Preparing Your Business for Data Privacy Compliance in 2023

Ashley B. Weis
12/27/22

In 2023, California, Colorado, Connecticut, Utah and Virginia will begin enforcement of new data privacy statutes regulating the collection, use and disclosure of consumer personal information. These statutes, modeled in part after Europe’s General Data Protection Regulation (GDPR) and California’s original Consumer Privacy Act of 2020 (CCPA), put significant obligations on businesses that collect and use personal information about individuals for business purposes. “Personal information” in this context is broadly defined and generally includes names, addresses, phone numbers, email addresses, location and device information, browsing history/cookies (i.e., information saved by your web browser) and other types of information that can reasonably be used to identify an individual.

Why is this important for all businesses? Even though your business may not be physically located in one of these states, the statutes have a broad reach that includes many out-of-state companies, depending on their business operations. Other states have similar legislation in process (including Ohio and Michigan), making it important to understand how these new laws may affect your existing or future business operations and to start making necessary changes to your company’s data practices now.

This article will provide a brief overview of these data privacy statutes and discuss the key compliance areas that every impacted business should review going into the new year.

Scope

In 2023, five states will have statutes in place to protect consumers’ personal data. These statutes apply to all businesses that (i) conduct business, produce products or provide services within the state that target the state’s residents, and (ii) meet the numeric thresholds described in the chart below.

Chart of State Laws

California Privacy Rights Act (CPRA)
Effective: January 1, 2023
Applies to:

Colorado Privacy Act (CPA)
Effective: July 1, 2023
Applies to:

Connecticut Data Privacy Act (CTDPA)
Effective: July 1, 2023
Applies to:

Utah Consumer Privacy Act (UCPA)
Effective: December 31, 2023
Applies to:

Virginia Consumer Data Privacy Act (VCDPA)
Effective: January 1, 2023
Applies to:

Even if it is not physically located in one of these states, a business still may be required to comply with one or more of these state laws if it meets these thresholds. This is more common than most might expect, because most collection of consumer personal data comes from websites, mobile applications and other digital sources that a consumer can access from anywhere in the world. The threshold requirements vary by state but tend to be similar in overall structure.

For example, consider Virginia’s statute, which applies to any business that controls or processes personal data of 100,000 or more Virginia consumers (or 25,000 or more Virginia consumers and derives over 50% of its total gross revenues from the sale of personal data). A business located in Ohio with a website accessible by Virginia consumers that collects location data and other cookies on all site visitors is likely subject to the VCDPA if the threshold numbers are met.

The CPRA (which amends and expands the original CCPA) goes a step further by also requiring compliance with respect to personal data collected in the employment and business-to-business contexts. Businesses that have employees working in California, whether onsite at a company location or remotely from their homes, or that have contracts with California businesses related to the processing of personal data, must comply even if they do not meet the numeric thresholds for consumer data compliance.

Business Obligations

While the specifics vary slightly from state to state, businesses must generally comply with the following obligations:

Some states, such as Colorado and Connecticut, specifically invalidate consents obtained through means designed to influence the user to make a choice they might not normally make, referred to as “dark patterns.” In other words, the business cannot display or use tools, interfaces or other techniques that manipulate the consumer into consenting to the collection of personal data. Examples include requiring users to scroll through a large amount of text to find the opt-out link and using confusing language in the disclosure and consent notices.

Enforcing Non-Compliance

Colorado, Connecticut, Utah and Virginia only permit enforcement of data privacy obligations through the state’s attorney general. Enforcement actions typically include an opportunity to cure, particularly during the first year of enforcing the statute. However, attorneys general are also authorized to seek an injunction against further violations and to assess civil penalties/fines against a non-compliant business. Statutory penalties ranging from $2,500 to $20,000 can apply per violation depending on the state, the number of violations and other factors.

California is the only state that also provides a private right of action, meaning that an individual can sue the business for damages based on an alleged violation of the CPRA.

Preparing Your Business

The first and most critical step in preparing your business for compliance is to understand how the business collects, stores, accesses, shares and purges data. The business also needs to catalog the sources of the data, where the data is shared and for what purpose the data is used or shared. This process can often highlight areas of potential risk exposure, such as unnecessary data being collected or stored, or outdated policies.

From there, businesses should review and update their data-related documents such as website privacy policies/notices, internal IT policies/procedures and contracts with third parties. For businesses with California employees, this review process also may need to include written disclosures to employees about the handling of their employment-related data.

Some businesses may be subject to existing, sector-specific personal data regulations, such as the Health Insurance Portability and Accountability Act and the Fair Credit Reporting Act, which tend to be more restrictive than these data privacy statutes. In that case, businesses must comply with the stricter law as to the category of protected data. However, a business may collect information that is not subject to existing regulations but still qualifies as “personal data” under the new data privacy statutes, so it is important for businesses to review their data practices to make sure they are compliant across all data categories.

The ever-changing landscape of data privacy laws means that businesses must remain vigilant in reviewing and updating their data practices. If you have any questions regarding compliance with these new laws, please contact Ms. Weis.

Disclaimer: The article in this publication has been prepared by Eastman & Smith, Ltd. for informational purposes only and should not be considered legal advice. This information is not intended to create, and receipt of it does not constitute, an attorney/client relationship.