Editor’s Note: WRAL TechWire is starting a 5-part series on data privacy law to bring some clarity to one of the fastest-growing and most complex areas of technology law. This post was written by Steve Britt, Cyber, Data Privacy and Technology Advisor (CIPP/E, CIPM), Parker Poe and Sarah Hutchins, Cyber, Data Privacy and Technology (CIPP/US) Partner, Parker Poe.
Our previous articles in this series laid the groundwork for what lies ahead – a clear increase in legislative action in many states, with even whispers of significant progress in congressional committees with jurisdiction over data privacy.
Five new state laws take effect in 2023, and together they tell an important story about how far this movement has come. We already covered the California Privacy Rights Act (CPRA), which went into effect on January 1, 2023, in Part 3 of this series. Below is the complete list of new state laws and their effective dates:
- California Privacy Rights Act (CPRA): January 1, 2023
- Virginia Consumer Data Protection Act (VCDPA): January 1, 2023
- Colorado Privacy Act (CPA): July 1, 2023
- Connecticut Data Privacy Act (CTDPA): July 1, 2023
- Utah Consumer Privacy Act (UCPA): December 31, 2023
Let’s first discuss what they have in common, which is far greater and far more important than what separates them. This is the key to understanding the need for early action. All five of these new laws share the following features:
- They apply only to commercial businesses and exempt nonprofit, educational and government organizations. Colorado may be an exception, because the Colorado Attorney General has stated that the Colorado Privacy Act should apply to nonprofit organizations, and the statutory language allows for an interpretation that
- They include broad definitions of personal information and, apart from the CPRA, exclude employee and B2B data from their scope,
- Following California’s lead, they all include a new definition of sensitive personal information (or sensitive data) that
- All of them grant consumers essentially the same broad set of rights (access, deletion, portability and opt-out),
- They require detailed privacy notices and employee training,
- They require detailed record keeping and provide broad opt-out rights (of sale, targeted advertising and, in most of them, profiling),
- They require controllers to bind the processors they share data with by contracts containing specified terms,
- They are enforced by the state attorney general (and, in California, also by the new California Privacy Protection Agency) and provide no private right of action for violation of the statute itself.
However, there are some very important differences. For example, Virginia, Colorado and Connecticut require affirmative (opt-in) consent before collecting or processing sensitive data. They also require mandatory data protection assessments (DPAs) for any of the following activities: (i) selling personal data, (ii) targeted advertising, (iii) consumer profiling or (iv) processing sensitive data.
A data protection assessment must identify and weigh the risks that the processing poses to consumers against its benefits, document the safeguards adopted to mitigate those risks, and be made available to the attorney general on request as part of an investigation.
California and Utah give consumers the right to opt out of the sale of their data and to limit the processing of sensitive information, but they do not mandate DPAs, at least not yet. However, the CPRA directs California’s new privacy regulator, the California Privacy Protection Agency (CPPA), to issue regulations on risk assessments. Given GDPR’s data protection impact assessment requirements, we can expect an assessment requirement to be added to California’s rules in the future.
Utah’s new law applies only to companies with annual revenue of $25 million or more that also either process the data of 100,000 or more Utah consumers, or derive more than 50% of their revenue from the sale of personal data and process the data of 25,000 or more Utah consumers.
Connecticut’s new law treats compliance with the parental consent rules of the federal Children’s Online Privacy Protection Act (COPPA) as compliance with the Connecticut act’s own parental consent rules. Protecting children’s privacy has become a focus of the proposed federal privacy legislation, and ideally any federal law will draw the same lines Connecticut has.
Several conclusions can be drawn from these new laws. We will discuss these findings in our final article:
- These laws are roughly 85% identical, which simplifies compliance for covered businesses,
- The most important similarity is the absence of a private right of action for violations of the statute itself, which is a huge advantage for covered businesses, although California does allow private claims over certain data breaches,
- Even so, compliance will not be quick, easy or cheap,
- Requirements for affirmative consent before certain processing activities will complicate the collection and use of data,
- Restrictions on targeted advertising and profiling will also require close attention,
- All of these laws target “dark patterns,” user interface designs that lead users into unintended, involuntary and potentially harmful decisions about their personal information.
Several bills have been referred to committee this year, and there is still a chance that one or two more will pass. However, any law enacted now would likely not take effect until 2024 at the earliest, and 2023 already has enough in store.
About the authors
Steve Britt, CIPP/E, CIPM, is a cyber, data privacy and technology attorney at Parker Poe Law Firm. He focuses his practice on cybersecurity and data privacy laws and regulations. Britt advises clients on the full range of data protection laws. He can be contacted at firstname.lastname@example.org.
Sarah Hutchins, CIPP/US, is a cyber, data privacy and technology attorney at Parker Poe Law Firm. She helps clients navigate business litigation, government investigations, data privacy and cybersecurity. Hutchins can be reached at email@example.com.