While the United States has typically taken a more hands-off approach to data privacy than other countries, such as those in the EEA, that is beginning to change. Historically, US privacy regulators and legislators have taken a sectoral approach, regulating specific types of data, particularly sensitive data such as health data and financial data. Three states, however, have now passed comprehensive privacy regimes similar to GDPR: California, Virginia, and Colorado. It is fully expected that other states will follow.
California, as usual, led the charge on passing a GDPR-style, comprehensive privacy law when it passed the California Consumer Privacy Act (CCPA) in 2018. CCPA has been in force since 1 January 2020.
Late last year, by ballot initiative, California residents approved the California Privacy Rights Act (CPRA), with approximately 56% voting in favor. CPRA significantly amends the existing CCPA by expanding individual rights, introducing new GDPR-style governance measures, and establishing a new enforcement agency (among other things). Importantly, CPRA does not replace or repeal CCPA, but rather augments it. Further, no new private right of action will be added by CPRA. The substantive provisions of CPRA do not take effect until 1 January 2023.
The thresholds to qualify as a "business" under CCPA have been revised to:
CPRA retains the CCPA's exceptions for personal information collected in the employment and business-to-business contexts and extends their sunset provisions to 1 January 2023.
CPRA introduces a new storage limitation requirement. Personal information is not to be retained for longer than is "reasonably necessary" for the specific, disclosed purposes. A data minimisation principle is also included. Collection, use, retention, and sharing of personal information should be limited to what is "reasonably necessary" to achieve the specified purposes.
Alongside some modifications to the right to know, deletion, and do-not-sell rights, CPRA includes a new right to "correction". There are also certain rights for "sensitive personal information" (a new category of information introduced by CPRA).
A new California Privacy Protection Agency would replace the Attorney General's Office as the regulator implementing CPRA rules and enforcing its requirements against violators. Enforcement will begin on 1 July 2023, and applies to violations occurring on or after that date.
Virginia is the second state, after California, to pass a comprehensive privacy law. The Consumer Data Protection Act (CDPA) will come into effect on 1 January 2023 (the same time as CPRA). Although this new Virginia law has been compared by many to California's current CCPA and the EU's GDPR, there are some differences. Businesses will find most of the differences a relief, although the law does introduce a few new concepts.
Virginia's law applies more narrowly than CCPA and GDPR. The law covers information about "consumers", meaning people acting in their personal capacity and not employees (unlike CCPA and GDPR). It applies to companies that conduct business in Virginia and meet one of the following:
Virginia also exempts financial institutions (subject to GLBA) and health care covered entities and business associates (subject to HIPAA). This is unlike CCPA, where the exemptions largely apply to types of information regulated by other laws, but not to the entities subject to those other laws altogether. That said, Virginia also exempts several types of information. Nonprofits are also exempt.
Virginia provides for individual rights similar to those found under CCPA, and also adds some found in GDPR. The process for responding to rights requests appears simpler than under CCPA and GDPR; however, unlike those two laws, Virginia provides fewer exceptions to honoring rights requests.
Virginia also goes beyond CCPA and includes GDPR's rectification right, and GDPR's right to object to automated decision making and profiling. Like CCPA, there is a right to opt out of selling information, but Virginia adds a right to opt out of targeted advertising. While the latter is not contained in CCPA, this concept is already addressed by those who follow the DAA and FTC self-regulatory schemes. This addition appears to be designed to help clarify some of the different interpretations under CCPA about whether targeted advertising is a "sale."
Although the CDPA rights process is generally more straightforward than CCPA, Virginia does add an appeals process. At the conclusion of that process, companies must direct consumers to the AG for any unresolved issues. The Virginia law also includes some of GDPR's "sensitive information" concepts, requiring opt-in consent to process any such information.
Virginia goes beyond CCPA by mirroring GDPR's collection and use limitations; it contains data security obligations similar to many jurisdictions. Like certain concepts in GDPR, under the new Virginia law, companies should only collect information needed for the purposes of the processing. Further, information should only be used for the purposes reasonably necessary and compatible with a company's stated disclosures.
This is unlike CCPA, and one area where companies may need to focus their efforts. A related concept under CDPA is to protect what information a company does maintain. This is similar to that which exists in many other US states as well as GDPR, and requires companies to implement and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. These practices should be appropriate to the volume and nature of the personal data at issue.
Virginia's law goes beyond CCPA in including certain GDPR-like accountability and governance requirements. CDPA calls for the documentation of data protection assessments, similar to GDPR but unlike CCPA. These assessments are to be conducted for specific types of processing activities listed in the statute, including targeted advertising and the sale of personal data. The Attorney General may request copies of these as part of a civil investigative demand. The assessments apply to processing activities created or generated after 1 January 2023, and are not retroactive.
CDPA also, like GDPR, requires agreements between controllers and processors (i.e., service providers) with specific language in those contracts.
Virginia, like California, has no private right of action. The AG has exclusive enforcement authority over CDPA. Moreover, the AG is required to provide a 30-day written notice to companies it believes are in violation of the law and an opportunity to cure prior to initiating any action. If the violation remains after that period, the AG may initiate an action and seek $7,500 in damages for each violation.
Finally, Colorado recently joined Virginia and California in passing a more comprehensive privacy law. The Colorado Privacy Act (CPA) will go into effect on 1 July 2023. This is six months after Virginia's CDPA and California's CPRA go into effect. The law does not have a private right of action, and the AG is to adopt regulations on certain aspects by 1 July 2023.
Like CDPA, Colorado's law covers information about "consumers", meaning people acting in their personal capacity, and does not apply to information about employees. The law will apply to companies that conduct business in Colorado and meet one of the following:
Like Virginia's CDPA, the law exempts financial institutions (subject to GLBA). While other types of data, including certain health care information, are exempt, covered entities and business associates subject to HIPAA are not wholesale exempt (unlike under CDPA). The law does not apply to other types of data regulated by various laws (such as COPPA and FERPA, among others). Unlike in California and Virginia, non-profits are in scope and will not be exempt.
Colorado consumers will have rights similar to those under other US laws and GDPR (for example, a right of access and to correct). There are also rights to deletion and data portability. Like Virginia and the CCPA, there is a right to opt out of selling information. Also like Virginia, there is a right to opt out of targeted advertising and profiling. For targeted advertising, this will not be a new concept, since companies will already be addressing this by following the DAA and FTC self-regulatory schemes.
Consumers will need to be able to action their rights through a universal opt-out mechanism: the Colorado AG will issue regulations on this topic. Also like California and Virginia, these rights requests must be honored within 45 days (with an extension available in certain circumstances).
Colorado's new law, as with that of Virginia, includes some of GDPR's "sensitive information" concepts, requiring opt-in consent to process any such information.
Like Virginia and GDPR, contracts between controllers and processors should outline certain obligations. (CPA uses the "controller" and "processor" terminology, similar to Virginia and GDPR, but unlike California which refers to parties as "businesses," "service providers" and "third parties".) Contractual obligations include instructions about the nature, purpose, and duration of processing. Contracts will also need to include requirements around sub-contractors, data security, termination procedures, and cooperation (among others).
CPA introduces data minimisation concepts, i.e., collection of information must be limited to what is reasonably necessary for the processing. This is like CDPA, CPRA, and GDPR. While not a new concept in data use activities, CPA more explicitly introduces a duty to avoid secondary uses of data. This means that personal data should not be processed except for the purposes for which the data was collected, unless the consumer consents.
CPA also calls for the documentation of data protection assessments, similar to CPRA (but not CCPA), CDPA, and GDPR. These assessments are required for specific types of processing activities listed in the statute. Those activities include the sale of personal data and processing of sensitive data. It also includes targeted advertising where profiling may present certain risks.
There is no private right of action under this new Colorado law. The AG and district attorneys have exclusive enforcement authority. The AG is required to provide a 60-day written notice to companies it believes are in violation of the law and an opportunity to cure prior to initiating any action. However, there is a sunset provision for the cure period starting 1 January 2025.
Violations of the CPA constitute deceptive trade practices and therefore are subject to a $20,000 per violation fine pursuant to the Colorado Consumer Protection Act.
These three laws blend together concepts from existing California and EU law. While companies have until 2023 to comply, they can now begin planning and budgeting for the new requirements and consider more broadly how they will comply with these requirements across states. For those already adhering to GDPR, the additional requirements may not be burdensome, but some level of gap analysis will be needed.