CCPA

The Utah Consumer Privacy Act is the final state data privacy law to be coming into effect this year. It will become effective at the tail end of the year on December 31st, 2023. Enforcement will begin on the same day. However, one of the unique features of UCPA as it stands now, is that the Utah Attorney General and the Division of Consumer Protection will be required to submit a report evaluating the effectiveness of the statute by July 1st, 2025.Amendments  should be expected to be derived from that report to augment the effectiveness of the current statute. UCPA is one of the more unique state data privacy laws and is considered to be the most business friendly to come into effect this year. It is heavily modeled after VCDPA, but with more scope and more leniency towards violations.

The Utah law extends consumer privacy rights similar to those found in VCDPA and the other laws modeled from it. However, unlike VCDPA and CPA, UCPA does not afford consumers the right to rectify their personal data, nor does it allow consumers to opt out of data profiling. Notably, UCPA does not provide consumers a right to request a data controller to delete all personal data collected on a consumer. The data controller is only obligated to delete personal data the consumer has provided the data controller.

Another way in which UCPA differs from VCDPA and CPA is that data controllers or processors  are not required to establish an appeal process if they deny requests to exercise consumer rights. However, similarly to VCDPA and CPA businesses must respond to these data privacy right requests free of charge to the consumer, but have protections against “excessive, repetitive, technically infeasible, or manifestly unfounded.” Another area where UCPA separates itself from VCDPA and CPA is that not only does it exclude deidentified data, and publicly available information from its definition of personal data, but it also excludes aggregated data as well.

One of the parts of UCPA that separates it from its peer consumer privacy laws is the multi-layered enforcement approach. UCPA gives the Utah Attorney General exclusive enforcement authority, however that is not the first stage of enforcement. The Division of Consumer Protection is obligated to create a “system to receive consumer complaints.” If after investigating consumer complaints they believe there is “reasonable cause to believe that substantial evidence (of a violation) exists,” the director of the Division of Consumer Protection may submit a referral to the Utah Attorney General. The attorney general may then decide to take action, by notifying the offending party. The offending party then has 30 days to cure the violation or be subject to fines up to $7,500 per violation.

With the level of leniency provided in this first iteration of UCPA there are real questions about how effective the enforcement arm of law will be and whether it will provide sufficient motivation to businesses subject to the law. Activity out of the Division of Consumer Protection and the Office of the Utah Attorney General will certainly be something to compare against the California Privacy Protection Agency and the Colorado and Virginia Attorneys General.

The next data privacy law coming into effect this year will be the Connecticut Data Privacy Act (CTDPA). The CTDPA  comes into effect on July 1st, 2023, with enforcement beginning on the same day. Like the remaining data privacy laws that we’ll discuss, CTDPA was largely modeled after the Virginia Consumer Data Protection Act (VCDPA) with influences from the California Privacy Rights Act (CPRA). However, the cure provision that allows organizations the opportunity to cure a violation before the Attorney General takes action will end on December 31st, 2024.

The guiding influence of VCDPA on the creation of CTDPA is apparent when you look at the privacy rights protected by CDPA. CDPA protects a consumer’s right to access, right to data portability, right to delete, right of rectification, right to opt-out of sale, right to opt-out of profiling, and the right to opt-out of targeted advertising. However, unlike CPRA, CTDPA does not protect the right to opt out of automated decision-making. This means if you do not opt out of profiling an organization can make choices based on that profile without human input. An area where CTDPA has superior consumer privacy protections over CPRA is with processing sensitive personal data. CTDPA requires opt-in for data processors to process a consumer’s sensitive personal data, whereas CPRA allows consumers to opt-out. Sensitive personal data for CTDPA is defined as “personal data that includes (A) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, (B) the processing of genetic or biometric data for the purpose of uniquely identifying an individual, (C) personal data collected from a known child, or (D) precise geolocation data.”

Much like CPRA and VCDPA, CTDPA will require data protection assessments under certain circumstances. Fortunately, CTDPA states that if a data controller conducts a data protection assessment for the purpose of complying with a similar regulation, that assessment will satisfy the CTDPA requirements as long as it is similar in scope and effect. Therefore, conducting a thorough data protection assessment is critical as it will eliminate the need for redundant assessments. Additionally, it would be advisable for any organization subject to CTDPA to conduct a privacy impact assessment. A PIA assesses how an organization handles personal data and will tell whether the organization will be in compliance with new state data privacy laws or not.

Next up in our 2023 data privacy laws series is the California Privacy Rights Act or CPRA. CPRA amends the California Consumer Privacy Act (CCPA) to add protection for consumers. It was passed as a ballot initiative in November 2020 and took effect on January 1st, 2023. Enforcement is said to begin on July 1st of this year, but recent modifications to the draft regulations show that there may be some flexibility with early enforcement. The California Consumer Privacy Agency (CPPA), the body responsible for enforcing the CPRA, may take into account the time between the publication of the final regulations and the enforcement date, as well as “good faith efforts to comply with those requirements.”

California previously had a recent data privacy law known as CCPA, but CPRA expands the volume of data that falls within its scope. CPRA also expanded upon the data privacy rights that were in the CCPA. In addition to the right to know, the right to access, the right to deletion, the right to portability, and the right to opt-out of sale, CPRA will add the right to rectification and the right to opt-out of targeted advertising. A change that may catch some off-guard is that CPRA clarifies that a cookie banner is not an acceptable mechanism for handling opt-out requests for targeted advertising or data sales. Other meaningful changes made by CPRA are the significantly increased fines for data breaches of children’s data and breach liability for disclosure of credentials that could compromise a consumer’s account.

An addendum that CPRA brings to California’s data privacy landscape is the creation of a new privacy regulator in the California Privacy Protection Agency (CPPA). The CPPA will begin enforcement on July 1st and the sole mission will be to protect consumer privacy in accordance with California data privacy laws. However, they will have the additional charge of preparing new rules and regulations in the consumer data privacy space. The CPPA will be a well-funded and well-resourced agency for enforcing data privacy laws while taking some of the burdens off the office of the California Attorney General.

Comparatively, this means that CPRA will likely be the most comprehensive data privacy law in the US and will have teeth to back it up. Businesses that are subject to CPRA should already be preparing for enforcement to begin. An essential part of preparing for CPRA should be creating a data map and understanding what data you actually process. From there, you should conduct a gap analysis to find where to make changes to comply with CPRA data privacy mandates. Those subject to CCPA should already be familiar with the ability to opt out of the sale of personal information; However, they should now prepare to provide the ability to opt out of targeted advertising by sharing personal information with third parties. While it can be a heavy lift getting compliant with CPRA, doing so should bring businesses in compliance with other state data privacy laws and will be a solid foundation for future state or national data privacy laws.

First in our 2023 data privacy laws series is the Virginia Consumer Data Protection Act (VCDPA). The VCDPA effective date was January 1st, 2023, with enforcement beginning the same day. VCDPA, sometimes referred to as just CDPA, is somewhat of a mixture of the EU’s GDPR (General Data Protection Regulation) and California’s CPRA (California Consumer Privacy Rights Act). While it shares similarities with each, it is sufficiently dissimilar as it likely will require its own compliance considerations. Much like CPRA, VCDPA will apply to any business that processes the data of over 100,000 of the state’s residents or processes the personal data of over 25,000 and derives 50% of their gross revenue from the sale of personal data.

Much like GDPR and CPRA, VCDPA introduces numerous consumer data privacy rights. These rights include the right to access personal data, the right to know personal data is being processed, the right to data portability, the right to deletion, the right to rectification, and the right to opt out of targeted advertising or the sale of personal data.

One of the most substantial differences between CPRA and VCDPA is how VCDPA treats the processing of sensitive data. While CPRA allows consumers to opt out of processing their sensitive data, VCDPA requires a data process to get opt-in consent to process a consumer’s sensitive data. Additionally, VCDPA defines sensitive data as any data that includes demographic information, geolocation data, or data from a known child. Another difference is in how VCDPA treats employee and business contact data. VCDPA does not classify employees as consumers, nor does it consider personal data processed in a business-to-business context in scope. VCDPA also has blanket exemptions for government agencies, businesses subject to HIPAA, institutions of higher education, and Gramm-Leach-Bliley subject financial institutions, while CPRA does not.

Outside of CPRA, other state laws going into effect in 2023 are modeled after VCDPA, and thus understanding VCDPA and what goes into a compliance strategy for it will go a long way in reaching compliance with the other laws. When building a compliance strategy for VCDPA, you should first map what data you store or process. Additionally, it would be helpful to conduct a readiness assessment to identify where the gaps in compliance are. Once you’ve located the gaps, you can prepare a remediation plan and develop controls to bring the business into compliance before sanctions incur.