In celebration of Privacy Day, our Privacy and Data Security team wanted to provide our readers with a quick synopsis of the state of consumer privacy in the United States.
While the concept of privacy as it relates to governmental interference has been around since the country’s founding, consumer data privacy is something that the United States has grappled with ever since the 1970s, when laws such as the U.S. Privacy Act (1974) first came on the scene. Since that time, additional regulatory schemes including HIPAA (1996) and COPPA (2000) have imprinted themselves on the U.S. public’s consciousness in limited ways. Perhaps ironically, the European Union’s (EU) General Data Protection Regulation (GDPR), effective in 2018, has had the biggest impact on consumer data privacy in the United States. This impact was first felt with the passing of the California Consumer Privacy Act (CCPA). As discussed below, as we start 2023, the GDPR’s influence over our consumer privacy landscape is undeniable.
The GDPR created a wide-reaching and comprehensive consumer privacy framework that was rooted in transparency and the concept that an individual owns all of the data they create. The GDPR provided EU citizens specific rights (e.g., right to deletion, portability, to be forgotten), while also placing strict requirements on companies in the way they interact with the consumer data of EU citizens (e.g., breach notification protocols, proper consent for data collection). This framework is effectively the master design for consumer data privacy laws. As we prepare for the laws going into effect in 2023, and the laws that may be passed in 2023, we see the spirit of the GDPR in all of them.
The current “big deal” in the privacy world is implementing the changes enacted by the California Privacy Rights Act (CPRA). The CPRA is an amendment to the CCPA that seeks to strengthen the previous measure. While it went into effect on January 1, 2023, most companies are just now turning their focus to compliance ahead of the July 1, 2023 enforcement date. The CPRA amends the CCPA in many ways, but a few key focuses include: (i) further expansion of the rights of California residents; (ii) a new category of data called Sensitive Personal Information; and (iii) the law’s failure to extend employee and business-to-business exemptions (which have now expired). While companies are scrambling to comply with the CPRA (the regulations implementing the law are still not final), there are several other U.S. jurisdictions with consumer privacy laws going into effect in 2023.
Virginia’s New Law
The other consumer privacy law that went into effect on January 1, 2023, was Virginia’s Consumer Data Protection Act (VCDPA). This law applies to persons that conduct business in Virginia that either: (i) control or process personal data of at least 100,000 consumers (defined as a natural person who is a resident of the Commonwealth acting only in an individual or household context) or (ii) derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers. Similar to the GDPR and CPRA, this law also grants consumers rights around their data (i.e. access, correct, delete, opt-out).
Additional State Laws
The next grouping of consumer privacy laws that go into effect in 2023 all have effective dates of July 1 or beyond:
- Colorado Privacy Act (effective July 1, 2023): Applies to “controllers” that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to Colorado residents and that either (1) control or process the personal data of 100,000 or more consumers during a calendar year or (2) derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 or more consumers.
- Connecticut 2022 S.B. 6 (effective July 1, 2023): SB 6 applies to all individuals and organizations in Connecticut, as well as those from outside who interact with Connecticut residents for business purposes who: i) have controlled or processed the personal data of at least 100,000 Connecticut residents in the preceding year, with the exception of completing payment transactions; or ii) derive more than 25% of their annual gross revenue from selling the personal data of 25,000+ Connecticut residents.
- Utah Consumer Privacy Act (effective December 31, 2023): Applies to any entity that (1) conducts business in Utah, or produces products or services that are targeted to Utah residents; (2) has annual revenue of $25 million or more; and (3) annually controls or processes the personal data of at least 100,000 Utah residents, or controls or processes the personal data of at least 25,000 Utah residents and derives over 50% of its gross revenue from the sale of personal data.
All three of the above consumer privacy laws also give consumers rights to their data similar to the GDPR, CPRA, and VCDPA. Additionally, they also place requirements on the companies such as security standards, specific collection processes, and breach protocols.
On the Horizon
While it is important to be prepared for the laws that will go into effect in 2023, it is equally important to follow the draft legislation that may be passed into law this year. On the horizon, over a dozen different privacy laws could be passed this year, including but not limited to the Massachusetts Information Privacy Act, the Ohio Personal Privacy Act, the Kentucky Consumer Protection Act, the Tennessee Information Privacy Act, the Pennsylvania Consumer Data Privacy Act, and the New York Privacy Act. All of these laws follow similar frameworks to the numerous data privacy laws going into effect in 2023, but the variations of each are important and require detailed analysis on how they will impact your business. As 2023 progresses, we will continue to bring you the most up-to-date analysis on all things privacy and cybersecurity.