Most are aware that in the United States, California and Virginia have general data privacy laws in effect. The Virginia law became effective 1 January 2023, and at the same time significant modifications to California’s law also went into effect. Two more states have similar laws that will become effective 1 July 2023 (Colorado and Connecticut), and more are following, including Utah and then Iowa.
The US may be newer to the concept of 'comprehensive' privacy laws (laws aimed at all types of entities and regulating all types of information and activity) but the number of these laws in the country is growing rapidly. California started the trend. Its privacy law has been in force since 1 January 2020, with a modified version effective since 1 January 2023. Virginia was next, with a law that went into effect 1 January 2023. Colorado and Connecticut will have similar laws that become effective 1 July 2023, Utah from 31 December 2023, and Iowa, on 1 January 2025. There are also pending laws in Indiana, Montana, and Tennessee, all of which are anticipated to be signed into law soon, with effective dates of 1 October 2024 (Montana), 1 July 2025 (Tennessee) and 1 January 2026 (Indiana).
None of the state laws have as broad an applicability as that of California's CCPA. The CCPA more closely tracks the GDPR, and applies to personal information about all individuals (employees, employees of other companies, consumers). The other states’ laws, on the other hand, apply only to information of consumers. All laws except California's also exempt entities that are in regulated industries like health care and financial services. (California exempts only the information that is subject to GLBA, HIPAA and a few additional, specific, regulations).
In order for a company to be subject to one of these state laws, it must do business in the particular state (typically a broad definition), and also meet certain thresholds. Again, California’s bar is the lowest. The CCPA applies to any entity that has gross annual revenues above $25 million; buys, sells, or shares the personal information of 100,000 consumers; or derives 50% of or more annual revenue from selling personal information. Utah’s bar is the highest. Its privacy law applies to companies that have both revenues above $25 million and process personal information of at least 100,000 residents. The other five states laws apply if the company processes personal information of 100,000 or more of that states’ residents or process personal data of 25,000 residents and derive any revenue (Colorado), 25% of gross revenue (Connecticut), or 50% of gross revenue (Iowa, Utah, Virginia) from the sale of personal information.
Colorado and Connecticut do not add substantively to these requirements. Thus companies which already have modified their privacy policies to address California and Virginia will need only to expand the section of rights to indicate that individuals in their states also have access to rights.
Under the privacy laws of both California and Virginia, companies are required to allow consumers to opt-out of targeted advertising, the sale of personal information, or profiling that could produce legal or similarly significant effects on the consumer. Beginning 1 July 2023, Connecticut and Colorado will also require giving consumers the ability to opt-out of the sale of personal information, targeted advertising and profiling (and moving forward, Indiana, Iowa and Utah will follow).
The laws also require choices around the processing of sensitive information. In California, the choice is an opt-out. In Virginia, it is an opt-in. Colorado and Connecticut follow the opt-in approach. Iowa and Utah will follow California’s opt-out approach. Sensitive information includes race, religion, or ethnic origin information. In California and Virginia - with Colorado, Connecticut then Iowa and Utah to follow suit - it also includes biometric information. While California also includes social security numbers, drivers’ license numbers and financial account information in its definition, Virginia does not, nor do Colorado or Connecticut.
Like the GDPR, both California and Virginia require giving consumers certain rights, namely: access rights (and in California, the specific pieces of information collected about them), correction rights, and deletion rights. Colorado and Connecticut give the same rights. Utah will not give a correction right, and Indiana’s correction right will be limited to that information which the person gave the company. Certain exceptions to these rights apply in California and Virginia. For example, deletion is not required if it is impossible or involves disproportionate effort (California) or is manifestly unfounded or excessive (Virginia). Colorado, like California, will recognize an exception to the right to deletion if there’s a good-faith claim that compliance is impossible. Connecticut, like Virginia, offers an exception if the request is manifestly unfounded or excessive.
The states vary slightly in how these rights are to be provided. California requires confirming receipt of a rights request within 10 days. Virginia and California let companies take 45 days to respond, and Colorado and Connecticut will as well. In the future, so will Indiana and Utah. Iowa, on the other hand, will give companies 90 days to reply. Colorado, Connecticut, Iowa, Utah, and Virginia allow an additional 45 days where reasonably necessary due to the complexity of the request. California and Virginia allow verifying consumers’ identity before fulfilling a request, and Colorado and Connecticut (and later Iowa) will as well. Individuals can exercise requests twice within a 12 month period in California and Virginia, but only once in Colorado, Connecticut and Utah.
Similar to the GDPR, in California and Virginia, companies must have contracts in place with service providers. Provisions include purpose of data processing, confidentiality, and proof of compliance with privacy laws. California goes further and also requires that third parties subject themselves to audits to confirm compliance. California also states that third parties must limit any processing to the specific business purpose agreed to in the contract.
Colorado and Connecticut will impose similar contractual requirements on companies. They will also require that the processor get written permission to engage sub-processors (as will Iowa).
Companies which are doing business in Colorado and Connecticut will now have two more US states to add to the patchwork of 'comprehensive' privacy law compliance. This is, of course, in addition to the rest of the US’s patchwork approach to privacy. This includes laws at both a federal and state level that regulate specific activities (the sending of emails and texts, for example) or the collection and use of information from particular individuals (children). There are also laws in the US that apply to specific industries (health care, financial services).
Moving forward, we anticipate that beyond 1 July 2023, companies operating in the US will have ongoing work to do. There will be updates to rights provision processes, contract amendments, and potentially more. While no states at this time provide a private right of action, US regulators have been known to be aggressive in this space, and are already signalling their intent to enforce these laws.
The author is grateful for the assistance of Kathryn Smith, Sheppard Mullin's Privacy Fellow, in preparing this article.
Debbie Heywood looks at the latest proposals for changing UK data privacy law following the publication of a second Data Protection and Digital Information Bill.
1 of 6 Insights
Michael Tan, Julian Sun, Paul Voigt and Wiebke Reuter look at what China's new SCCs mean for businesses looking to export personal data from China to the EU.
2 of 6 Insights
Trilegal's Nikhil Narendran and Karishma Sundara look at the changes ahead for India's data and technology regulatory framework.
4 of 6 Insights
Borden Ladner Gervais' Elisa Henry, Candice Hévin, and Marguerite Rolland look at the laws which make up Canada's data privacy regulatory framework.
5 of 6 Insights
MinterEllison's Sonja Read, Susan Kantor, Christina Graves, Helen Lauder and Paul Kallenbach look at the proposed reforms to Australia's Privacy Act 1988.
6 of 6 Insights