Preparing Your Business for Data Privacy Compliance in 2023
In 2023, California, Colorado, Connecticut, Utah and Virginia will begin enforcement of new data privacy statutes regulating the collection, use and disclosure of consumer personal information. These statutes, modeled in part after Europe’s General Data Protection Regulation (GDPR) and the original California Consumer Privacy Act (CCPA), which took effect in 2020, put significant obligations on businesses that collect and use personal information about individuals for business purposes. “Personal information” in this context is broadly defined and generally includes names, addresses, phone numbers, email addresses, location and device information, browsing history and cookies (i.e., information saved by your web browser) and other types of information that can reasonably be used to identify an individual.
Why is this important for all businesses? Even though your business may not be physically located in one of these states, the statutes have a broad reach that includes many out-of-state companies, depending on their business operations. Other states have similar legislation in process (including Ohio and Michigan), making it important to understand how these new laws may affect your existing or future business operations and start making necessary changes to your company’s data practices now.
This article will provide a brief overview of these data privacy statutes and discuss the key compliance areas that every impacted business should review going into the new year.
In 2023, five states will have statutes in place to protect consumers’ personal data. Each statute applies to businesses that (i) conduct business in the state, or produce products or provide services that target the state’s residents, and (ii) meet the numeric thresholds described in the chart below.
Chart of State Laws

California (California Consumer Privacy Act, as amended by the CPRA)
Effective: January 1, 2023
Applies if the business meets any one of the following:
- More than $25 million in gross annual revenue.
- Buys/sells/shares personal data of 100,000 or more consumers/households.
- Derives 50% or more of annual revenue from selling or sharing consumers' personal data.

Colorado (Colorado Privacy Act)
Effective: July 1, 2023
- Controls/processes personal data of 100,000 or more Colorado residents; or
- Controls/processes personal data of 25,000 or more Colorado residents and derives any revenue from selling personal data.

Connecticut (Connecticut Data Privacy Act)
Effective: July 1, 2023
- Controls/processes personal data of 100,000 or more consumers annually (excluding data used solely for completing payment transactions); or
- Controls/processes personal data of 25,000 or more consumers and derives over 25% of gross revenue from selling personal data.

Utah (Utah Consumer Privacy Act)
Effective: December 31, 2023
Applies if the business meets both of the following:
- $25 million or more in gross annual revenue; and
- Controls/processes personal data of 100,000 or more Utah consumers, or controls/processes personal data of 25,000 or more Utah consumers and derives at least 50% of its gross revenue from selling personal data.

Virginia (Virginia Consumer Data Protection Act, VCDPA)
Effective: January 1, 2023
- Controls/processes personal data of 100,000 or more Virginia consumers; or
- Controls/processes personal data of 25,000 or more Virginia consumers and derives over 50% of its gross revenue from selling personal data.
Even if not physically located in one of these states, a business still may be required to comply with one or more of these state laws if it meets these thresholds. This is more common than most might expect, because most collection of consumer personal data comes from websites, mobile applications and other digital sources which can be accessed from anywhere in the world by a consumer. The threshold requirements vary by state but tend to be similar in overall structure.
For example, consider Virginia’s statute, which applies to any business that controls or processes personal data of 100,000 or more Virginia consumers (or 25,000 or more Virginia consumers and derives over 50% of its total gross revenues from the sale of personal data). A business located in Ohio whose website is accessible to Virginia consumers and collects location data, cookie identifiers and similar device data from all site visitors likely is subject to the VCDPA if the threshold numbers are met.
The CPRA (which amends and expands the original CCPA) goes a step further by also requiring compliance with respect to personal data collected in the employment and business-to-business contexts. Businesses that have employees working in California – whether working onsite at a company location or remotely from their homes - or which have contracts with California businesses related to the processing of personal data, must comply even if they do not meet the numeric thresholds for consumer data compliance.
While the specifics vary slightly from state to state, businesses must generally comply with the following obligations:
- Honor a consumer’s exercise of their statutory rights to:
- Access all of their personal data collected by the business.
- Obtain a portable copy of all of their personal data collected by the business.
- Correct any of their personal data already collected by the business which is inaccurate.
- Delete their personal data from the business’s records.
- Opt-out of the sale or sharing of their personal data with third parties, or the use of such personal data for targeted advertising. This typically includes honoring “Global Privacy Control” and similar opt-out signals sent by consumer browsers and browser extensions.
- Provide opt-in consent prior to the collection of “sensitive data” such as biometric and geolocation data, data on children under 13 years old and data about an individual’s race/origin, genetics, citizenship/immigration status, sexual orientation, mental or physical health or religious beliefs.
- Maintain reasonable data security practices, policies and procedures to protect any personal data collected.
- Maintain written contracts with third parties for whom the business processes personal data, and with third parties that process personal data on the business’s behalf, that set out the parties’ respective data-protection obligations.
Some states, such as Colorado and Connecticut, specifically invalidate consents obtained through means that are designed to influence the user to make a choice they might not normally make – referred to as “dark patterns.” In other words, the business cannot display or use tools, interfaces or other ways of manipulating the consumer into consenting to the collection of personal data. Examples of this include requiring users to scroll through a large amount of text to find the opt-out link and using confusing language in the disclosure and consent notices.
Colorado, Connecticut, Utah and Virginia only permit enforcement of data privacy obligations through the state’s attorney general. Enforcement actions typically include an opportunity to cure, particularly during the first year of enforcing the statute. However, attorneys general also are authorized to seek an injunction against further violations and assess civil penalties/fines to a non-compliant business. Statutory penalties ranging from $2,500 to $20,000 can apply per violation depending on the state, the number of violations and other factors.
California is the only state that also provides a private right of action, meaning that an individual can sue the business for damages based on an alleged violation of the CPRA. That right is limited to data breaches involving certain categories of personal information that result from the business’s failure to maintain reasonable security; other CPRA violations are enforced by the state.
Preparing Your Business
The first and most critical step to prepare your business for compliance is to understand how the business collects, stores, accesses, shares and purges data. The business also needs to catalog the sources of the data, where the data is shared and for what purpose the data is used or shared. This process can often highlight areas of potential risk exposure, such as unnecessary data being collected or stored, or outdated policies.
From there, businesses should review and update their data-related documents such as website privacy policies/notices, internal IT policies/procedures and contracts with third parties. For businesses with California employees, this review process also may need to include written disclosures to employees about the handling of their employment-related data.
Some businesses may be subject to existing sector-specific personal data regulations, such as the Health Insurance Portability and Accountability Act and the Fair Credit Reporting Act, which tend to be more restrictive than these data privacy statutes. In that case, businesses must comply with the stricter law as to the category of protected data. However, a business may collect information which is not subject to existing regulations but still qualifies as “personal data” under the new data privacy statutes, so it is important for businesses to review their data practices to make sure they are compliant across all data categories.
The ever-changing landscape of data privacy laws means that businesses must remain vigilant in reviewing and updating their data practices. If you have any questions regarding compliance with these new laws, please contact Ms. Weis.
Disclaimer: The article in this publication has been prepared by Eastman & Smith, Ltd. for informational purposes only and should not be considered legal advice. This information is not intended to create, and receipt of it does not constitute, an attorney/client relationship.