Data Privacy Laws in 2022 – What You Need to Know
In today’s world, threats to data privacy and cybersecurity continue to increase in both volume and complexity. In an effort to ensure that personal data is sufficiently protected, some states have introduced new laws focused on the protection of consumers’ personal data.
As California prepares to update its current consumer privacy laws, Colorado and Virginia are also getting ready to implement new data privacy regulations. If your company deals with the personal information of consumers, it is crucial to stay informed of the laws that affect your business and what you can expect in the near future.
The experienced data protection and privacy lawyers at Kendall PC can help your company navigate the complexities of new and emerging data privacy laws.
Before discussing the new data privacy laws that will go into effect in 2023, it is important to understand the current law in California, and how it relates to the approaching laws in other states in 2023.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018, and went into effect January 1, 2020. As one of the most substantial U.S. privacy laws today, the CCPA is a comprehensive consumer privacy law which grants California residents new rights regarding their personal information and imposes various data protection duties on certain business entities conducting business in California. A “business” is subject to the CCPA if it is a for-profit entity, including a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity, that;
- Directly, or by engaging others to act on its behalf, “collects” a California consumer’s “personal information”;
- Determines the purposes and means of processing that “personal information,” alone or jointly with others; and
- Meets one of the following jurisdictional thresholds:
a. Has annual gross revenues that exceed $25 million, adjusted for inflation;
b. Annually buys, receives, shares, or sells the “personal information” of more than 50,000 consumers, households, or devices for commercial purposes, alone or in combination; or
c. Derives 50% or more of its annual revenues from selling consumer’s personal information.
The CCPA defines personal information as any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular household or consumer. Importantly, the CCPA protects data even if it does not relate to a specific individual because it covers devices and households, and further protects information connected to any unique identifier, rather than an individual person’s name.
A “household” is a person or group who all reside at the same address, share a common device or the business’s service, and use the same group account or unique identifier. The CCPA also provides for certain exceptions and exclusions from applicability.
Examples of personal information that is protected under the CCPA include, but is not limited to, the following so long as the data point actually identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:
- Internet or other electronic network activity information, including, but not limited to:
- Browsing history
- Search history
- Information regarding a consumer’s interaction with an internet website, advertisement, or application
- Education information, as defined in the Family Educational Rights and Privacy Act (FERPA)
- Professional or employment-related information
- Audio, electronic, visual, thermal, olfactory, or similar information
- Geolocation data
- Biometric information
- Commercial information, including:
- Records of personal property, products or services purchased, obtained or considered
- Other purchasing or consuming histories or tendencies
- Identifiers such as:
- Real name
- Alias
- Postal address
- Unique personal identifier
- Online identifier
- Internet protocol (IP) address
- Email address
- Account name
- Social security number
- Driver’s license number
- Passport number
- Other similar identifiers
- Characteristics of protected classifications under federal or California law such as race, national origin, religion, gender, or sexual orientation
- Personal information categories described in the California Customer Records statute, which in addition to the identifiers included above, also lists a person’s:
- Signature
- State identification card number
- Insurance policy number
- Education
- Employment or employment history
- Bank account number, credit card number, debit card number, or any other financial information
- Medical information or health insurance information
The scope of personal information under the CCPA also extends to inferences drawn from any of the information otherwise defined as “personal information” that is then used to create consumer profiles that reflect a particular consumer’s characteristics, preferences, aptitudes, abilities, intelligence, attitudes, behavior, predispositions, and psychological trends. This means that, for example, companies that utilize artificial intelligence (AI) to assess the preferences of consumers or identify potential job candidates must examine what personal information they may collect and manage in light of the CCPA.
The CCPA grants consumers several rights, including:
- Notice and information rights
- Deletion rights
- Personal information sale prevention rights
- Freedom from discrimination
Business Obligations Under the CCPA
Businesses subject to the CCPA should take steps to address and meet its personal information protection obligations, including, at a high level, the following:
- Remaining current on the CCPA and future revisions
- Classifying personal information transfers as “sales” or “disclosures for a business purpose”
- Considering whether the business should stop selling personal information
- Implementing reasonable security practices and procedures to protect personal information
- Assessing the current state of CCPA-related business practices
- Complying with all mandatory CCPA Notice disclosure requirements, such as:
- Notice at Collections
- CCPA Privacy Policies
- Opt-Out Right Notices and links to opt out of the selling of personal information
- Financial incentive Notices, as applicable
- Developing processes for honoring CCPA consumers’ rights to receive, accept, verify, and respond to consumer rights requests
- Producing requested data in a portal format
- Enabling systems to process sales opt-out and opt-in requests
- Evaluating applicability of CCPA exceptions
- Ensuring pricing models and business practices meet CCPA non-discrimination requirements
- Complying with record-keeping and employee training requirements
- Auditing business systems for compliance
- Reviewing, analyzing, and amending third-party service provider and other third parties to ensure alignment with CCPA requirements
CCPA To Be Replaced by California Privacy Rights Act (CPRA) in 2023
The California Privacy Rights Act (CPRA) expands and amends the CCPA. Approved by California voters on Nov. 3, 2020, the CPRA will go into effect on January 1, 2023.
The CRPA is broader in scope than the existing CCPA, creating additional rights and obligations as well as establishing the first state agency dedicated to privacy – the California Privacy Protection Agency (CPPA). While the CRPA amends and extends the CCPA in numerous ways, some key changes include the following:
- Creation of the California Privacy Protection Agency (CPPA), who is charged with implementing and enforcing the CRPA including direction to adopt final CRPA regulations by July 1, 2022
- Revisions to “covered businesses” definition including the scope of jurisdictional threshold requirements
- Addition of a number of new exclusions to protect certain special interests such as for trade secrets and certain commercial credit reporting agency actions
- Creation of a new classification and definition of personal information – “sensitive personal information” – that carries additional disclosure, opt-out and use requirements.
- Creation of a “sharing” as new, separate type of “personal information” transfer
- Creation of new consumer rights to:
- Correct inaccurate personal information
- Opt-out of sharing personal information for cross-context behavioral advertising purposes
- Restrict sensitive personal information processing
- Expansion of business obligations regarding “personal information” in several ways, including:
- Imposing clear data minimization and purpose limitation requirements
- Deleting personal information after its retention is no longer reasonably necessary for its disclosed collection purpose
- Establishing audit requirements for high-risk processing activities
- Requiring written contracts containing specific provisions whenever it shares or sells personal information to a third party or discloses it to a service provider or contractor for a business purpose
- Addition of explicit data security requirements requiring businesses to implement reasonable security procedures and practices appropriate to the nature of the personal information to protect from unauthorized or illegal access, destruction, use, modification, or disclosure
- Expansion of private right of action for data breach liability by revising “personal information” definition to include an email address in combination with a password or security question and answer that permits access to an online account
- And more
The data protection and privacy attorneys at Kendall PC can assist businesses of all sizes transition from the compliance requirements of the CCPA to those of the CPRA.
Virginia Consumer Data Protection Act (VCDPA)
Signed into law on March 2, 2021, the Virginia Consumer Data Protection Act (VCDPA) will go into effect on January 1, 2023.
The VCDPA shares many similarities with the CPRA. However, there are also significant differences, such as:
- The VCDPA narrower scope only protects its state residents when they act in their individual or household context; it specifically excludes employees or people acting solely in a commercial context
- The VCDPA expressly prohibits processing sensitive data without the consumer’s consent, subject to some limited exceptions. In contrast, the CPRA follows a notice and opt-out system
- The CPRA’s notice requirements are broader and required more detailed and comprehensive privacy notices than the VCPDA
- The Virginia Attorney General’s Office will enforce VCDPA requirements
- The VCDPA directly requires data protection impact assessments for processing that involves sensitive data, selling personal data, processing personal data for targeted advertising, or the data processing activities pose a heightened risk of consumer harm, including for activities that present a reasonably foreseeable risk of consumer harms or disparate impacts
- The VCDPA does not include a private right of action
Colorado Privacy Act (CPA)
The Colorado Privacy Act (CPA) became the third comprehensive data privacy regulation adopted in the United States, after the CCPA/CPRA in California and the CDPA in Virginia. The CPA passed on May 26, 2021, was signed into law on July 8, 2021, and will go into effect on July 1, 2023.
While sharing several similarities with the CCPA/CPRA and the VCDPA, the Colorado law contains certain elements that distinguish it from the other two regulations. Additional compliance efforts are required for companies that fall within its jurisdiction. For example:
- The CPA is narrower in scope as it does not impose a revenue threshold meaning that businesses cannot become subject to the law due to annual revenue alone
- The CPA is broader in scope in that it extends applicability to businesses that processes the personal data of 25,000 consumers and receive any revenue or discount from the sale of data
- Both the Attorney General of Colorado and District Attorneys are responsible for enforcement of the CPA
- The CPA does not explicitly provide fine guidance – violations of the CPA are considered a deceptive trade practice and the penalties are governed by the Colorado Consumer Protection Act. Noncompliant entities may be fined up to $20,000 per violation
- The CPA does not provide an entity-level exemption for HIPAA-regulated entities, though it does set forth several specific exemptions for health care controllers
- The CPA provides a different opt-out procedure in that it mandates a controller provide consumers the right to opt out and a universal opt-out option so that a consumer can click one button to exercise all opt-out rights
Learn How Our Data Protection and Privacy Attorneys Can Help Your Business
The data protection and privacy attorneys at Kendall PC are passionate about providing strategic, originative, and cost-efficient legal services for emerging and established companies of all sizes. As new laws and regulations continue to emerge and evolve, our knowledgeable team can help your company mitigate risk and ensure compliance.
To learn how our data protection and privacy team can help your business, contact Kendall PC today online or at (484) 414-4093. We serve small, midsized, and emerging companies throughout the United States and across the globe.