US Private Sector Privacy Chapter 06 State Comprehensive Privacy Laws PDF

Summary

This academic document examines the state-level comprehensive privacy laws in the US, emphasizing California's significant role and the evolution of the legislative landscape. It highlights the absence of a federal privacy law, discusses key terms and consumer rights, and examines the obligations placed on businesses to comply with varying state-level privacy regulations.

Full Transcript


MGT 6727 (Spring Semester 2024) at Georgia Tech, Chapter 6 – as of 02/05/2024 © IAPP

CHAPTER 6 State Comprehensive Privacy Laws

As of the writing of this book, 13 states have adopted comprehensive privacy laws and numerous other states have considered legislation with comprehensive privacy requirements. The path to U.S. states adopting comprehensive privacy laws, which provide similar protections for data to those provided in the EU and other parts of the world, is a long and complex one. As discussed in Chapter 1, the majority of countries in the world have adopted a comprehensive approach to privacy. Many of the laws around the world are modeled on the EU’s General Data Protection Regulation (GDPR) and its comprehensive approach to privacy — or data protection, as it is termed in many parts of the world.

As of this writing, the U.S. lacks a federal law that addresses privacy for all types of personal data. Much of the material presented in other chapters of this book focuses on the federal regulation of privacy in certain sectors, such as HIPAA (see Chapter 8), the GLBA (see Chapter 9), and COPPA (see Chapter 5). Over the years, there have been numerous attempts at the federal level to enact a comprehensive approach to privacy in the U.S. In recent years, pressure has mounted in the U.S. to adopt such legislation, both to better protect individuals’ personal information and to require companies to comply with privacy rules in the U.S. that are similar to those they comply with in other parts of the world. As the federal government in the U.S. has been unable to respond to these calls for regulation by enacting a comprehensive privacy law, states have taken up these issues. California was the first state in the U.S. to pass a state comprehensive privacy law. The history of the California privacy framework, as it stands at the writing of this book, is worth recounting.
The California Consumer Privacy Act (CCPA) was enacted in 2018, with an effective date of January 1, 2020. The CCPA provides a number of consumer privacy rights, such as those found in data protection laws outside the United States—most prominently the GDPR.[1] Almost immediately after passage of the CCPA in 2018, efforts began to amend the law. The ballot initiative known as the California Privacy Rights Act (CPRA) passed in late 2020. The CPRA amended and extended the CCPA, in some respects to be even more similar to the protections provided under the EU’s GDPR.[2] The CPRA became effective January 1, 2023.

California’s enactment of comprehensive privacy requirements is seen as impactful for numerous reasons. The saying “as California goes, so goes the nation” is one such reason. Looking at trends in the privacy space, California was the first state to enact a state data breach notification law, in 2003. All 50 states have now enacted state data breach notification laws. In 2004, California was also the first state to enact a state data security law; as of the writing of this book, approximately two-thirds of states in the U.S. have adopted data security laws.[3] Many believe that a similar trend could emerge over time with comprehensive state privacy laws.

The size and influence of the California economy also mean that the state’s comprehensive privacy requirements affect a substantial number of consumers and businesses. California’s gross domestic product (GDP) ranks it as the fifth largest economy in the world—behind the U.S., China, Japan, and Germany, respectively. Predictions are that California will soon take Germany’s spot as the fourth largest economy in the world.[4] Notably, California’s population is approximately 40 million people.[5] In addition, California is home to many of the world’s largest technology companies as well as to Silicon Valley.

After California enacted its comprehensive privacy requirements, numerous other states either considered or enacted state comprehensive privacy laws. At the writing of this book, more than half the states in the U.S. have considered legislation with comprehensive privacy requirements, and twelve additional states have passed laws with comprehensive privacy requirements. This chapter focuses on California and the four other laws that were in effect in 2023, rather than the laws that were passed in 2023. These laws are the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, and the Virginia Consumer Data Protection Act.

Before continuing, it is important to point out that this chapter uses the name of the state, such as California, when discussing the state’s comprehensive privacy framework, in an effort to avoid confusion. The reason for this naming convention can be illustrated by considering what the acronyms for these laws would be — many are similar to one another.

This chapter begins with a discussion of the lack of a federal comprehensive privacy law in the United States. The chapter then moves to a focus on the state comprehensive privacy laws. The first topic from these laws is key terms, such as “business” and “consumer.” Next, the discussion moves to consumer rights, such as the right to access and the right to correction. Another topic is business obligations, such as notice/transparency and risk assessments. The discussion of these laws concludes with the topic of enforcement. Recognizing that additional states are expected to adopt state comprehensive privacy laws and that states can readily amend these laws and tweak their meaning through rules and regulations, this chapter focuses on trends and outliers among these state laws.
Instead of detailing the requirements of each law enacted at the time of writing, the intent of this chapter is to provide the reader with an approach for examining the laws that have been enacted as well as any that may be enacted in the future. Privacy practitioners should be aware that this is a complex area of law, where a lawyer would likely need to be engaged if a particular company were seeking to ensure compliance with the specific legal requirements in force.

6.1 Lack of Federal Comprehensive Privacy Law

For decades, privacy advocates have encouraged Congress to implement a federal law that would generally address privacy protections for personal data.[6] Although the details of such proposals have evolved over time as technology has changed, the basic idea would be for the U.S. to adopt a comprehensive approach to privacy instead of a sector-based approach. As of the writing of this book, no federal comprehensive privacy law exists. Among numerous recent bills, one novel approach to privacy protection being considered would place fiduciary duties on those companies that handle data, based on the idea that these companies should act in good faith on behalf of consumers.[7]

The passage of numerous state comprehensive privacy laws has increased interest at the federal level in enacting a general U.S. privacy law.[8] This interest is in part because of the belief that, without federal intervention, the number of state laws will continue to increase and include inconsistent requirements.[9] For companies, compliance costs continue to increase, particularly as these state requirements multiply.[10]

In debates about a possible national U.S. privacy statute, one of the most politically charged and complicated issues has been whether and to what extent the new statute would preempt state privacy protections.[11] Preemption occurs when a federal statute overrides an inconsistent state statute, such as the prohibition in the federal Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM) on state laws that expressly regulate the use of electronic mail to send commercial messages. The preemption debate takes place principally between industry, which generally favors broad preemption, and “privacy advocates” — meaning those public interest groups, academics, and others who generally support stricter privacy law. The latter have historically either opposed preemption or sought to narrow whatever preemption exists.[12] With the passage of state comprehensive privacy laws (discussed in Section 6.2), state officials — such as governors and state attorneys general — have publicly opposed broad preemption in a federal approach to comprehensive privacy protections.[13]

For any general U.S. privacy legislation, a complex set of questions concerning preemption would have to be answered. These include:

- Whether state attorneys general would retain the ability to use state consumer protection law to bring civil suits to protect individuals’ privacy
- Whether state tort, contract, and property laws would be preempted
- Whether state medical privacy laws, state financial privacy laws, and state cybersecurity laws would be preempted
- Whether provisions in the federal wiretap law and many other federal privacy laws that permit stricter state laws would be maintained[14]

A second issue has been whether a federal law would include a private right of action, allowing individuals to file suit if a violation occurred instead of simply allowing a government official to fine a company for a violation.
As with preemption, the debate concerning a private right of action typically finds industry opposed to such a right for individuals and privacy advocates supporting a private right of action.[15]

6.2 Overview of State Comprehensive Privacy Laws

Among the state comprehensive privacy laws that have passed as of the writing of this book, there is notable variation even though the similarities can sometimes be striking. When reviewing these laws, there is a natural tendency to want to label one as the strictest and another as the weakest. This approach would oversimplify a complex web of requirements under these state laws. For privacy practitioners, a more helpful approach is to review the historical context of the implementation of these laws coupled with an examination of the types of requirements found in these laws.[16]

As to historical context, it is important to remember that the EU’s GDPR became effective in 2018, which is the same year that California’s CCPA was enacted. Even though the CCPA was amended and extended in 2020 with the enactment of the CPRA, it should not come as a surprise that the individual protections and business requirements in California’s framework mirror those in the GDPR in many ways — though perhaps sometimes in spirit more than in the letter of the law. Even California’s creation of the California Privacy Protection Agency (CPPA), a new agency dedicated to the regulation of privacy protections, was viewed by many as an effort to match California’s approach to the practice in the EU of utilizing a data protection authority (DPA) to investigate complaints and enforce rights.[17]

In both 2021 and 2022, there was a flurry of state activity that resulted in the enactment of four additional state comprehensive privacy laws. Virginia was the second state to enact such a law, and initially Virginia’s law was touted as the pro-business approach to regulation, in contrast to the California approach — viewed as the most privacy-protective as well as the most similar to the GDPR. Once additional states enacted their laws, this distinction — if it ever existed at all — became muddied.

Before looking at the distinctions in these laws, which are important to understand when practicing in this area, it is worth noting that the overall frameworks in these five states have a great deal of similarity and overlap, so much so that some commentators speak of interoperability among these state laws. Each of the laws includes core concepts that allow them to be defined as comprehensive approaches to privacy, including detailed consumer rights and business obligations.[18] That said, the numerous distinctions among these laws provide insight into the intricacies of the comprehensive privacy requirements at the state level.

California defines several terms with a broad brushstroke, which is indeed similar to the EU approach. When determining which entities are subject to regulation, California automatically regulates companies that do business in the state and meet a threshold for annual gross revenues, in addition to including approaches that are similar to those taken by other states. California is alone among the states in including employees in its definition of a consumer. California is also the only state to take an expansive view of the regulated behavior of businesses by including both selling and sharing personal information. California provides consumer rights and imposes business obligations that are structured in a manner similar to the GDPR.
Importantly, the substance of the rights and obligations in California is echoed in the four other states. Notably, however, California lacks certain rights found in Colorado, Connecticut, and Virginia, including the explicit right to appeal to the business to reconsider its decision to deny a request (Utah also lacks this right of appeal).

Colorado, Connecticut, and Virginia have numerous similarities in their regulatory frameworks. These states have similar key terms, consumer rights, and business obligations. Although distinctions exist among these three states on the term “business,” the overall approach is similar, with the differences found in the threshold numbers to qualify as a regulated entity. Each of these three states also provides rights not explicitly provided by California, including the right to opt in to the sale of sensitive personal information and the right to appeal. Although Utah has a regulatory framework that is akin to Colorado, Connecticut, and Virginia, its definition of business is narrower, and it provides fewer rights to consumers and puts fewer obligations on businesses.

In this section, the following topics related to state comprehensive privacy laws will be discussed: key terms, consumer rights, business obligations, and enforcement. As a reminder, the approach taken in this chapter is to provide a framework to assist the reader in understanding the state laws in place at the time of the writing of this book as well as any future state laws that are enacted.[19]

6.2.1 Key Terms

The state comprehensive privacy laws have many commonalities, such as the inclusion of similar key terms. For practitioners, it is important to note that these state laws also have subtle, and sometimes significant, differences. Critical to understanding the scope of each law is knowing which entities must comply with a particular law, which individuals are protected by the law, the type of data of “consumers” that is covered by the law, and the type of activities of “businesses” that are regulated by the law. This section reviews the following key terms: business, consumer, personal information (including sensitive personal information), and sale.[20]

These state laws generally have two main types of exemptions: entity-level exemptions and data-based exemptions. Entity-level exemptions refer to a type of entity that is exempt from the laws. Non-profits, institutions of higher education, and local governments typically fall into this type of exemption under these state laws. The second type of exemption, data-based exemptions, focuses on a class of data that is exempt. An example would be an exemption for data that is covered by a federal law, such as the Driver’s Privacy Protection Act (DPPA) discussed in Chapter 5.

It is worth noting that these state laws often acknowledge that certain data is protected by federal laws, such as HIPAA and the GLBA. The approach taken in these instances varies, with some states exempting the entity from compliance with the state law (entity-level exemptions) and other states exempting only that data which is protected by the federal law (data-based exemptions). Privacy practitioners should be aware that the result of the regulatory approach involving data-based exemptions is that a business may have some data that is exempt from the state law yet hold other data, such as human resources records, that is subject to the state law.

6.2.1.1 Business

The term “business” provides insight into one aspect of the breadth of state comprehensive privacy laws.
California is viewed as having the broadest definition of the term, meaning the greatest number of companies are subject to the requirements of its law. Of the five states with laws in effect in 2023, Utah’s definition of business has the narrowest scope.[21] The term business delineates which entities that conduct business in the state are subject to the requirements of the law.[22] For companies doing business in a state, the following requirements apply:

- In California, the size of the company alone can subject a company to regulation, as California has an annual revenue threshold that subjects an entity to the law’s requirements, regardless of the type of company. A company doing business in California with a total annual gross revenue of $25 million is subject to regulation.
- California, Colorado, Connecticut, and Virginia each have a separate requirement that subjects companies to regulation if they meet the threshold requirement related to the number of consumers in that state whose data is processed. In these states, a company is subject to regulation if it processes the data of at least 100,000 consumers. Notably, Connecticut excludes payment transactions from its calculation.
- In California, Colorado, Connecticut, and Virginia, companies are subject to regulation if they meet a threshold that includes gross revenues from selling or sharing data.
  - California’s threshold is met when a company derives at least 50 percent of its gross revenues from selling or sharing data.
  - In Colorado, Connecticut, and Virginia, the requirement related to gross revenues focuses only on selling data. These three states couple a threshold for processing consumer data with a threshold for gross revenues.
    - In Colorado, a company is subject to regulation when it processes the data of at least 25,000 consumers and derives any revenue or receives any discount on goods or services from selling personal data.[23]
    - In Connecticut, a company is subject to regulation when it processes the data of at least 25,000 consumers and derives at least 25 percent of its gross revenues from selling data.[24]
    - In Virginia, a company is subject to regulation when it processes the data of at least 25,000 consumers and derives at least 50 percent of its gross revenues from selling data.
- As the outlier, Utah takes a multiple-threshold approach that combines a minimum annual gross revenue with other threshold requirements. In Utah, a company is subject to regulation if it has at least $25 million in annual gross revenue and meets one of the following: (1) processes the data of at least 100,000 Utah consumers; or (2) processes the data of at least 25,000 Utah consumers and derives at least 50 percent of its gross revenues from selling data.[25]

These states exclude numerous types of organizations from the definition of business. All five states typically exempt governments and non-profits. Connecticut, Utah, and Virginia exempt institutions of higher education. Colorado and Connecticut exempt registered national securities associations. In addition, the interaction with federal law plays into which entities are covered by these state laws. Connecticut, Utah, and Virginia exempt HIPAA entities. Colorado, Connecticut, Utah, and Virginia exempt GLBA entities. All five states exempt entities covered by the FCRA.[26]

6.2.1.2 Consumer

The definition of consumer in these state laws explains which individuals are covered. Note that privacy rights under these state comprehensive privacy laws are not limited to consumers as commonly understood, that is, individuals who purchase products and services for their own purposes.
All five states define their own residents to be protected by their respective laws. California includes employees in its definition of consumer. Colorado, Connecticut, Utah, and Virginia exclude individuals “acting in a commercial or employment context.”[27]

6.2.1.3 Personal Information

With the definition of personal information (and any accompanying definition of sensitive personal information), these state comprehensive privacy laws move beyond the narrower definition of personal information found in state data breach notification laws (Chapter 7), which is designed to protect individuals from identity theft and fraud. In all five states, the definition of personal information focuses on any data that can be associated or linked with a particular individual. California extends the definition to include the information of the consumer and the consumer’s household. Note that California is the only state to include employment data in its definition of personal information.[28]

California provides examples of the type of data that would generally fall within the definition of personal information in these laws:

- Real name, postal address, email address, Social Security number, driver’s license number, passport number
- Internet protocol (IP) address
- Characteristics of protected classifications under California or federal law (such as race, religion, disability, sexual orientation, and national origin)
- “Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies”
- Biometric information
- Internet and network activity, including “browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement”
- Geolocation information
- “Audio, electronic, visual, thermal, olfactory, or similar information”
- Professional or employment information and certain education information[29]

These state laws have numerous exclusions from the definition of personal information. Although the specific definitions of these terms vary by state, the types of exclusions include:

- Deidentified data. The term deidentified data focuses on data that cannot reasonably fall within the definition of personal information — meaning it cannot reasonably be associated or linked with a particular individual.[30] All five states exclude data that qualifies as deidentified.[31]
- Data that is publicly available. The term publicly available refers to information that is lawfully made available by federal, state, or local governments.[32] All five states exclude from regulation data that is publicly available.[33]
- Aggregate data. The term aggregate data means information relating to a group of consumers where the identities of individual consumers have been removed, meaning that the information is not reasonably linkable to a consumer. California, Utah, and Virginia explicitly exclude aggregate data from the definition of personal information.[34]
- Employee data. The term employee data refers to records kept by businesses related to applicants, employees, and contractors. Connecticut, Utah, and Virginia exclude employment data from regulation. Colorado has this exemption but limits it to employment records.
- Data that is subject to specific federal privacy requirements. These states generally exempt data that is federally regulated, including data subject to HIPAA, the GLBA, the FCRA, and the DPPA. All five states generally exempt data that is regulated under these federal laws.[35]

In all five states, the definition of sensitive personal information includes citizenship; genetic and/or biometric information; physical or mental health conditions; race or ethnicity; religion; and sexual orientation. Some states include additional categories in their definition of sensitive personal information. Colorado, Connecticut, and Virginia define children’s data as sensitive data. California, Connecticut, Utah, and Virginia include geolocation as sensitive data. Notably, California includes additional categories, such as union membership, philosophical beliefs, and the contents of a consumer’s mail, email, and text messages.[36]

6.2.1.4 Sale

In examining the type of business activities that are regulated, each state focuses on the sale of personal data. California also regulates the sharing of personal information. The definition of the term sale varies by state. Utah and Virginia restrict their regulation of a sale to those transactions involving monetary compensation.
The definition of sale in California, Colorado, and Connecticut includes both transactions involving monetary compensation and situations that involve bartering for the data — meaning any exchange for value. Often these laws identify those activities that are not considered to be a sale. These exclusions from the definition of sale often include:

- Disclosures of personal data to a processor for the purpose of processing the data for the business
- Disclosures of personal data to a third party for purposes of providing services or products that are requested by the consumer
- Disclosures of personal data where the consumer directs the business to disclose the personal data or intentionally uses the business to interact with a third party
- Disclosures or transfers of personal data, considered to be an asset, for purposes of a merger, acquisition, or bankruptcy, where the third party assumes control of the business’s stake in the asset[37]

Notably, California also regulates the sharing of personal information. In California, the term “sharing” is defined as “sharing, renting, leasing, disclosing, disseminating, making available, transferring, or otherwise communicating … a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.”[38] Colorado, Connecticut, Utah, and Virginia do not explicitly regulate the sharing of personal information.

6.2.2 Consumer Rights

The state comprehensive privacy laws in California, Colorado, Connecticut, Utah, and Virginia provide a variety of rights to consumers who are covered by these laws. These rights are similar to those found in the GDPR, described in Chapter 14.[39] Under these state comprehensive privacy laws, consumer rights include: right to access; right to correction; right to delete; right to data portability; right to opt out of sales; right to opt out of targeting/cross-context behavioral advertising; right against automated decision-making; right concerning sensitive personal information; and right to non-discrimination.[40] In most instances, all five states provide these rights, with Utah as the outlier in its treatment of certain rights.

It is worth noting that a consumer exercises these rights by making a request of a business, such as a request to delete personal information or a request to opt out of sales. Each state provides a defined period of time for a timely response by businesses. Colorado, Connecticut, Utah, and Virginia allow businesses 45 days to respond, and permit an additional 45 days for response “when reasonably necessary.” Although California takes this approach with certain types of requests from consumers, the state alters the approach for opt-out requests. In California, when a consumer asks to opt out, the business is given 15 days to comply.[41]

In addition, certain states provide consumers with the ability to ask the business for reconsideration of denied requests, known as the right to appeal. Colorado, Connecticut, and Virginia provide consumers with this right to appeal. Consumers in California and Utah are not explicitly afforded this opportunity.[42]

This subsection provides details on these consumer rights and discusses which states provide each right, as of the writing of this book. Importantly, an individual state may provide additional consumer rights not detailed here.

6.2.2.1 Right to Access

Under this right, consumers generally have the ability to access specific pieces of personal information collected or held by businesses.
The details of this right vary by state, with consumers having access to the personal information or categories or personal information collected by the business; access to the personal information or categories of personal information shared with third parties; and/or access to the third parties or categories of third parties with which the personal information was shared. As part of this right, the consumer is typically able to confirm whether the business is processing the consumer’s personal data. All five states provide consumers with the right to access. 43 6.2.2.2 Right to Correction The right to collection means that consumers have the ability to correct inaccuracies in the personal information collected or held by businesses. Consumers in California, Colorado, Connecticut, and Virginia have the right to correction. Consumers in Utah lack this right. 44 6.2.2.3 Right to Delete Consumers have the right to delete the personal information held by a business, unless an exception applies. 45 The exceptions generally override the right when the personal information at issue is needed to for a specific permitted purpose. Examples of these exceptions include 9 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 6 – as of 02/05/2024 © IAPP completing a transaction requested by a consumer, detecting or protecting against security incidents, and complying with legal obligations. 46 In all five states, consumers have the right to delete. In Colorado, Connecticut, and Virginia, this right applies to all personal information held by the business. California and Utah limit this right to personal information collected from the consumer by the business. 47 California adds a requirement that the business must notify service providers, contractors, and third parties (if possible) to delete a consumer’s personal information. 
48

6.2.2.4 Right to Data Portability

The right to data portability means that data, which is in “a readily useable format,” should be made available to the consumer to facilitate the consumer’s ability to provide the information to another entity. This provision reflects a policy aimed to support consumers’ ability to transfer their personal information from the initial business to a different destination. 49 All five states provide consumers with the right to data portability. 50

6.2.2.5 Right to Opt Out of Sales

The right to opt out of sales means that the consumer can choose to opt out of the sale of personal information held by businesses. It is important to recall that “sale” is a defined term under these laws. In all five states, the definition of a sale refers to monetary transactions. In California, Colorado, and Connecticut, the term sale is also defined to include any other exchange for value. In all five states, consumers have the right to opt out of sales. 51 California extends this right to provide consumers with the right to opt out of sharing of personal information.

6.2.2.6 Right to Opt Out of Targeting/Cross-Context Behavioral Advertising

The right to opt out of targeting/cross-context behavioral advertising means that the consumer can choose to opt out of advertising selected based on personal information collected about the consumer over time from a variety of online sources. In Colorado, Connecticut, Utah, and Virginia, consumers have the right to opt out of targeting/cross-context behavioral advertising. California likely provides this protection through the right to opt out of the selling or sharing of personal information. 52

6.2.2.7 Right Against Automated Decision-Making

The right against automated decision-making means that the consumer can choose to opt out of automated processing of personal information that results in decisions about the consumer and/or profiling of the consumer.
California, Colorado, Connecticut, and Virginia provide consumers the right against automated decision-making. Utah does not provide this right. 53

6.2.2.8 Right Concerning Sensitive Personal Information

The right concerning sensitive personal information means that the consumer has a right related to how their sensitive personal information is handled by businesses. In Colorado, Connecticut, and Virginia, a business needs consent to process this data, meaning that the consumer needs to opt in. It is worth noting that these three states define children’s data as sensitive personal information. In Utah, businesses must provide notice, and the opportunity for consumers to opt out. California’s approach is more complex, with businesses either able to, in essence, self-restrict to certain uses of sensitive personal information or to provide consumers notice and an opportunity to opt out. 54

6.2.2.9 Right to Non-Discrimination

The right to non-discrimination means that businesses cannot discriminate against consumers for exercising their rights under these laws. Although the specifics for each state vary, examples of prohibited activity may include: (1) businesses may not deny goods or services; (2) businesses may not charge different prices; and (3) businesses may not degrade (or provide different) quality in goods or services. All five states prohibit businesses from discriminating against consumers who exercise any of the rights in the respective laws. 55

6.2.3 Business Obligations

The state comprehensive privacy laws in California, Colorado, Connecticut, Utah, and Virginia impose a variety of obligations on businesses that are covered by these laws. These obligations are similar to the key principles found in the GDPR.
Although specific requirements vary by state, the core business obligations in these state laws are quite similar: notice/transparency requirements; opt-in default for children’s data; purpose/processing limitations; risk assessments; and security requirements. 56 In most instances, all five states impose these business obligations, with Utah as the outlier in its treatment of certain obligations.

6.2.3.1 Notice/Transparency Requirements

The notice/transparency obligation means that a business is required to provide consumers with notice of certain data practices, privacy programs, and/or privacy operations.

Privacy notice. All five states mandate that a business provide consumers with a privacy notice. The core requirements for the privacy notice are similar in all five states. These core requirements include explaining: categories of data; purpose for processing each category of data; any sale and how to opt out; categories of data shared with third parties; and how to exercise consumer rights. California requires further elements in the privacy notice, such as the duration of retention of each category of personal data as well as the categories of sensitive personal data. 57

Notice of right to opt out. All five states require that businesses provide consumers with notice of the right to opt out and a conspicuous method to allow consumers to exercise these rights. 58 In California, businesses that sell or share personal information must provide a link on the business’s web pages that says “Do Not Sell or Share My Personal Information.” For those businesses that use or disclose sensitive personal information, California requires the businesses to have a “Limit the Use of My Personal Information” link on their websites. 59

Notice at point of collection. Notice at point of collection is required by one state.
California requires that consumers be informed “at or before the point of collection” about the categories of personal data collected and the purposes of their use. Colorado, Connecticut, Utah, and Virginia do not require this notification. 60

6.2.3.2 Opt-in Default for Children’s Data

Opt-in default can be viewed as a type of age requirement where a business is obligated to obtain consent from a consumer under a certain age before handling their data in specific ways. The detailed implementation of these laws can be quite complicated, as parental consent is likely required for children under the age of 13. 61 California requires that businesses obtain opt-in consent to sell or share personal information of consumers under the age of 16. Connecticut requires that businesses obtain opt-in consent from consumers under the age of 16 (but at least 13 years old) to sell their personal information or to process their personal information for targeted advertising. As a reminder, Connecticut as well as Colorado and Virginia treat the personal information of consumers under the age of 13 as sensitive personal information — requiring opt-in consent from these consumers to process their data. 62 Utah requires opt-in consent for the processing of personal information of consumers under the age of 13.

6.2.3.3 Purpose/Processing Limitations

Purpose/processing limitations mean that a business is prohibited from collecting and/or processing personal information except for a specific purpose. In California, Colorado, Connecticut, and Virginia, businesses are obligated to enact purpose and/or processing limitations.
Typically, the terms “necessary” and “proportionate” are used in describing the restrictions related to the purpose and/or processing by the business, which is similar to the approach in the GDPR. Utah does not impose this obligation on businesses. 63

6.2.3.4 Risk Assessments

The risk assessment obligation means that a business is required to conduct a formal risk assessment related to privacy and/or cybersecurity. In states requiring risk assessments, businesses are required to conduct risk assessments for processing that presents a “heightened risk of harm to a consumer.” The processing activities that can trigger the need for a risk assessment include:

- Processing personal information for the purpose of targeted advertising
- Selling personal data
- Processing sensitive data
- Processing personal data for profiling under certain circumstances

California, Colorado, Connecticut, and Virginia require businesses to undertake risk assessments. Utah lacks this requirement. 64

6.2.3.5 Security Requirements

Security requirements mean that a business is obligated to ensure security measures are in place related to data, including “reasonable administrative, technical, and physical data security practices” that are designed to protect the confidentiality and the integrity of the data. All five states require businesses to ensure security measures are in place related to data. 65

6.2.4 Enforcement

Variations exist among the states for the enforcement of these state comprehensive privacy laws. This subsection examines the penalties for noncompliance; who enforces the law; and whether there is a period for a business to cure a violation.
This discussion concludes by examining the absence of a private right of action in most of these state laws and briefly mentions the limited private right of action in California, noting that this right is primarily directed toward breaches. 66

6.2.4.1 Penalties

Although all five states can impose penalties for noncompliance, the amount per violation varies. In California, civil penalties can be up to $2,500 for typical violations and up to $7,500 for intentional violations. 67 In Utah and Virginia, civil penalties can reach $7,500 per violation. In Colorado, violations are treated as “deceptive trade practices” under Colorado’s Consumer Protection Act, where fines can be up to $20,000 per violation. In Connecticut, violations are treated as “unfair trade practices” under Connecticut’s Unfair Protection Act, where fines can be up to $5,000 per willful violation. 68

6.2.4.2 Enforcer

With regard to who enforces the state comprehensive privacy law, the state attorney general has either sole or joint enforcement power in each of these states. 69 In Virginia and Utah, the state attorney general is solely responsible for enforcement. In Connecticut, the state attorney general works in conjunction with the Division of Consumer Protection to enforce the law. In Colorado, both the state attorney general and local district attorneys have the power to enforce the law. Although the details of California’s enforcement approach are beyond the scope of this book, both the state attorney general and the CPPA have the power to enforce the requirements in California. 70

6.2.4.3 Cure Period

In certain states, a business is given a specified number of days to address a violation without being subject to sanction. This is known as a cure period, where the enforcer must notify the business of the violation and permit the business a set number of days to rectify the violation. The states split on the topic of a cure period.
California initially had a cure period, but it expired prior to the writing of this book. Colorado and Connecticut currently have a cure period, which is set to sunset, or expire, on December 31, 2024. Utah and Virginia have a cure period of 30 days, with no statutory date when the cure period ends. 71

6.2.4.4 Private Right of Action

It is worth noting, particularly in light of the contention at the federal level over a private right of action in proposed comprehensive privacy legislation, that none of the five state comprehensive privacy laws discussed in this section have a traditional private right of action. Colorado, Connecticut, Utah, and Virginia do not provide consumers with a private right of action as part of their laws. California does not include an expansive private right of action related to the consumer rights discussed in this chapter. Instead, California provides a limited private right of action related to security breaches that compromise personal information — as defined in California’s data breach notification law (see Chapter 7) — as well as usernames and passwords that permit access to accounts. 72

6.3 Conclusion

In the absence of a comprehensive privacy law at the federal level in the U.S., more than half of the states have considered legislation with comprehensive privacy protections. As of the writing of this book, 13 states have enacted these laws. Five of these laws were in effect in 2023. Although these state laws vary in their detail, each of the five laws this chapter looks at addresses consumer rights and business obligations that are similar to those found in the GDPR. As more of these state laws are likely to pass, commentators suggest pressure will continue to mount to enact a federal law in the U.S.
that addresses comprehensive privacy protections.
