Trendsetters: The First 5 States with Their Own Data Privacy Laws
Streamowrks Blog
Previously, we covered Four U.S. Data Privacy Laws You Need To Know. In that post, we learned that data privacy laws exist to protect our personally identifiable information (PII) from malicious use, abuse, and mishandling.
We also learned that, unlike the EU's General Data Protection Regulation (GDPR), the United States doesn't have a comprehensive federal privacy law. Instead, U.S. laws seem only to protect specific industries, such as healthcare (HIPAA) and finance (GLBA).
That could explain why five states have established their own laws, and many other states are following suit.
Definitions
We'll look at what these leading states have done and what's in store for the future, but first, a few definitions are in order.
Consumer Rights
Many state privacy laws use similar terms regarding the consumer's rights. Here are a few:
Right to access - The consumer may access their data from a business/data controller, including categories of information collected, information shared with third parties, names of third parties, etc.
Right to correct - The consumer may request that outdated or incorrect personal information be updated.
Right to delete - The consumer may request data deletion under certain conditions.
Right to opt-out of sales - The consumer may opt out of selling their personal information to third parties.
Right to portability - The consumer may request that their data be delivered in a standard file format.
Business Obligations
The laws define business obligations as well. For example:
Opt-in default (requirement age) - Businesses must treat consumers under a certain age with an opt-in default for the sale of their information.
Notice/transparency requirement - Businesses must notify consumers about privacy programs, operations, data practices, etc.
Risk assessments - Businesses must conduct formal risk assessments of their security and/or privacy programs and procedures.
Now that we know some key definitions, what kinds of things are different states doing?
California Consumer Privacy Act (CCPA)
California has led the way with state privacy laws, passing two. The CCPA passed in 2018 and was the first of its kind for a state to:
• Establish stringent data security requirements for companies, and
• Protect the data privacy of its residents.
The law became effective on January 1, 2020, with a 12-month retroactive "look-back" period. The CCPA defines "consumer" as a natural person who is a California resident, and it protects "personal information," defined as "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
Here are a few other highlights of the CCPA:
• It gives consumers the right to access and delete data
• It gives consumers the right to portability and the right to opt out of sales
• Has an opt-in default (requirement age) of 16
• Includes a notice/transparency requirement for businesses
California Privacy Rights Act (CPRA)
The CPRA, also known as Proposition 24 and even "CCPA 2.0," expands the CCPA. California voters approved it in 2020, and its operative as of January 1, 2023.
Perhaps most noteworthy, the CPRA established the California Privacy Protection Agency, which (along with the Attorney General) has authority and enforcement power over the CCPA.
The CPRA amends the CCPA by giving consumers the right to correct and opt out of sensitive data processing. In addition, it obligates businesses with risk assessments.
Virginia Consumer Data Protection Act (VCDPA)
Virginia became the second state to pass a wide-ranging privacy act. The VCDPA gives Virginia consumers more control over their personal information. The state signed the act into law on March 2, 2021, and it went into effect on January 1, 2023.
How do you know if your company is subject to the VCDPA? If it meets these requirements:
• Conducts business in Virginia or produces products/services targeting VA residents
• Controls/processes data of at least 100,000 consumers, or
• Controls/processes data of at least 25,000 consumers and gains over 50% of gross revenues from the sale of personal data
If your business meets those criteria, you are subject to certain obligations regarding processing personal data. Here are just a few:
• Must conduct data protection assessments to evaluate risks related to data processing
• Must implement and maintain reasonable security practices to protect data
• Must get permission from the consumer before processing sensitive information
As expected, the act spells out certain privacy rights for consumers, including the right to access, delete, portability, and others.
Colorado Privacy Act (CPA)
Colorado's Privacy Act is very similar to the acts we discussed. Its effective date is July 1, 2023, and it defines a "consumer" as an individual who is a Colorado resident. Additionally, it represents personal data as "information that is linked or reasonably linkable to an identified or identifiable individual."
The CPA's consumer rights include:
• Right to access
• Right to correct
• Right to delete
• Right to portability and others
The CPA requires businesses to perform risk assessments and post notices about their data privacy practices and other similar obligations.
Connecticut Data Privacy Act (CTDPA)
The CTDPA became law in the Spring of 2022 and has an effective date of July 1, 2023, similar to the Colorado Act. Connecticut also calls it an Act Concerning Personal Data Privacy and Online Monitoring.
If your business meets these requirements, you're subject to the CTDPA:
• Conducts business in Connecticut or produces products or services targeted at CT residents and during the previous calendar year:
• Controlled or processed PII of at least 100,000 consumers,
or
• Controlled or processed PII of 25,000 or more consumers and received over 25% of gross revenue from the sale of personal data
• Provides services involving PII on behalf of covered businesses
As a Connecticut consumer, you have the right to access, correct, delete, and opt out, among others.
Utah Consumer Privacy Act (UCPA)
Utah's Act, the UCPA, is effective December 31, 2023. Like the previous laws, it borrows from the GDPR as a framework. Also, like the earlier laws, it defines personal data as "information that is linked or reasonably linkable to an identified or identifiable individual."
It provides many of the same consumer rights as the others but does not include a right to correct. There is no requirement for risk assessments for businesses, and if your business makes less than $25 million in annual revenue, you're not required to comply.
What's next?
With their laws in place, these five states are trendsetters in consumer data protection and privacy. By laying the groundwork, other states have introduced their own privacy laws.
According to the International Association of Privacy Professionals (IAPP), at least 20 states have active bills, including Streamworks' home state of Minnesota (HF1367, SF950, and HF1892).
Will this ultimately result in the United States having a wide-reaching federal data protection law like the GDPR? We'll have to wait and see, but this trend continues.