As more states begin to introduce or enact their own versions of data privacy and consumer protection laws, a dramatic shift has begun to take place in which the balance of power is tipping from the companies that collect and use personal data toward the data subjects themselves. For companies, however, these developments necessarily require reassessing and enhancing their data privacy and consumer protection policies and procedures, creating new obligations for chief compliance officers tasked with implementing robust data privacy compliance programs. 

U.S. state data privacy laws 

Five states, to date, have officially enacted comprehensive consumer privacy laws which have either gone into effect or will be in force by the end of 2023. They are:  

  • California’s Privacy Rights Act (CPRA) in force as of Jan. 1, 2023 
  • Virginia’s Consumer Data Privacy Act (VCDPA) in force as of Jan. 1, 2023 
  • Colorado’s Privacy Act (CPA) in force as of July 1, 2023 
  • Connecticut’s Data Privacy Act (CTDPA) in force as of July 1, 2023 
  • Utah’s Consumer Privacy Act (UCPA) will enter into force Dec. 31, 2023 


While different in many ways, all address consumer rights and the obligations of businesses to satisfy those new consumer rights, as follows.  

All five regulate the collection, use, and disclosure of personal information, providing consumers greater rights to access, correct, or delete personal information collected by businesses, commonly referred to as “data controllers.”  

All five also address the regulatory obligations of data controllers regarding the collection, storage, use, and retention of consumer data. These requirements vary from state to state, making this an area where the compliance obligations of companies operating in the United States – whether based within or outside of the US – can be tricky. 

State-by-state requirements: A summary 

Each state’s data privacy legislation applies to businesses or data processors that do business in that state, or that produce a product or service that targets consumers who are residents of that state. Certain other exemptions apply for non-profits and institutions of higher education, with variances in each law requiring a close examination of each.  

California (CPRA) applies to businesses that: 
  • Have $25 million in annual gross revenue; OR 
  • Process data of at least 100,000 consumers; OR 
  • Derive at least 50% of gross revenues from selling or sharing data 

Virginia (VCDPA) applies to businesses that: 
  • Process data of at least 100,000 consumers; OR 
  • Process data of at least 25,000 consumers and derive at least 50% of gross revenues from selling data 

Colorado (CPA) applies to businesses that: 
  • Process data of at least 100,000 consumers; OR 
  • Process data of at least 25,000 consumers and derive revenue or receive a discount on goods or services from selling personal data 

Connecticut (CTDPA) applies to businesses that: 
  • Process data of at least 100,000 consumers (excluding purely payment transactions); OR 
  • Process data of at least 25,000 consumers and derive at least 50% of gross revenues from selling personal data 

Utah (UCPA) applies to businesses that: 
  • Have $25 million in annual gross revenue and process data of at least 100,000 consumers; OR 
  • Process data of at least 25,000 consumers and derive at least 50% of gross revenues from selling personal data 

Key terms 

Subtle differences also exist between how each state’s data privacy law defines certain key terms, including “consumer,” “sensitive personal data,” “de-identified data,” and what constitutes the “sale” of personal data. Some of those key terms are discussed below. 

Consumer: The states all define a “consumer” as a state resident acting in an “individual or household context” though California additionally protects individuals acting in a “commercial or employment context.” 

Sensitive personal data: More stringent protections exist for “sensitive” personal information (e.g., Social Security numbers, geolocation data, racial or ethnic origin), and there are variances between the states as to what qualifies as sensitive personal data. 

De-identified data: Personally identifiable information (PII) is protected. For data to be treated as de-identified, the compliance responsibility rests with the data controller to put measures in place ensuring the data cannot be linked back to an individual.  

Sale of personal data: Subtle differences also exist in how each state defines the “sale” of personal data. The UCPA and VCDPA define “sale” as the exchange of personal data “for monetary consideration by a controller to a third party.” Cookie data exchanged for targeted advertising purposes, for example, is not covered by that definition. In contrast, the CPRA, CPA, and CTDPA define “sale” more broadly to include “monetary or other valuable considerations.” Under the CPRA, the restrictions apply to data that is “shared” as well as data that is “sold.” 

Data controller requirements 

As discussed above, data controllers are the businesses that collect, use, and disclose consumers’ personal information; they will need to comply with new requirements such as: 

Opt-in/opt-out consent: The CPA, VCDPA, and CTDPA require opt-in consent for the collection and processing of sensitive data. By comparison, the CPRA and UCPA take an opt-out approach, requiring that consumers be given the option to opt out of having their data processed.  

Universal opt-out mechanisms: The CPRA, CPA, and CTDPA require businesses to recognize universal opt-out mechanisms, such as Global Privacy Control (GPC) signals, giving consumers the ability to opt out of the processing of their personal data across multiple websites simultaneously, rather than having to make individual opt-out requests through each website. Virginia has no such requirement. 
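Honoring a universal opt-out signal is one of the few places where these obligations turn directly into code. The following is an added example, not code from the article or from any regulator: it assumes the GPC signal arrives as the HTTP request header `Sec-GPC: 1` (the header defined by the Global Privacy Control specification), assumes that a valid signal is treated as a request to opt out of both sale/sharing and targeted advertising, and assumes the signal takes precedence over a previously stored business-specific opt-in. The request headers and consent records are constructed for illustration.

```python
"""
Added example: treating a Global Privacy Control (GPC) browser signal as a
valid opt-out request on the server side.

Assumptions (not stated in the article): the signal is carried in the request
header `Sec-GPC` and only the exact value "1" counts as a signal, per the GPC
specification; a signal overrides a previously stored opt-in (conflict
handling is an assumption here, not something the article addresses).
"""
from dataclasses import dataclass
from typing import Mapping


def gpc_opt_out_present(headers: Mapping[str, str]) -> bool:
    """Return True only if the request carries a well-formed GPC signal.

    HTTP header names are case-insensitive, so the lookup ignores case.
    Anything other than the single character "1" (e.g. "0", "true", "") is
    not a GPC signal and must not be treated as an opt-out.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


@dataclass(frozen=True)
class ConsentRecord:
    """The consumer's stored preferences for this business (constructed)."""
    sale_or_sharing_opted_out: bool = False
    targeted_ads_opted_out: bool = False
    source: str = "none"  # where the current preference came from


def apply_request_preferences(headers: Mapping[str, str],
                              stored: ConsentRecord) -> ConsentRecord:
    """Merge a request's GPC signal into the stored consent record.

    A valid signal is recorded as an opt-out of sale/sharing and of targeted
    advertising, and (by assumption) takes precedence over an earlier opt-in.
    Requests without a signal leave the stored record untouched.
    """
    if gpc_opt_out_present(headers):
        return ConsentRecord(sale_or_sharing_opted_out=True,
                             targeted_ads_opted_out=True,
                             source="gpc")
    return stored


def may_share_for_targeted_ads(record: ConsentRecord) -> bool:
    """Gate for passing this consumer's data to an ad partner."""
    return not (record.sale_or_sharing_opted_out
                or record.targeted_ads_opted_out)


def audit_line(request_id: str, record: ConsentRecord) -> str:
    """Evidence line for the compliance log (format is constructed)."""
    return (f"request={request_id} source={record.source} "
            f"sale_or_sharing_opted_out={record.sale_or_sharing_opted_out} "
            f"targeted_ads_allowed={may_share_for_targeted_ads(record)}")


if __name__ == "__main__":
    # Constructed sample requests: one with a GPC signal, one with a
    # malformed value, one with no signal at all.
    samples = {
        "req-001": {"Sec-GPC": "1", "User-Agent": "example-browser"},
        "req-002": {"sec-gpc": "true"},
        "req-003": {"User-Agent": "example-browser"},
    }
    # The consumer previously opted in to ad sharing on this site.
    stored = ConsentRecord(source="site-preference")
    for rid, hdrs in samples.items():
        print(audit_line(rid, apply_request_preferences(hdrs, stored)))
```

The deciding check is deliberately strict: a header that is present but not exactly `1` is ignored rather than guessed at, so a misconfigured client cannot accidentally flip a consumer's stored preference, while a well-formed signal is honored regardless of what the consumer previously selected on the site.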

Children’s personal data: Stronger restrictions apply to the processing and sharing of children’s data. Under the VCDPA, CPA, and CTDPA, the data of minors constitutes “sensitive” data, with children defined as those under age 13. Parental or guardian consent is required to process children’s data, in accordance with the Children’s Online Privacy Protection Act (COPPA). By comparison, the CPRA divides children into two age groups, both of which require consent for their information to be sold or shared. However, only children under age 13 require parental or guardian consent, while children between the ages of 13 and 15 may provide their own consent. 

Privacy notices: All businesses must have in place a privacy notice that generally covers the categories of personal data collected or processed by the data controller or data processor; the purpose for collecting, sharing, or selling consumers’ personal information; an explanation of the methods by which consumers may exercise their rights, such as opt-out rights; the categories of third parties with whom the data controller shares personal data; and the categories of personal data being shared with those third parties. 

Data protection assessments: Except for the UCPA, the four other U.S. states with comprehensive consumer privacy laws currently in place require data controllers to conduct and document a data protection assessment to identify and mitigate potential risks posed to consumers in connection with the processing of their personal data. 

Using the VCDPA as a framework, businesses should, at a minimum, assess the following five types of processing activities: 

  • The processing of personal data for purposes of targeted advertising. 
  • The sale of personal data. 
  • The processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of (i) unfair or deceptive treatment of, or unlawful disparate impact on, consumers; (ii) financial, physical, or reputational injury to consumers; (iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or (iv) other substantial injury to consumers. 
  • The processing of sensitive data. 
  • Any processing activities involving personal data that present a heightened risk of harm to consumers. 

Because data protection assessments vary state-by-state, companies should refer to the language in each law to determine how best to conduct a data protection assessment in compliance with all other relevant state law requirements. 

Compliance lessons 

As more U.S. states consider or enact consumer data privacy laws, it will be prudent for companies to reevaluate their data collection, data minimization, and data retention policies and procedures, if they have not begun this process already. Privacy notices should also be revisited and revised, ensuring they provide consumers with the appropriate opt-in/opt-out rights. It is worth noting that five other states – Indiana, Iowa, Montana, Tennessee and Texas – have also enacted laws that will come into force in 2024 or later, all with their own thresholds and requirements. 

Additionally, it is important to have in place contractual safeguards with relevant service providers, contractors, and other third parties. Alongside these measures, the business should also be conducting regular data protection assessments that holistically align with all the relevant U.S. state data privacy laws with which the business must comply.  

All these compliance measures will require a cross-functional team—including compliance, risk, legal, finance, HR, senior leadership, and IT/cyber security—working alongside the IT team, as technical mechanisms will now need to be implemented that provide consumers with opt-out controls. 
