Privacy Laws - Here, There and Everywhere (and All Different)
Website privacy laws are constantly changing. Are you affected by California’s recent amendments? What about Virginia? New Jersey? Connecticut? To find out if these laws have affected you, or will affect you, consult an attorney. We here at Temple Law are happy to help.
Whether these new laws affect you depends on several factors, including the size of your operation in a particular state, the number of residents whose information you process, etc. So, even if you don’t have an office in CA, CA’s website privacy laws may still impact you.
Some Background and How We Got Here
What is driving this wave of new regulations? An IAPP panel discussed this in a recent webinar. Elizabeth Denham, International Advisor at Baker McKenzie, believes people worldwide are developing “rights envy,” stemming from the privacy rights enacted in Europe in 2018, coupled with the issues surrounding Cambridge Analytica. In addition, more countries are ensuring that regulations are enforced and that their citizens’ rights are protected from big businesses.
Faith Myers, Chief Privacy Officer and Senior Vice President, McKesson Corporation, added that the United States is in a legislative session, so state privacy laws are changing almost daily. But that also means that the United States, unlike other countries (or regions – I’m looking at you, Europe), does not have a national policy. That means there could potentially be 50 different breach rules, 50 different cure periods, and 50 different methods to opt out. Generally, the rights granted under these laws apply to those who live in the state, not to where your company is located. Therefore, if you meet the requirements in California, the state with the strongest privacy protections in the United States, you must ensure your standard is at least that protective.
What About AI?
Gartner also reported that AI capabilities are used to build smart products and are often “integrated into a vendor offering, or a discrete platform managed by an in-house data science team.” This means that when (not if) AI is regulated, it may be near impossible to separate it from other core business operations or systems. This same issue could destroy data you worked so hard to collect if you are required to delete or disgorge information. You want to ensure you can return to a place before the bad data was entered; otherwise, you risk having to delete it all.
Finally, make sure your privacy professional, chief privacy officer, or other executive is working with your IT teams because executive liability is appearing more often as an enforcement tool. If you are asking your general counsel to tighten their belt, this is one area probably not worth the risk.
So, What Do Some of These New Laws Require?
California (California Privacy Rights Act (“CPRA”))
The CPRA went into effect on January 1, 2023. The new law will apply to you if you: (1) process the data of 100,000 or more California residents, or (2) derive 50% of your revenue from the sale or sharing of personal data of California residents, or (3) have over $25MM in worldwide revenue. California is stepping up residents’ rights by including the right to access, correct, delete, and opt out of the sharing and selling of their data. Additional changes include expanding the look-back period, adding links that allow consumers to opt out of the selling and sharing of personal data, and instituting special rules surrounding children’s data. To ensure your full compliance with this California law, you must confirm that any agreements you hold with vendors or contractors bind them to the same requirements.
Virginia (Virginia Consumer Data Protection Act (“VCDPA”))
The VCDPA went into effect on January 1, 2023, and will apply to you if you (1) control or process the personal data of more than 100,000 Virginia residents in a calendar year; or (2) control or process the personal data of 25,000 or more Virginia residents and over 50% of your gross revenue is from the sale of personal data. The VCDPA has some exemptions: (1) HIPAA and GLBA-regulated entities, and (2) some non-profits and higher education institutions. Consumers have the right to access, correct, and delete their data, along with the right to opt out of sales and certain processing. Fines can be as high as $7,500 per violation, but there is a 30-day cure period to correct violations.
Colorado (Colorado Privacy Act (“CPA”))
The CPA is effective July 1, 2023. This law will apply to you if you: (1) control the personal data of more than 100,000 Coloradans in a calendar year, or (2) sell any personal data of more than 25,000 Colorado residents. Like Virginia’s law, the CPA has some exemptions: HIPAA-covered entities and FCRA- and GLBA-regulated entities, along with de-identified data and publicly available information. Consumers have the right to access, correct, and delete their data, along with opting out of sales and the processing of certain data. Fines can range from $2,000 up to a total of $500,000.
Connecticut (Connecticut Data Privacy Act (“CTDPA”))
The CTDPA goes into effect on July 1, 2023 and will apply to businesses that control or process the personal data of 100,000 or more Connecticut residents in a calendar year, or that control the personal data of 25,000 or more Connecticut residents and derive over 25% of gross revenue from the sale of personal data (data used for payment processing is excluded from these thresholds). Consumers will have the right to access, correct, and delete data and may opt out of sales and the processing of certain data. Starting in 2025, there will be a global opt-out requirement, which allows a consumer to opt out of all websites through a browser extension or a global device setting. Fines range from $2,000 to $10,000. Until 2025, companies will have up to 60 days to cure violations.
Utah (Utah Consumer Privacy Act (“UCPA”))
The UCPA will take effect on December 31, 2023, but will apply to fewer businesses than the laws in the states above. That’s because the UCPA will apply only to companies that have annual revenue of $25 million and either (1) process the personal data of 100,000 Utah residents, or (2) derive more than 50% of revenue from the sale of personal data and process the personal data of at least 25,000 Utah residents. Utahns have the right to access and delete their data, and may opt out of sales and the processing of certain data. The fines are set at $7,500 per violation, but companies will have 30 days to cure. Finally, the Attorney General cannot start enforcement proceedings on its own: the Department of Commerce receives the complaints, and only if it finds evidence of a violation will the matter be referred to the Attorney General.
See Privacy International, “Cambridge Analytica, GDPR – 1 year on – a lot of words and some action,” 2019, https://privacyinternational.org/news-analysis/2857/cambridge-analytica-gdpr-1-year-lot-words-and-some-action