As we head into the new year, US businesses need to assess the progress they have made in preparing for sweeping changes to the California Consumer Privacy Act (CCPA) that are effective as of January 1, 2023, as well as for four new state consumer privacy laws (in Colorado, Connecticut, Utah and Virginia) that become effective throughout 2023 (collectively, the “2023 Privacy Laws”). The California Privacy Rights Act (“CPRA”), which amends the CCPA, becomes enforceable on July 1, 2023, as do Colorado’s and Connecticut’s privacy laws, so businesses should use the July 1 date as a deadline for compliance with the 2023 Privacy Laws if they have not been able to meet Virginia’s January 1 effectiveness and enforceability date. (Some companies are not subject to the Virginia law, and others deem the enforcement risk there to be acceptable, especially given the opportunity to cure under the Virginia law.) To meet this deadline, businesses should conduct an audit of their current consumer rights request (“CRR”) process and cookie compliance, as well as a gap analysis of what will need to be done by July 1, and develop a project plan to ensure compliance by that date. A comparison of these laws and a set of model workstreams to help you prepare for them is at Appendix 1 of this alert.

One of the biggest changes this year is that HR and B-to-B communications data, to which California’s privacy law largely did not apply until January 1, 2023, came into full scope on that date after legislative efforts to further extend that deadline failed. Unlike the other 2023 Privacy Laws discussed here, the HR and B-to-B extension sunset on December 31, 2022, so CCPA rights and obligations, minus the CPRA modifications, are enforceable now. Ensuring compliance with these provisions should not wait. An explanation of these changes and guidance on how to prepare for them is at Appendix 2 of this alert.
In addition to making privacy program modifications to reflect the changes required by the 2023 Privacy Laws, businesses should take note of recent CCPA enforcement actions, and particularly a recent settlement involving website analytics and advertising cookies, as well as browser privacy choice signals, that includes payment of a US$1.2 million civil penalty. Many websites and mobile apps will need to substantially change the way they address cookies and other tracking technologies to avoid similar penalties. In a press release announcing the settlement, the California Attorney General (“CaAG”) reminded businesses that as of January 1, 2023, the CCPA’s current 30-day opportunity to cure violations and avoid civil penalties sunsets, and warned businesses not to hope for discretionary opportunities to cure. Companies should review their cookie compliance in light of the CaAG’s statutory interpretation and enforcement position and move quickly to remediate, if necessary, before they are caught up in ongoing enforcement sweeps. A breakdown of this case and other enforcement actions is at Appendix 3 of this alert.

The final revised regulations reflecting the 2023 changes to the CCPA are not yet effective. However, the California Privacy Protection Agency (CPPA) has closed public comments on its first draft of revised regulations and has sent a proposed final draft to the Office of Administrative Law for approval and publication. A subsequent round of new rulemaking will grapple with tough issues like automated decision-making and machine learning. Before the regulations are finalized, businesses should be considering the changes they will need to make. An analysis of the current proposed regulatory changes is at Appendix 4 of this alert.

Steps to Take By July 1, 2023
1. Assess readiness, conduct a gap analysis and develop a project plan
2. Update data inventory
3. Revise notices, policies and procedures
4. Refine consumer request program
5. Implement impact assessment program
6. Update data protection agreements and reassess status of data disclosures and recipients
7. Complete data retention schedule and program implementation
8. Implement reporting, record-keeping and training
9. Shore up data security and breach preparedness
10. Determine if all US consumers will get all rights (i.e., the highest level) regardless of residency, or develop and roll out a state-by-state approach

For more information, please contact any of the partners or counsel listed on the next page, or your relationship partner at the firm.

Appendix 1: Preparing for 2023 State Privacy Laws

Navigating Compliance in a Patchwork of State Privacy Laws

And then there were five. In 2022, although dozens of legislatures across the country introduced omnibus privacy bills, Utah and Connecticut emerged as the only two to have passed and enacted comprehensive privacy laws. They joined California, Virginia and Colorado in the already vexing patchwork of state privacy laws with which organizations will have to comply in 2023. A greatest common factor approach will almost certainly be in order with respect to certain compliance obligations. For example, the CPRA’s privacy policy disclosure obligations would appear to subsume the more limited requirements under the other state laws. In addition, each of the 2023 state privacy laws’ requirements as to data protection assessments are materially aligned. That said, a number of obligations across the 2023 state privacy laws are sufficiently dissimilar from one another, particularly when comparing the CPRA to the others, that relying on a single approach may not be possible or advisable from either a business or legal perspective.
This is especially true when it comes to consumer rights more generally, and also specifically with respect to digital advertising issues, where businesses are facing more than a dozen varied opt-out rights, as well as opt-in obligations for sensitive data in some states. Another ingredient in this cocktail is the lack of regulatory certainty: the California Privacy Protection Agency (CPPA) did not meet its July 1, 2022, deadline for final regulations. In May 2022, the CPPA issued, and approved, a proposed first draft of regulations and an Initial Statement of Reasons. The public comment period closed at 5 p.m. on August 23. In November 2022, the modified text of the proposed regulations, following a 45-day comment period, was published. The CPPA hopes to have a final rules package by early February 2023, but it is not clear if this deadline will be met. Also, the CPPA has yet to publish proposed rules for privacy assessments and automated decision-making. Colorado is also engaged in active rulemaking. The Colorado Secretary of State published proposed draft rules for the Colorado Privacy Act (“CPA”) on October 10, 2022; the rules were revised on December 21, 2022, in response to initial public input and are expected to be final before the end of Q1. As to the other states, the outlook for regulations is not fully clear, as their statutes do not provide direct authority to an agency to issue regulations.

That is not to say organizations should not act now. Given the expansion of consumer rights, business obligations and covered data under all of these laws as compared to the CCPA, and the expansive proviso for regulations in the CPRA, companies should spend this time, at the very least, expanding and updating their data inventories and understanding the new obligations these laws present. By way of example:
• HR and B-to-B information comes fully into scope under the CPRA.
• Sensitive data is a new concept under each of the 2023 laws, requiring either opt-in consent or application of an opt-out right.
• Data retention schedules must be understood on a category-by-category basis for the CPRA.
• Changes in the digital advertising industry (i.e., the cookieless future) will require your marketing teams to engage in more complicated and privacy-invasive advertising use cases that need to be understood sooner rather than later.
• Profiling and automated decision-making will become regulated under each law, with the CPRA providing a blank slate to the CPPA on the topic to issue potentially onerous, GDPR-inspired regulations.
• The GDPR-inspired controller/processor scheme in VA, CO, UT and CT will be new for organizations that did not deal with the GDPR and involves markedly different analysis than the business/service provider construct of the CCPA/CPRA, requiring significant work on the vendor management aspect of compliance.

In addition, as organizations prepare for compliance with the upcoming 2023 state privacy laws, they should be cognizant of any non-compliance with the currently effective CCPA and Virginia Consumer Data Protection Act (“VCDPA”). Among others, cookie/Do Not Sell compliance, financial incentives and technical compliance with privacy policy requirements remain enforcement priorities for the CaAG. The Virginia AG has exclusive authority to enforce the VCDPA starting January 1, 2023. Businesses should ensure compliance with the other 2023 Privacy Laws by July 1, 2023. Below, we provide a comparative analysis of various consumer rights and businesses’ obligations, comparing the state laws to one another and to their forerunners, the CCPA and GDPR, and a suggested roadmap toward compliance with the 2023 state privacy laws.
California Privacy Rights Act (CPRA)
Overview: Amends the California Consumer Privacy Act (CCPA).
Effective Date (Enforcement Date and Cure): January 1, 2023 (Enforcement begins on July 1, 2023; 30-Day Notice and Cure Provision will remain in effect indefinitely for security breach violations only).
Who Is Covered? For-profit “businesses” that meet thresholds, including affiliates, joint ventures and partnerships that do business in California and:
1. Have a gross global annual revenue of > US$25 million
2. Annually buy, sell or “share” (for cross-context behavioral advertising purposes) personal information of 100,000 or more California consumers or households OR
3. Derive 50% or more of annual revenues from selling or “sharing” (for cross-context behavioral advertising) California consumers’ personal information

Virginia Consumer Data Protection Act (VCDPA)
Overview: Shares similarities with California’s CPRA, with additional concepts inspired by the EU’s General Data Protection Regulation (GDPR), but is sufficiently dissimilar to require a separate compliance strategy.
Effective Date (Enforcement Date and Cure): January 1, 2023 (Enforcement begins on Effective Date; 30-Day Notice and Cure Provision will remain in effect indefinitely).
Who Is Covered? Business entities, including for-profit and B-to-B entities, conducting business in Virginia or that produce products or services that target Virginia residents and, during a calendar year, either:
1. Control or process personal data of at least 100,000 Virginia residents OR
2. Derive 50% of gross revenue from the sale of personal data AND control or process personal data of at least 25,000 Virginia residents

Colorado Privacy Act (CPA)
Overview: Largely modeled after the VCDPA, but also overlaps with California’s CCPA/CPRA, and uses categories like “controller” and “processor,” similar to the GDPR and VCDPA.
Effective Date (Enforcement Date and Cure): July 1, 2023 (Enforcement begins on Effective Date; 60-Day Notice and Cure Provision will remain in effect until January 1, 2025).
Who Is Covered? Any legal entity that conducts business in Colorado or that produces or delivers commercial products or services that intentionally target Colorado residents and that satisfies one or both of the following:
1. During a calendar year, controls or processes personal data of 100,000 or more Colorado residents OR
2. Both derives revenue or receives discounts from selling personal data and processes or controls the personal data of 25,000 or more Colorado residents

Utah Consumer Privacy Act (UCPA)
Overview: Largely modeled after the VCDPA, but also overlaps with the CCPA/CPRA, and uses categories like “controller” and “processor,” similar to the GDPR and VCDPA.
Effective Date (Enforcement Date and Cure): December 31, 2023 (Enforcement begins on Effective Date; 30-Day Notice and Cure Provision will remain in effect indefinitely).
Who Is Covered? Applies to “controllers” or “processors” who:
1. Conduct business in Utah or produce a product or service targeted to Utah residents
2. Have annual revenue of US$25 million or more AND
3. (a) Control or process data of 100,000 or more Utah residents in a calendar year OR (b) derive over 50% of the entity’s gross revenue from the sale of personal data and control or process personal data of 25,000 or more Utah residents

Connecticut SB6 (CTPA)
Overview: Largely modeled after the CPA, VCDPA and UCPA, with some similarities to the CPRA (e.g., express prohibition of “dark patterns”).
Effective Date (Enforcement Date and Cure): July 1, 2023 (Enforcement begins on Effective Date; 60-Day Notice and Cure Provision will remain in effect until December 31, 2024).
Who Is Covered? Applies to individuals and entities that do business in Connecticut, or that produce products or services that are targeted to Connecticut residents, that in the preceding year either:
1. Controlled or processed the personal data of at least 100,000 Connecticut residents (excluding for the purpose of completing a payment transaction) OR
2. Controlled or processed the personal data of at least 25,000 Connecticut residents, if the individual or entity derived more than 25% of its annual gross revenue from selling personal data

Scope of Coverage

The following chart demonstrates the similarities and differences of the current US consumer privacy laws of general application, and compares them to the GDPR:

Consumer Right (columns: GDPR, CCPA, CPRA, VCDPA, CPA, UCPA, CTPA, PICICA (NV))
Right to access: x
Right to confirm personal data is being processed: Implied, Implied, x
Right to data portability: x
Right to delete (1): x
Right to correct inaccuracies/right of rectification: x, x, x
Right to opt-out of sale: (2), (3), (3), (4), (3), (4), (3), (5)
Right to opt-out of targeted advertising (CO, VA, UT, CT)/cross-context behavioral advertising sharing (CA): x (6), x
Right to object to or opt-out of automated decision-making: x, (7), x, x, x, x, x
Right to object to or opt-out of profiling (8): x, x, x
Choice required for processing of “sensitive” personal data?: Opt-In, x, Opt-Out (9), Opt-In, Opt-In, Notice + Opp. to Opt-Out, Opt-In, x
Right to object to/restrict processing generally: x, x, x, x, x, x, x
Right to non-discrimination (10): Implied, x
Notice at collection requirement: x, x, x, x, x
Specific privacy policy content requirements
Purpose/use/retention limitations: Implied, x, x
Privacy and security impact assessments sometimes required: x, x, x
Obligation to maintain reasonable security: Implied

1 In California and Utah, deletion obligations are limited to PI collected from the consumer, but in Virginia, Colorado and Connecticut, any PI collected about the consumer is in scope of the deletion right.
2 Selling personal data under the GDPR generally would require the consent of the data subject for collection and would be subject to the right to object to processing.
3 Any consideration sufficient, but required.
4 Cash consideration required.
5 In NV, website and online service operators are required to offer an “opt-out,” but only for limited disclosures of certain information and only if the disclosure is made in exchange for monetary consideration.
6 However, certain data disclosures inherent in this type of advertising are arguably a “sale,” subject to opt-out rights.
7 Subject to substantial expansion under CPRA regulations. Based on preliminary rulemaking activities, it appears that the CPPA is contemplating a GDPR-like approach for automated decision-making and profiling.
8 CPRA’s concept of profiling is subject to change under the regulations. The profiling concepts in the other 2023 state privacy laws require legal or substantially similar effects.
9 Under the CPRA, the Sensitive PI opt-out right applies to certain processing activities beyond business purposes that are to be defined in CPRA regulations.
10 The CCPA (and likely the CPRA) take a more onerous ap