Most are aware that in the United States, California and Virginia have general data privacy laws in effect. The Virginia law became effective 1 January 2023, and at the same time significant modifications to California’s law also went into effect. Two more states have similar laws that will become effective 1 July 2023 (Colorado and Connecticut), and more are following, including Utah and then Iowa.
When do the laws apply and who will they impact?
The US may be newer to the concept of 'comprehensive' privacy laws (laws aimed at all types of entities and regulating all types of information and activity) but the number of these laws in the country is growing rapidly. California started the trend. Its privacy law has been in force since 1 January 2020, with a modified version effective since 1 January 2023. Virginia was next, with a law that went into effect 1 January 2023. Colorado and Connecticut will have similar laws that become effective 1 July 2023, Utah from 31 December 2023, and Iowa, on 1 January 2025. There are also pending laws in Indiana, Montana, and Tennessee, all of which are anticipated to be signed into law soon, with effective dates of 1 October 2024 (Montana), 1 July 2025 (Tennessee) and 1 January 2026 (Indiana).
None of the state laws have as broad an applicability as that of California's CCPA. The CCPA more closely tracks the GDPR, and applies to personal information about all individuals (employees, employees of other companies, consumers). The other states’ laws, on the other hand, apply only to information of consumers. All laws except California's also exempt entities that are in regulated industries like health care and financial services. (California exempts only the information that is subject to GLBA, HIPAA and a few additional, specific, regulations).
In order for a company to be subject to one of these state laws, it must do business in the particular state (typically a broad definition), and also meet certain thresholds. Again, California’s bar is the lowest. The CCPA applies to any entity that has gross annual revenues above $25 million; buys, sells, or shares the personal information of 100,000 consumers; or derives 50% of or more annual revenue from selling personal information. Utah’s bar is the highest. Its privacy law applies to companies that have both revenues above $25 million and process personal information of at least 100,000 residents. The other five states laws apply if the company processes personal information of 100,000 or more of that states’ residents or process personal data of 25,000 residents and derive any revenue (Colorado), 25% of gross revenue (Connecticut), or 50% of gross revenue (Iowa, Utah, Virginia) from the sale of personal information.
Privacy notices
The laws all require specific content be included in their privacy policies, and that the policies be accessible and understandable. For those entities already complying with the requirements of California and Virginia, they know that this means - as with the GDPR - that the privacy policy must detail whether your business collects personal information, the categories of personal information collected, how the information is used, whether the information is shared and with whom, what rights consumers have, and how to exercise those rights. California businesses must also state whether they collect sensitive information and offer an opt-out option, explain their retention policies, and allow consumers to restrict the sharing of their information with third parties.
Colorado and Connecticut do not add substantively to these requirements. Thus companies which already have modified their privacy policies to address California and Virginia will need only to expand the section of rights to indicate that individuals in their states also have access to rights.
Choice and rights
Under the privacy laws of both California and Virginia, companies are required to allow consumers to opt-out of targeted advertising, the sale of personal information, or profiling that could produce legal or similarly significant effects on the consumer. Beginning 1 July 2023, Connecticut and Colorado will also require giving consumers the ability to opt-out of the sale of personal information, targeted advertising and profiling (and moving forward, Indiana, Iowa and Utah will follow).
The laws also require choices around the processing of sensitive information. In California, the choice is an opt-out. In Virginia, it is an opt-in. Colorado and Connecticut follow the opt-in approach. Iowa and Utah will follow California’s opt-out approach. Sensitive information includes race, religion, or ethnic origin information. In California and Virginia - with Colorado, Connecticut then Iowa and Utah to follow suit - it also includes biometric information. While California also includes social security numbers, drivers’ license numbers and financial account information in its definition, Virginia does not, nor do Colorado or Connecticut.
Like the GDPR, both California and Virginia require giving consumers certain rights, namely: access rights (and in California, the specific pieces of information collected about them), correction rights, and deletion rights. Colorado and Connecticut give the same rights. Utah will not give a correction right, and Indiana’s correction right will be limited to that information which the person gave the company. Certain exceptions to these rights apply in California and Virginia. For example, deletion is not required if it is impossible or involves disproportionate effort (California) or is manifestly unfounded or excessive (Virginia). Colorado, like California, will recognize an exception to the right to deletion if there’s a good-faith claim that compliance is impossible. Connecticut, like Virginia, offers an exception if the request is manifestly unfounded or excessive.
The states vary slightly in how these rights are to be provided. California requires confirming receipt of a rights request within 10 days. Virginia and California let companies take 45 days to respond, and Colorado and Connecticut will as well. In the future, so will Indiana and Utah. Iowa, on the other hand, will give companies 90 days to reply. Colorado, Connecticut, Iowa, Utah, and Virginia allow an additional 45 days where reasonably necessary due to the complexity of the request. California and Virginia allow verifying consumers’ identity before fulfilling a request, and Colorado and Connecticut (and later Iowa) will as well. Individuals can exercise requests twice within a 12 month period in California and Virginia, but only once in Colorado, Connecticut and Utah.
Contracts
Similar to the GDPR, in California and Virginia, companies must have contracts in place with service providers. Provisions include purpose of data processing, confidentiality, and proof of compliance with privacy laws. California goes further and also requires that third parties subject themselves to audits to confirm compliance. California also states that third parties must limit any processing to the specific business purpose agreed to in the contract.
Colorado and Connecticut will impose similar contractual requirements on companies. They will also require that the processor get written permission to engage sub-processors (as will Iowa).
Next steps
Companies which are doing business in Colorado and Connecticut will now have two more US states to add to the patchwork of 'comprehensive' privacy law compliance. This is, of course, in addition to the rest of the US’s patchwork approach to privacy. This includes laws at both a federal and state level that regulate specific activities (the sending of emails and texts, for example) or the collection and use of information from particular individuals (children). There are also laws in the US that apply to specific industries (health care, financial services).
Moving forward, we anticipate that beyond 1 July 2023, companies operating in the US will have ongoing work to do. There will be updates to rights provision processes, contract amendments, and potentially more. While no states at this time provide a private right of action, US regulators have been known to be aggressive in this space, and are already signalling their intent to enforce these laws.
Contact:
The author is grateful for the assistance of Kathryn Smith, Sheppard Mullin's Privacy Fellow, in preparing this article.
