Privacy laws are nothing new when it comes to modern-day business. However, since the global digitization of data and the sharing economy took off, companies have struggled to keep up with an ever-changing legal landscape while still fulfilling their obligations to protect user data. The challenge is that there is no one-size-fits-all solution regarding data privacy’s legal requirements. Depending on the location and jurisdiction, data privacy laws can vary significantly in terms of scope and enforcement.
But while the laws may differ from place to place, one common trend is starting to emerge: individual states are taking action to fill the void left by the federal government’s lack of comprehensive data privacy regulation. California is leading this charge with its recently enacted California Consumer Privacy Act (CCPA).
Effective January 1, 2020, the CCPA is the most comprehensive data privacy law in the United States. The law gives Californians new rights concerning their personal information, including the right to know what personal information is being collected about them, the right to know whether their data is being sold and the right to opt out of the sale of their personal information. In addition, the CCPA creates new obligations for businesses handling personal information, including the requirement to provide a “Do Not Sell My Personal Information” link on their websites.
The CCPA has been described as a “game-changer” in the world of data privacy, and it is already having a ripple effect beyond California’s borders. In fact, other states are already starting to emulate California’s approach to creating their own comprehensive data privacy laws.
What you need to know about the newest proposed CCPA amendments
The California Privacy Rights Act (CPRA), which updated the CCPA in 2020, created the California Privacy Protection Agency (CPPA) to replace the state’s attorney general as the designated regulator enforcing CCPA. On July 8, 2022, CPPA issued a notice of its proposed regulations that will go into effect on January 1, 2023.
These proposed regulations, if put into effect as currently written, will significantly impact how certain companies deal with information. Some of the proposed changes include:
Data minimization and retention
The new data minimization regulations require businesses to only collect, use, retain and/or share consumers’ personal information when it is “reasonably necessary and proportionate” to the original purpose for collecting it. Anything not meeting this standard will require additional notice and the consumer’s clear agreement to the terms.
Dark patterns
The new law passed in March 2021 concerning the CCPA bans dark patterns that prevent or make it difficult to opt out. This can include using confusing language, requiring more steps to opt out than to opt in, and requiring the submission of personal information in order to be removed from further solicitations.
Service provider and contractor agreements
The new regulations place different responsibilities on the service provider and the person or organization receiving the services. Some of these changes broaden which service providers are covered while exempting cross-contextual advertising services. They also institute explicit and specific requirements for contracts with service providers and contractors, such as listing the business purposes of data collection on agreements beyond a mere reference to the purpose of the contract.
Sensitive personal information
If your business manages sensitive personal information, you may need to present a notice about this type of processing. Companies that use or disclose this kind of personal data would have to offer two or more methods by which consumers can request limits on its use. At least one of these methods must correspond with how the customer typically interacts with the company — for example, by restricting processing through a “Limit the Use of My Sensitive Personal Information” link.
How do other privacy laws compare to the CCPA?
While many current and proposed regulations surrounding the CCPA are unique to California, the law has served as a model for other states when crafting their own comprehensive data privacy laws.
Below, we’ll cover a few examples of how the CCPA has influenced other states:
Colorado Privacy Act
On September 30, 2022, the Colorado Attorney General’s Office released draft regulations for the Colorado Privacy Act (CPA). The proposed rules are primarily consistent with the California Consumer Privacy Act regulations and do not contain too many new obligations beyond the plain language of the CPA itself. However, some key differences between the CCPA and CPA include the following:
- The CPA requires disclosure of a new consumer right to appeal a company’s decision on a data subject request.
- There is significantly more detail regarding how companies will be expected to acknowledge and honor opt-out signal technology (as of 2024) compared to the CCPA regulations.
- Colorado is taking a more practical approach to loyalty programs than California, clarifying that companies are under no obligation to provide benefits through their programs if it is impossible to do so.
Virginia’s Consumer Data Protection Act
On March 2, 2021, Virginia passed the Consumer Data Protection Act (VCDPA), which gives Virginia consumers control over their data and introduces new regulations around how covered companies collect data, how they must protect it and with whom they can share it. The law, which applies to businesses that operate in Virginia or sell products and services to Virginia residents, has some aspects similar to the EU’s General Data Protection Regulation and California’s Consumer Privacy Act.
However, there are some critical differences between the VCDPA and the CCPA, including:
- Unlike other privacy acts, the VCDPA stipulates that consumers “must” opt in to the collection and use of sensitive data at the outset. Simply offering an “opt out” feature is not sufficient.
- Opt-out features, while standard in other privacy acts, are not mandatory features in the VCDPA.
- Businesses may only collect and retain reasonably necessary data, and that collection must be disclosed to consumers.
Connecticut Data Privacy Act
The Connecticut Data Privacy Act (CTDPA) will go into effect on July 1, 2023, and is similar to the laws put in place by other states. Companies with operations in Connecticut have up to two years to comply with the new data privacy rules set by the state’s legislature.
While the CTDPA shares similarities with the privacy acts of other states, it most closely tracks the VCDPA. The CTDPA applies to companies that do business in Connecticut or produce products or services targeted to Connecticut residents.
The main differentiators with this act relate to threshold requirements and levels of consent required to process collected information. These apply to companies that:
- Control or process the personal information of 100,000 or more consumers for any purpose other than completing a payment transaction.
- Derive 25% of their gross revenue from the sale of personal data while controlling or processing the personal data of at least 25,000 consumers.
Utah Consumer Privacy Act
On March 24, 2022, Utah followed in the footsteps of California, Virginia and Colorado by enacting a consumer data privacy law known as the Utah Consumer Privacy Act (UCPA). The UCPA’s protections only apply to Utah residents acting as individuals and not in a commercial setting. Individuals acting in an employment context or on behalf of another business (B2B) are excluded.
Similar to the regulations above, the UCPA provides Utah consumers with specific rights. These include the right to access their data, delete it if they please, receive a copy of their data in an accessible format and opt out of the “sale” of their data or its use for targeted advertising purposes.
Unlike the CCPA/CPRA, VCDPA and CPA, the UCPA does not require controllers to conduct data protection assessments before undertaking processing activities that could harm consumers. It also does not require controllers to conduct cybersecurity audits or risk assessments.
Notable dates companies should be aware of in 2023
With new regulations around the corner, companies must remain aware of upcoming deadlines to avoid penalties. Here are some notable dates companies should keep in mind:
January 1, 2023
- The CPRA amendments to the California Consumer Privacy Act go into effect
- Virginia’s Consumer Data Protection Act goes into effect
July 1, 2023
- Enforcement of consumer rights begins for the California Privacy Rights Act
- Colorado Privacy Act goes into effect
- Connecticut Data Privacy Act goes into effect
July 1, 2023, to December 31, 2024
- 60-day cure periods in effect for recorded Connecticut Data Privacy Act violations
December 1, 2023
- Utah Consumer Privacy Act goes into effect
It is clear that the CCPA is having a ripple effect on other states’ data privacy laws. As more and more states enact their own data privacy laws, it is important for companies to be aware of changing compliance requirements. Failure to comply with these laws can result in significant penalties. By staying up-to-date on the latest developments in data privacy law, companies can ensure that they are in line with the latest requirements while also redefining how they approach data privacy.