBA and HIPAA.
Privacy notices: As companies revise their privacy notices, or create new ones, keep in mind that some states’ consumer privacy laws – like Connecticut and Utah – require businesses provide a “reasonably accessible, clear and meaningful” privacy notice. Moreover, the privacy notice must include:
- The categories of personal data that are collected or processed by the businesses
- The purposes for processing the data
- How consumers may exercise their rights, and
- The categories of personal data that’s shared with third parties, if any
Some states– for example, Connecticut and Utah – further require that where the business “sells” consumer data to a third party or processes it for targeted advertising, the privacy notice must “clearly and conspicuously” disclose how consumers can exercise their opt-out rights may opt out of such activities.
Universal opt-out mechanisms: California, Colorado and Connecticut each require businesses to recognize universal opt-out mechanisms (GPC signals), which gives consumers the ability to opt-out of the processing of their personal data across multiple websites simultaneously, rather than having to make individual opt-out requests through each website. Virginia does not include such a requirement. Each state also has varying requirements regarding consumer opt-out rights pertaining to the collection of “sensitive” data, as defined by each state, which must also be considered.
The effective date to get into compliance varies by state. Under Connecticut’s privacy law, for example, universal opt-out mechanisms must be recognized by controllers as valid consumer requests beginning Jan. 1, 2025.
Service provider agreements: Also important from a legal and compliance standpoint, all five states require businesses to impose contractual obligations on data processors with whom they share consumer data. Colorado, Connecticut, Utah, and Virginia go beyond California by requiring businesses to provide clear instructions pertaining to the processing of personal data; the nature and purpose of the processing; the type of data to be processed; the duration of the processing; and the rights and obligations of the parties.
Data protection assessments: Among the five states, Utah is the only one that does not require businesses to conduct and document a data protection assessment regarding processing activities involving personal data. The scope and level of detail required by each data protection assessment varies greatly by state.
Compliance takeaways
The provisions mentioned above provide only a high-level overview of just a few of each state’s key requirements. Using the CPRA as a benchmark when reviewing the company’s privacy compliance program, it will be important moving forward to regroup as a cross-functional team and assess where further changes may be needed, depending in which states the business operates, and where its consumers reside.
As a fundamental first step, prudent companies will want to conduct a data mapping exercise that, at a minimum, provides clarity around what personal information the business collects, and how that data is stored, shared and used.
Ensuring compliance with each state’s patchwork of consumer privacy laws also requires reviewing and, where necessary, amending privacy notices and ensuring they’re easily accessible to consumers, as well as reviewing the company’s data retention practices, contracts with third parties, and conducting and documenting a data protection assessment.
The technology-related hurdles are also immense and demand involvement of IT, data security, and cybersecurity experts to ensure do-not-sell/share links are functioning properly, GPC signals are being recognized, and that the business has robust cybersecurity practices in place. For some companies, this is going to be a lot more resource-intensive of an undertaking than for others.
Keeping on top of developments in each state as new guidance becomes available and/or as state rules are revised is important as well. On Dec. 21, 2022, the Colorado Attorney General’s office, for example, published revised rules to its consumer privacy act, which make further changes to the draft rules it published in September.
In short, absent a comprehensive federal consumer privacy law, businesses will have to continue reviewing their data privacy compliance obligations state-by-state, and day-by-day.
For more information about the various privacy laws in effect and how to stay compliant:
View GRC Solutions by Regulation