Editor’s note: WRAL TechWire is kicking off a 5-part series on data privacy law to bring some clarity to one of the fastest growing and most complex areas of technology law. This post was written by Steve Britt, Counsel for Cyber, Data Privacy & Technology (CIPP/E, CIPM), Parker Poe and Sarah Hutchins, Partner for Cyber, Data Privacy & Technology (CIPP/US), Parker Poe.

+++

Our prior articles in this series have laid the groundwork for what now lies before us – a clear ramping up of legislative action across many states, with even whispers of significant progress in Congressional committees with jurisdiction over data privacy.

In 2023, we have five new state laws going into effect and they tell an important story about how far this movement has come. We already covered the California Privacy Rights Act (CPRA), effective January 1, 2023, in Part 3 of this series. The full complement of new state laws and effective dates are as follows:

  • California Privacy Rights Act: January 1, 2023
  • Virginia Consumer Data Protection Act: January 1, 2023
  • Colorado Privacy Act: July 1, 2023
  • Connecticut Data Privacy Act: July 1, 2023
  • Utah Consumer Privacy Act: December 31, 2023

Let’s first discuss what they have in common, which is far greater and far more meaningful than what separates them. This is key to understanding the need for early action. All five of these new laws include the following conditions:

  • They apply only to for-profit companies and exclude educational and governmental organizations. Colorado may be an exception as Colorado’s Attorney General has stated that the Colorado Privacy Act should apply to nonprofits and the language permits that interpretation,
  • They include broad definitions of personal information and, other than CPRA, exclude application to employees and B2B data,
  • Following California’s lead, they all include a new definition of Sensitive Information (or Sensitive Data),
  • They all include effectively the same broad data subject rights,
  • They require detailed privacy notices and employee training,
  • They require detailed recordkeeping and have an expanded Right of Opt-Out,
  • They require that data processors with which data is shared to have executed restrictive contracts with prescribed terms, and
  • They are only enforced by their Attorneys General and preclude a private cause of action for violations of the statute.

That said, there are some very important differences. For example, Virginia, Colorado and Connecticut each require affirmative consent, or a specific Opt-In, to the collection and processing of Sensitive Data. They also require mandatory data protection assessments (DPA) for any of the following actions: (i) the sale of data, (ii) targeted advertising, (iii) profiling of consumers or (iv) the processing of Sensitive Data.

Previous posts in this series

California jumps out in front (again) on data privacy – here’s how

Guest opinion: General Data Protection Regulation, or GDPR – Where it all began

Data privacy & you: What you really need to know from a legal point of view

 

A data protection assessment must analyze all elements of data processing that could have an adverse effect on data privacy, employing reasonable mitigation measures when appropriate, with such reports available to regulators as part of an audit or investigation.

California and Utah give consumers a Right of Opt-Out for the sale of data and for the processing of Sensitive Information but do not mandate DPAs, at least for now. However, data protection assessments are included on the list of potential regulations for California’s new data privacy regulator (CPPA). Given GDPR’s requirements for data protection impact assessments, we can expect DPAs to be added to California’s requirements in the future.

Utah’s new law only applies to businesses with $25,000,000 in annual revenue that also process data on 100,000 Utah residents or gain 50% of their revenue from selling data and process data on 25,000 Utah residents.

Connecticut’s new law provides that satisfaction of the parental consent rules under the Federal Children’s Online Privacy Protection Act (COPPA) satisfy the parental consent rules of the Connecticut Act. Protection of children’s privacy has become a focus of a possible Federal privacy law and hopefully the connection is along the lines drawn by Connecticut.

There are several conclusions that flow from these new laws. We will expand upon these findings in our concluding article:

  • These laws are virtually 85% identical, which simplifies the compliance tasks of covered businesses,
  • The most important similarity is the exclusion of private causes of action for mere violations of the statute, a huge benefit, though certain jurisdictions authorize data breach lawsuits,
  • That said, compliance will not be quick, easy or cheap,
  • Requirements of affirmative Opt-In for certain actions will complicate data collection and processing compliance,
  • Restrictions on targeted advertising and profiling will also require close attention, and
  • All these laws target “dark patterns,” which are online navigation designs that cause users to make unintended, involuntary and potentially harmful decisions regarding their personal information.

Several bills moved in committee this year and there is still an outside chance of another bill or two passing this year. However, the effective date of any new laws is likely to carry over into 2024 and the plate is certainly full enough for 2023.

About the authors

Steve Britt, CIPP/E, CIPM, is a cyber, data privacy & technology attorney at law firm Parker Poe. He focuses his practice on cybersecurity and data privacy laws and regulations. Britt counsels his clients on the full range of data protection laws. He may be reached at stevebritt@parkerpoe.com.

Sarah Hutchins, CIPP/US, is a cyber, data privacy & technology attorney at law firm Parker Poe. She helps clients navigate business litigation, government investigations, and data privacy and cybersecurity. Hutchins may be reached at sarahhutchins@parkerpoe.com.