Recent Developments in the United States Consumer Privacy Landscape

The privacy landscape in the United States is rapidly evolving. State legislatures are becoming increasingly concerned with consumer privacy. In the absence of comprehensive federal legislation, states are filling the gap in a patchwork fashion. Colorado recently joined Virginia and California as the third state to pass comprehensive consumer privacy legislation, and four more states have similar bills in session.[1]

In this article, we provide a high level overview of the consumer privacy legislation in California, Virginia, and Colorado. These developments reflect a continued trend of enhanced consumer privacy protections in the United States. Businesses should take note of these privacy frameworks, as other jurisdictions are likely to draw upon them in creating their own privacy legislation.

1. California

The California Consumer Privacy Act (“CCPA”) was the first comprehensive piece of state consumer privacy legislation in the United States. It is currently in effect; however, the recently passed California Privacy Rights Act (“CPRA”) amends and expands on the CCPA, providing greater privacy rights to consumers and further regulating businesses. The majority of its provisions will take effect on January 1st, 2023.

(A) Applicability

The CCPA applies to any “business”, which is defined under the CCPA as a for-profit entity doing business in California that collects or processes consumer personal information, and that also meets one of the three following thresholds:

  • gross annual revenue over $25,000,000;
  • buys, sells, or shares the personal information of at least 50,000 consumers, annually; or
  • derives 50% or more of its annual revenue from selling or sharing consumer personal information.

Selling data is defined broadly to include communicating consumer personal information for monetary or other valuable consideration. The CPRA modifies the definition for “business” by raising the threshold for the buying, selling, or sharing of personal information from 50,000 consumers annually to 100,000 consumers annually. The California Attorney General’s Office has clarified that the $25,000,000 annual revenue threshold applies to a business’ global revenue, and not merely its revenue generated from Californian residents.

(B) Consumer Rights

Certain consumer rights under the CCPA are reminiscent of the consumer rights under the European Union's General Data Protection Regulation (“GDPR”). Under the CCPA, consumers have the right to know what personal information is being collected, the right to access, and delete personal information, and the right to data portability. They also have a right to know if personal information is sold, and a right to opt-out of the sale of personal information.

The CPRA expands on the rights under CCPA. Under the CPRA, consumers have the right to know if their information is being sold and if it is being shared, what information and to whom such information is being sold and shared, with the right for consumers to opt-out of both. The CPRA also adds a right to correct personal information and a right to limit the use and disclosure of sensitive personal information. The CPRA defines "sensitive personal information" as personal information that reveals, in respect of a consumer:

  • social security, driver’s license, state identification card, or passport number;
  • account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
  • precise geolocation;
  • racial or ethnic origin, religious or philosophical beliefs, or union membership;
  • the contents of any mail, email, and text messages unless the business is the intended recipient of the communication; and
  • genetic data.

“Sensitive personal information” also includes the processing of biometric information for the purpose of uniquely identifying a consumer, and personal information collected and analyzed concerning a consumer’s health, sex life, and sexual orientation.

(C) Obligations

(i) Privacy Notices

The CCPA requires businesses to provide notice to consumers of what personal information is being collected, the purpose of collection, whether it will be sold, consumer rights, and methods for submitting rights requests. Further, the CCPA requires businesses who sell personal information to include a link titled “Do Not Sell My Personal Information” to provide a clear opt-out process for consumers. Under the CPRA, businesses must also provide a link titled “Limit the Use of My Sensitive Personal Information” that allows consumers to control how their sensitive personal information is used or disclosed.

(ii) Processes for Rights Requests

Businesses must establish processes to allow consumers to exercise their rights and must respond to a consumer rights request within 45 days. Businesses may extend the requirement by an additional 45 days where reasonably necessary, though the consumer must be notified of the extension within the original 45 day period. If no action is to be taken, businesses must provide the consumer with reasons. Neither the CCPA nor the CPRA impose a requirement to provide an appeal process if a rights request is denied.

Businesses may not charge for consumer rights requests unless a business can demonstrate that a request is unfounded or excessive.

(iii) Data Protection Assessments

Under the CCPA, businesses are not require to conduct data protection assessments; however, the CPRA creates a new administrative body, the California Privacy Protection Agency, which has the power to issue regulations that require businesses to conduct annual audits if they process consumer personal information in a manner that presents significant risk to consumers. No such regulations have been released yet.

(iv) Contract Requirements

The CCPA distinguishes between the obligations of a business who controls personal information and a “service provider”[2] who processes personal information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose. Businesses must have written contracts with any such service providers, which prohibit such service provider from retaining, using, or disclosing personal information for a commercial purpose other than providing the services specified in the contract with the business.  

The CPRA modifies the definition of “service provider” under the CCPA to “a person that processes personal information on behalf of a business and that receives from or on behalf of the business consumer’s personal information for a business purpose pursuant to a written contract” provided that the contract prohibits the person from:

  • selling or sharing personal information;
  • retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract for the business;
  • retaining, using, or disclosing the information outside of the direct business relationship between the service provider or contractor and the business; or
  • combining the personal information that the service provider receives from, or on behalf of, the business with personal information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer subject to certain regulations.

The CPRA introduces a new “contractor” term, which it defines as “a person to whom the business makes available a consumer’s personal information for a business purpose, pursuant to a written contract with the business” provided that the contract contains the same prohibitions as those required for a service provider and a certification made by the contractor that the contractor understands the restrictions and will comply with them. Unlike service providers, contractors do not process personal information.

Subject to any other agreements between a business and a service provider or contractor, any such contract between a business and a service provider or contractor may permit the business to monitor the service provider or contractor’s compliance with that contract.

If a service provider or contractor engages any other person to assist in processing personal information for a business purpose on behalf of the business, or if any other person engaged by the contractor or service provider engages another person to assist in processing personal information for that business purpose, it must do so pursuant to a written contract binding the person to the service provider or contractor’s same obligations under the CPRA. The service provider or contractor must also notify the business of any such subcontracting engagements.

(D) Enforcement

The CCPA provides the California Attorney General with certain enforcement rights, including the right to seek injunctions and civil penalties of up to $2,500 for each violation, and up to $7,500 for intentional violations pursuant to a civil action. The CPRA also provides the California Privacy Protection Agency with enforcement rights to assess administrative fines for violations and intentional violations, with the same limits, pursuant to an administrative enforcement action.

The CPRA and CCPA are unique from the other two statues discussed below in that they provide for a private right of action in the case of a security breach. Damages are limited to $750 per incident, per consumer, or actual damages, whichever amount is greater.

2. Virginia

Virginia’s Consumer Data Protection Act ("VCDPA") takes effect on January 1st 2023.

(A) Applicability

The VCDPA has extra-territorial reach. It applies to persons conducting business in the state of Virginia or whose products or services target Virginia residents, and who meet one of the following two thresholds:

  • control or process the personal data of at least 100,000 consumers, annually; or
  • derive more than 50% of gross annual revenue from the sale of personal data from at least 25,000 consumers.

Like the CCPA, selling data is broadly defined to include monetary and other valuable consideration.

The VCDPA uses language similar to GDPR to distinguish between requirements and obligations of a “controller” and a “processor” of personal information. A “controller” is defined as a natural or legal person that determines the purposes for and means of processing personal data, while a “processor” is defined as a natural or legal person that processes personal data on behalf of a controller.

(B) Consumer Rights

Under the VCDPA, consumers have the right to data access, correction, deletion, and portability, and the right to confirm whether their data is being processed. Consumers also have the right to opt-out of the processing of personal data for the purposes of:

  • targeted advertising;
  • the sale of personal data; or
  • profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Any contract to waive or limit any such consumer rights established under the VCPDA is deemed to be void and unenforceable.

The VCDPA differentiates between personal data and pseudonymous data, by defining “pseudonymous data” as personal data that cannot be attributed to a specific individual without the use of additional information which is kept separately and securely. Consumer rights under the VCDPA do not apply to any pseudonymous data that a controller possesses, if that controller can demonstrate that any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information.

(C) Obligations

(i) Privacy Notices

Controllers must provide accessible, clear, and meaningful privacy notices to consumers that set out the categories of personal information being collected, the purpose of the collection, how consumers may exercise their privacy rights, the categories of personal data that will be shared with third parties, the category of those third parties, and whether personal information is used for targeted advertising.

(ii) Processes for Rights Requests

Controllers must provide a mechanism for consumers to exercise their rights under the VCDPA through a submission to the controller. Controllers must respond to the request of an authenticated consumer within 45 days. Controllers may extend the requirement by an additional 45 days, if reasonably necessary, but the controller must respond to the consumer within the original 45 day period. If a controller denies a consumer request, they must provide the consumer with written reasons for the denial and instructions on now to appeal the denial.

Controllers must implement an appeal process for those individuals whose rights requests are denied. If an appeal is denied, the controller must inform the consumer within 60 days, provide written reasons for denial, and provide information as to how they may contact the Virginia Attorney General if they have concerns regarding the result of the appeal.

Controllers may not charge a fee for a consumer who makes two rights requests per year. Additional requests may be charged a reasonable administrative fee.

(iii) Data Protection Assessments

Controllers must conduct and document data protection assessments when engaged in several activities:

  • processing personal data for targeted advertising;
  • selling personal data;
  • processing personal data for the purpose of profiling, where there is a reasonably foreseeable risk of (i) unfair or deceptive treatment, or unlawful disparate impact on, consumers; (ii) financial, physical or reputational injury to consumers, (iii) offensive intrusion onto the solitude, seclusion or private affairs of consumers, or (iv) other substantial injury to consumers;
  • processing of sensitive data; and
  • any processing activities involving personal data that presents a heightened risk to consumers.

Data protection assessments must be made available to the Virginia Attorney General upon an investigation.

(iv) Contract Requirements

Controllers must have written contracts with processors. Processors must follow the instructions of controllers and assist controllers in meeting their obligation under the legislation. Under the VCDPA, a contract between a controller and a processor must include obligations that the processor:

  • ensure each person processing personal data is subject to the duty of confidentiality;
  • delete or return all personal data at the end of the provision of service, as directed by the controller;
  • make available to the controller all information in processor’s possession that is necessary to demonstrate the processor’s compliance with its obligations;
  • allow for reasonable assessments of the processor’s processes, policies, and technical and organization safe guards in place to secure the data; and
  • ensure that any subcontracts engaged in by the processor are pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to personal data.

(D) Enforcement

The VCDPA is enforced by the Virginia Attorney General. The Attorney General may initiate an action and seek injunctions and civil penalties of up to $7,500 for each violation, and may recover expenses incurred in investigating and preparing a case. However, prior to initiating an action, the Attorney General must provide a 30 day period to allow the controller to cure an alleged violation.

The VCDPA specifically states that there is no private right of action for a VCDPA violation.

3. Colorado

The Colorado Privacy Act ("CPA") takes effect on July 1st, 2023.

(A) Applicability

Like the VCDPA, the CPA has extra-territorial reach. It applies to controllers of personal information that conduct business in Colorado or whose commercial products and services intentionally targets Colorado residents, and who:

  • control or process the personal data of at least 100,000 consumers, during a calendar year; or
  • control or process the personal data of at least 25,000 consumers, and derive revenue or receive a discount on goods or services from the sale of personal data.

In addition to using a broad definition for “sale” that appears in the CCPA and VCDPA, the CPA includes the receiving of discounts. The CPA does not use revenue thresholds. It also uses the language of “controller” and “processor” to delineate obligations.

(B) Consumer Rights

Consumer rights under the CPA are the same as under the VCDPA; however, in addition to the consumer rights, controllers are required to provide consumers with a universal opt-out mechanism that allows consumers to exercise all opt-out rights with the click of a button. Technical specifications of the mechanism will be provided by the Colorado Attorney General’s office at a later date and will become enforceable as of July 1st, 2024.

Like the VCDPA, consumer rights under the CPA to data access, correction, deletion, and portability do not apply to pseudonymous data, if the controller can demonstrate that the information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information.

(C) Obligations

(i) Privacy Notice

Controllers must provide an accessible, clear, and meaningful privacy notice to consumers that sets out similar information as the VCDPA privacy notice. In addition to notifying consumers that personal information is being sold, shared, or used for targeted advertising, controllers must inform the consumer of how to opt-out of these processes.

(ii) Processes for Rights Requests

Under the CPA, controllers must establish processes for consumers to exercise their consumer rights thereunder and appeals, with substantially similar requirements therefor as those found under the VCDPA.

(iii) Data Protection Assessments

Controllers must conduct and document data protection assessments when engaged in activities that are deemed to present a “heightened risk of harm” to consumers. These activities are the same as those outlined in the VCDPA. Data protection assessments must be made available to the Colorado Attorney General upon request.

(iv) Contract Requirements

Like the VCDPA, under the CPA, processors must follow the instruction of controllers and assist controllers in meeting their obligations. The CPA provides a comprehensive list of requirements for contracts between controllers and processors. A contracts between a controller and a processor must include:

  • instructions as to the nature and purpose of the processing;
  • the duration of processing and the type of data to be processed;
  • the requirement that every person involved in the processing of personal data be subject to a duty of confidentiality in regards to the data;
  • the requirement that the processor must inform the controller if they require the use of a subcontractor, that the controller may object to the use of a subcontractor, and that engagement of a subcontractor must be pursuant to a written contract that requires the subcontractor to meet the same obligations as the processor with respect to personal data;
  • processes for maintaining technical and organizational safeguards over the personal information;
  • whether the processor is require to delete or return all personal information to the controller at the end of the service;
  • the requirement that the processor make all information necessary to demonstrate compliance with the act available to the controller; and
  • the requirement that the processor allow for, and contribute to, reasonable audits and inspections.

(D) Enforcement

The CPA is enforced by the Colorado Attorney General and District Attorneys by penalties and injunctions. Penalties for each violation are limited to up to $20,000 per violation, and may not exceed $500,000 for a series of related violations. For the first 18 months of enforcement, the Attorney General is required to provide a 60 day notice to cure alleged violations prior to bringing an action. There is no notice to cure period after January 1st, 2025.

The CPA specifically states that there is no private right of action for a CPA violation.

Conclusion

State privacy legislation is a rapidly changing environment in the United States. The developments in California, Virginia, and Colorado reinforce the importance of staying up to date on privacy legislation. Understanding privacy trends in other jurisdictions can ensure businesses are well prepared to adapt to changes to their own obligation.

To learn more about how our Cyber/Data Group can help you navigate the privacy and data landscape, please contact national co-leaders Charles Morgan and Daniel Glover.

__________________________

[1] Massachusetts, New York, North Carolina and Pennsylvania, see the International Association of Privacy Professionals, US State Privacy Legislation Tracker.

[2] The CCPA defines “service provider” as “a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.”

Authors

Subscribe

Stay Connected

Get the latest posts from this blog

Please enter a valid email address