The California Consumer Privacy Act (CCPA) set off a chain reaction among the other US states, pushing them to take their residents' personal data protection more seriously. As a result, four more states, Virginia, Colorado, Utah, and Connecticut, have passed comprehensive data privacy laws, all of which take effect in 2023, the same year California's amended law becomes operative.
Each of these laws provides its own framework for consumer privacy rights, consent preferences, and the obligations of businesses around data privacy and security.
Let's take a quick look at each law, when it takes effect, the individual privacy rights it introduces, and some other important facts.
California Privacy Rights Act (CPRA)
Overview
The CPRA amends the California Consumer Privacy Act (CCPA), which came into effect on January 1, 2020. The CPRA strengthens consumers' data privacy rights by amending existing rights and adding new ones. Like the CCPA, the CPRA draws much of its inspiration from the GDPR, which is why it is one of the most comprehensive US state privacy laws.
Date of Enactment
The CPRA was approved by California voters in the November 2020 general election as ballot Proposition 24. The law becomes operative on January 1, 2023, but enforcement of its provisions begins on July 1, 2023. The CPRA applies to personal information collected by businesses on or after January 1, 2022.
Covered Entities
The jurisdictional scope of the CPRA is similar to that of the CCPA, but with a higher threshold. The law applies to for-profit organizations that do business in California and collect the personal information of California residents, and that meet one or more of the following thresholds:
- The business buys, sells, or shares the personal information of 100,000 or more consumers or households per year.
- The business has annual gross revenue of more than $25 million.
- The business derives 50% or more of its annual revenue from selling or sharing consumers' personal information.
Data Privacy Rights
The CPRA amends the existing data privacy rights provided in the CCPA and introduces some new rights as well. The individual data privacy rights under the CPRA include:
- Right to delete personal information.
- Right to correct inaccurate personal information.
- Right to know what personal information is being collected.
- Right to access personal information.
- Right to know what personal information is sold or shared, and to whom.
- Right to opt-out of sale or sharing of personal information.
- Right to limit the use and disclosure of sensitive personal information.
- Right of no retaliation following opt-out or exercise of other rights.
Regulatory Authority
The California Privacy Protection Agency (CPPA) is the regulatory authority with administrative and enforcement power to implement the CPRA and to bring enforcement actions against entities that violate it.
A five-member board, including a chairperson, governs the CPPA. The CPPA has an annual budget of $10 million to hire staff and cover the operational expenses of investigating privacy violations, issuing fines, and sending out remediation notices.
Privacy Law Violation
The CPPA is the regulatory body authorized to fine covered businesses, service providers, and contractors for violations of the CPRA. Violators may be fined up to $2,500 per violation. The fine rises to $7,500 per violation for intentional violations and for violations involving the personal information of consumers under 16 years of age.
Exemptions
Section 15 of the CPRA (Cal. Civ. Code section 1798.145) outlines the circumstances in which covered businesses are excused from the obligations imposed by the CPRA. For instance, the CPRA does not limit a business's ability to comply with legal provisions or with civil or criminal investigations, or to respond to an approved data access request from a government agency. Similarly, the restrictions imposed under the CPRA do not apply to the collection, use, retention, sale, sharing, or disclosure of consumers' personal data that is de-identified or "aggregated."
Moreover, in certain cases a business may decline a consumer's privacy rights request where the request is "manifestly unfounded" or "excessive," in particular because of its repetitive character. The business bears the burden of demonstrating that the request is manifestly unfounded or excessive, and it must notify the consumer of the reason for refusing the request.
CPRA Important Facts
- The CCPA largely exempted employee and business-to-business data from its scope. The CPRA extended that exemption only until January 1, 2023, after which it expires, so employee and B2B data will be governed by the amended law.
- The CPRA introduces a new special category of personal information, "sensitive personal information" (SPI), which is subject to stricter collection and processing limitations.
- The CPRA expands the privacy notice requirements, which now include disclosures about data retention, SPI collection, and the opt-in rights of minors.
- The CPRA requires businesses whose processing of personal information "presents significant risk to consumers' privacy or security" to conduct an annual cybersecurity audit and to submit periodic risk assessments of their processing activities to the CPPA, under regulations to be issued by the agency.
- The CPRA places more emphasis on respecting users' opt-out preferences communicated through Global Privacy Control (GPC) or similar opt-out preference signals.
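The GPC signal mentioned above is a plain HTTP request header, so honoring it is a server-side check rather than a cookie-banner feature. The following is an added illustration, not code from the original page or from any vendor named on it. It assumes the header name and value defined by the GPC specification (`Sec-GPC: 1`, with "1" the only valid value) and the `/.well-known/gpc.json` document that specification defines for announcing support; the `OptOutRecord` type and the sample requests are constructed for the example.

```python
"""Honoring a Global Privacy Control (GPC) opt-out signal on the server side.

Added example: a consumer whose browser sends `Sec-GPC: 1` is treated as
having opted out of sale/sharing and targeted advertising. A missing or
malformed header is never treated as consent, and never clears an opt-out
that is already on record.
"""
from dataclasses import dataclass, replace
from typing import Mapping

GPC_HEADER = "sec-gpc"  # header name defined by the GPC specification


def gpc_opt_out(headers: Mapping[str, str]) -> bool:
    """Return True only when the request carries a valid GPC signal.

    The specification defines exactly one value, "1". Anything else
    ("0", "true", "yes", an empty string) is not a signal and must not
    be interpreted as either opt-out or consent.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


@dataclass(frozen=True)
class OptOutRecord:
    """Hypothetical per-consumer preference record kept by the business."""
    consumer_id: str
    sale_or_sharing: bool = False        # CPRA "sale or sharing" opt-out
    targeted_advertising: bool = False   # opt-out right in the other four laws
    source: str = "none"                 # how the opt-out was received


def apply_gpc(record: OptOutRecord, headers: Mapping[str, str]) -> OptOutRecord:
    """Fold the request's GPC signal into the stored record.

    A valid signal sets both opt-outs. The absence of a signal on a later
    request leaves the record untouched: a consumer who opted out once
    stays opted out until they affirmatively change their preference.
    """
    if not gpc_opt_out(headers):
        return record
    return replace(record, sale_or_sharing=True,
                   targeted_advertising=True, source="gpc")


def gpc_well_known(last_update: str) -> dict:
    """Body for /.well-known/gpc.json, which tells clients the site honors GPC."""
    return {"gpc": True, "lastUpdate": last_update}


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "signal":    {"Host": "shop.example", "Sec-GPC": "1"},
    "lowercase": {"host": "shop.example", "sec-gpc": "1"},
    "zero":      {"Host": "shop.example", "Sec-GPC": "0"},
    "bogus":     {"Host": "shop.example", "Sec-GPC": "true"},
    "absent":    {"Host": "shop.example"},
}


def run_samples() -> dict:
    """Evaluate every sample request against a fresh record."""
    fresh = OptOutRecord(consumer_id="c-1001")
    return {name: apply_gpc(fresh, hdrs) for name, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, rec in run_samples().items():
        print(f"{name:10s} sale/sharing opt-out={rec.sale_or_sharing} source={rec.source}")
```

Two design choices matter here. The exact-match on "1" follows the specification literally, so a proxy or browser extension that emits a non-standard value does not silently turn into a recorded opt-out (or, worse, a recorded consent). And `apply_gpc` is monotonic: a subsequent request from a different browser that lacks the header cannot undo an opt-out the business already holds for that consumer.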
Virginia Consumer Data Protection Act (VCDPA)
Overview
The Virginia Consumer Data Protection Act (VCDPA) closely follows the CPRA in scope, consumer rights, and regulatory penalties. However, several significant distinctions set the VCDPA apart, such as a lower age threshold for children, the absence of a private right of action, and the absence of any waiting period before a business may ask again for consent that a consumer has withdrawn.
Date of Enactment
Virginia's comprehensive data protection law was signed by the Governor in March 2021, and amendments to it were signed in April 2022. The VCDPA, as amended, takes effect on January 1, 2023, the same day the CPRA becomes operative.
Covered Entities
The law applies to businesses that conduct business in the Commonwealth of Virginia or that offer products and services targeted to Virginia residents, and that meet either of the following thresholds:
- The business controls or processes the personal data of at least 100,000 Virginia residents in a calendar year, or
- The business controls or processes the personal data of at least 25,000 Virginia residents and derives over 50% of its gross revenue from the sale of personal data.
Data Privacy Rights
The 2022 amendments adjust the right to delete for controllers that obtained a consumer's personal data from a source other than the consumer, such as data brokers, which may satisfy a deletion request by opting the consumer out of processing and retaining only a minimal record of the request. Apart from that, most of the data subject rights are similar to those of the CPRA. The data subject rights under the VCDPA include the following:
- Right to confirm whether a data controller is processing consumers’ personal data.
- Right to request access to the personal data processed by the controller.
- Right to rectify any inaccurate personal data.
- Right to delete personal data stored or processed by the controller.
- Right to data portability via a technically feasible and readily usable format.
- Right to opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects on the consumer.
A data controller must respond to a consumer rights request within 45 days of receipt. Where reasonably necessary, the response period may be extended by an additional 45 days, and the consumer must be informed of the extension and the reason for it.
Regulatory Authority
The VCDPA does not establish a separate dedicated agency for enforcement. Instead, the Office of the Attorney General of Virginia (the Office) has exclusive authority to enforce the VCDPA, including the power to issue civil investigative demands to controllers and processors suspected of violating the law.
Privacy Rights Violations
As mentioned above, the Office has the authority to penalize any controller or processor found to be violating VCDPA provisions. Before doing so, however, the Office must give the offender written notice and a 30-day cure period in which to remediate the violations specified in the notice.
If the violation continues after the cure period expires, the Office may seek an injunction and impose a civil penalty of up to $7,500 per violation. The Office can also recover reasonable expenses incurred in investigating the alleged violations.
Exemptions
The VCDPA comes with a broad range of exemptions for both entities and categories of personal data. For instance, the VCDPA does not apply to financial institutions regulated by the Gramm-Leach-Bliley Act (GLBA), non-profit organizations, institutions of higher education, or covered entities and business associates subject to the privacy, security, and breach notification rules under HIPAA.
Similarly, the VCDPA does not apply to personal data processed in an employment context, to medical or health records protected by HIPAA, to de-identified data, or to data regulated by the Driver's Privacy Protection Act. The VCDPA further exempts certain processing carried out to meet legal obligations, for security purposes, for scientific research, for purely personal or household activity, or for a covered business's internal purposes.
VCDPA Facts
- Unlike the CPRA, which applies heightened protections to consumers under 16, the VCDPA defines a child as a natural person younger than 13 years of age.
- The VCDPA places significant obligations on the handling of de-identified data and requires data controllers to take reasonable measures to protect it from re-identification.
- The 2022 amendments expanded the definition of non-profit organization to include political organizations.
- The VCDPA does not set any waiting period after which a business may ask again for consent that a consumer has withdrawn.
- The VCDPA requires data controllers to post a clear, concise, and readily accessible privacy notice. The notice must describe the categories of personal data collected, the purposes of collection and processing, how consumers can exercise their rights, the categories of personal data shared with third parties, and the categories of third parties with whom it is shared.
- Data protection assessments are a core component of the VCDPA for identifying and mitigating heightened risks to personal data. An assessment must be conducted for each sale of personal data, for processing of sensitive data, for processing for targeted advertising or profiling, and for any other processing that presents a heightened risk of harm to consumers.
- A data processor must act strictly according to the controller's instructions and assist the controller in meeting its obligations under the law.
Colorado Privacy Act (CPA)
Overview
The Colorado Privacy Act (CPA) was signed into law in July 2021, after the CPRA and the VCDPA, making it the third comprehensive state privacy law in the US. The law is closely modeled on the VCDPA, for example in the absence of a private right of action, but differs in that it has no revenue threshold for applicability.
Date of Enactment
On July 7, 2021, Colorado Governor Jared Polis signed the CPA into law, making it the third US state privacy law. The CPA takes effect on July 1, 2023; its cure period remains available until January 1, 2025.
Covered Entities
The CPA applies to businesses that conduct business in Colorado or that produce or deliver commercial products or services intentionally targeted to Colorado residents, and that meet either of the following conditions:
- The business controls or processes the personal data of at least 100,000 consumers in a calendar year, or
- The business derives revenue, or receives a discount on the price of goods or services, from the sale of personal data, and controls or processes the personal data of at least 25,000 consumers.
Data Privacy Rights
Under the CPA, consumers may exercise the following rights by sending a verified privacy rights request to the data controller:
- Right to confirm whether a controller is processing the consumer's personal data.
- Right to access personal data.
- Right to rectify personal data.
- Right to delete personal data.
- Right to data portability.
- Right to opt out of the sale of personal data, targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects on the consumer.
Regulatory Authority
Unlike the VCDPA, the CPA does not give the Attorney General sole enforcement authority; it is shared with the state's district attorneys. Either may seek an injunction against violations of any CPA provision.
Privacy Rights Violations
Unlike the VCDPA, the CPA provides a longer 60-day cure period to covered businesses found to be violating any CPA provision. This cure period is temporary: it is available only until January 1, 2025, after which a controller will no longer be entitled to notice or an opportunity to cure.
As for fines and penalties, the CPA treats violations as deceptive trade practices. Penalties are therefore imposed under the Colorado Consumer Protection Act, where each violation can carry a civil penalty of up to $20,000.
Exemptions
The CPA exempts the following entities from compliance:
- Financial institutions that are regulated by the GLBA;
- Controllers and processors that comply with the Children’s Online Privacy Protection Act (COPPA) regulations;
- Air carriers regulated under 49 U.S.C. sec. 40101 et seq. and 49 U.S.C. sec. 41713;
- State institutions;
- National securities associations registered under the Securities Exchange Act of 1934 (15 U.S.C. sec. 78o-3);
- Public authorities.
Similarly, the CPA exempts the following personal data processing activities:
- Employee data processing;
- Certain health data (Public health, identifying patient information, protected health information) processing;
- Personal data processed pursuant to the Driver's Privacy Protection Act of 1994 and the Family Educational Rights and Privacy Act of 1974 (FERPA);
- Data processing for legal obligations;
- Data processing for the protection of the vital interest of a natural person.
CPA Facts
- The CPA requires opt-in consent for the processing of sensitive personal data, for the processing of a known child's personal data, and for the processing of personal data for purposes that are not reasonably necessary to, or compatible with, the purposes originally disclosed.
- The CPA emphasizes the principles of data minimization, purpose limitation, and security.
- Under the CPA, data controllers must provide accessible, clear, and meaningful privacy notices, conduct data protection assessments, and protect de-identified data in the same way as stipulated under the VCDPA.
- The CPA requires businesses to respond to data subject requests (DSRs) within 45 days. The period can be extended by an additional 45 days where reasonably necessary given the complexity or volume of requests.
- Like the VCDPA, the CPA sets no 12-month waiting period before a business may ask again for consent that has been withdrawn.
- Data processors must adhere to the data controller's instructions and assist the controller in meeting its obligations under the CPA.
- The requirement to conduct data protection assessments applies to processing activities created or generated after July 1, 2023.
Utah Consumer Privacy Act (UCPA)
Overview
The Utah Consumer Privacy Act (UCPA) was signed into law by Governor Spencer Cox in March 2022, making Utah the fourth US state to pass comprehensive data privacy legislation. Compared with the other state privacy laws, the UCPA is more business-friendly, although it is substantially influenced by the Virginia Consumer Data Protection Act (VCDPA) and the California Privacy Rights Act (CPRA).
Date of Enactment
The UCPA will take effect on December 31, 2023.
Covered Entities
The UCPA applies only to controllers and processors that conduct business in Utah or offer products and services targeted to Utah residents, have annual revenue of $25,000,000 or more, and meet one or both of the following thresholds:
- Control or process the personal data of 100,000 or more consumers during a calendar year, or
- Derive over 50% of gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.
Data Privacy Rights
The UCPA provides the following privacy rights to consumers:
- Right to determine whether a controller is processing the consumer’s personal data.
- Right to access personal data.
- Right to delete personal data.
- Right to data portability.
- Right to opt out of the processing of personal data for targeted advertising or the sale of personal data.
Regulatory Authority
Unlike the other state privacy laws, the UCPA takes a two-tier approach to enforcement. The state Attorney General (AG) has exclusive authority to enforce the UCPA, but the Utah Division of Consumer Protection is empowered to receive consumer complaints, investigate them, and refer actionable matters to the AG.
Privacy Rights Violations
Before initiating an enforcement action, the AG must provide written notice to the controller or processor identifying the alleged violations. The controller or processor then has a 30-day cure period. The AG may not bring an action if, within that period, the recipient cures the violation and provides the AG with an express written statement that the violation has been cured and no further violation will occur.
If the controller or processor fails to cure the violation within the cure period, or continues to violate the UCPA after providing such a written statement, the AG may recover actual damages to the consumer and a civil penalty of up to $7,500 per violation.
Exemptions
The UCPA comes with its own set of exemptions that exclude certain entities and processing activities from its scope. For instance, the UCPA does not apply to non-profit organizations, government entities, or institutions of higher education. Further, entities subject to the UCPA are excused from its provisions in specified circumstances: for example, the UCPA does not prevent controllers or processors from complying with applicable laws or with contractual obligations to the consumer.
UCPA Facts
- Personal data of an individual acting in an employment or commercial (business-to-business) context is not covered by the UCPA.
- Under the UCPA, de-identified data and aggregated data are excluded from the definition of personal data.
- The UCPA does not require opt-in consent for the collection and processing of sensitive personal data. Instead, it requires the controller to present a clear notice at the time of collection, along with an opportunity for the consumer to opt out of the processing of their sensitive data.
- The UCPA's right to delete does not extend to all personal data about a consumer, only to the personal data that the consumer provided to the controller.
Connecticut Data Privacy Act (CTDPA)
Overview
The Connecticut Data Privacy Act (CTDPA), Senate Bill 6, "An Act Concerning Personal Data Privacy and Online Monitoring," is the fifth comprehensive US state privacy law. It is modeled on the Colorado Privacy Act but provides additional protections for minors.
Date of Enactment
The CTDPA was signed into law by Governor Ned Lamont in May 2022 and takes effect on July 1, 2023. The 60-day notice and cure provisions under the CTDPA remain available until December 31, 2024; after that, controllers will not be entitled to notice or a cure period for a violation.
Covered Entities
The CTDPA covers organizations that conduct business in Connecticut or offer goods and services targeted to the state's residents. To be covered, an organization must also meet either of the following requirements in the preceding calendar year:
- It controlled or processed the personal data of at least 100,000 consumers, excluding personal data processed solely to complete payment transactions; or
- It controlled or processed the personal data of at least 25,000 consumers and derived more than 25% of its gross revenue from the sale of personal data.
Data Privacy Rights
The CTDPA provides consumers with the following five data privacy rights:
- Right to confirm whether a controller is processing their personal data and to access it;
- Right to correct personal data;
- Right to delete personal data;
- Right to obtain a copy of personal data in a portable format;
- Right to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.
Regulatory Authority
The state's Attorney General has sole authority to enforce the CTDPA and to impose penalties. A violation of the CTDPA is treated as an unfair trade practice under the Connecticut Unfair Trade Practices Act, which provides for civil penalties of up to $5,000 per willful violation.
Privacy Rights Violations
Until December 31, 2024, the CTDPA gives a business found to be in violation a 60-day cure period after written notice from the AG. If the business fails to cure the violation within that period, the AG may bring an enforcement action. Separately, the AG must report to the General Assembly on the number of notices of violation issued, the nature of the violations, and how many were cured.
Exemptions
The CTDPA exempts the following entities from compliance:
- Public agencies or any political subdivision of the state;
- Higher education institutions;
- Non-profit organizations;
- National securities associations regulated by the Securities Exchange Act of 1934;
- GLBA-covered businesses;
- Covered entities and business associates subject to HIPAA.
Apart from that, the CTDPA further exempts the following data processing activities:
- Legal claims,
- Federal, state, or municipal regulatory compliance,
- Contractual obligations,
- Scientific research,
- Fraud and identity theft,
- Personal data processed pursuant to the Driver's Privacy Protection Act of 1994, the Family Educational Rights and Privacy Act of 1974 (FERPA), the Fair Credit Reporting Act, and the Farm Credit Act,
- Health information covered under HIPAA and patient identifying information.
CTDPA Facts
- The CTDPA prohibits businesses from using dark patterns to obtain consumer consent;
- The CTDPA provides a detailed set of provisions for conducting data protection assessments to identify and mitigate "heightened risks" to consumers;
- The CTDPA requires a business to wait 12 months before asking a consumer again for consent the consumer has revoked;
- Businesses that comply with the verifiable parental consent requirements of COPPA are deemed compliant with the parental consent obligations under the CTDPA;
- Consumers can designate an authorized agent to opt out of the processing of their personal data on their behalf, and controllers must honor a request coming from such an agent;
- Controllers must process the sensitive personal data of children in accordance with COPPA;
- The CTDPA requires businesses to provide a clear, concise, and readily accessible privacy notice and to conduct a data protection assessment where processing presents a heightened risk of harm to consumers;
- The CTDPA requires a contract between a controller and a processor governing the processor's handling of personal data.
Automate Compliance with Upcoming State Privacy Laws with Securiti
The complexity of addressing data privacy regulations grows for organizations with multicloud data environments. Moreover, an organization may be subject to several of these frameworks at once, depending on the jurisdictions in which it operates.
Securiti enables organizations to comply with a wide range of data privacy laws efficiently. With Securiti Privacy Center, organizations can manage their data privacy obligations from a single command center and automate privacy notices, consent management, cookie preferences, DSR fulfillment, and opt-out preference signals.