Counting Down to New State Privacy Laws
The countdown is on: In 2023, three states will enact new comprehensive data privacy laws, requiring businesses to assess (1) whether they need to comply, and (2) how to accomplish compliance. In California, the California Privacy Rights Act of 2020 (“CPRA”) will replace the California Consumer Privacy Act of 2018 (“CCPA”) beginning on January 1, 2023. Virginia’s Consumer Data Protection Act (“VCDPA”) will also be effective January 1, 2023. On July 1, 2023, Colorado’s Privacy Act (“CPA”) will take effect.
Businesses may find it challenging to determine how to most efficiently abide by the new laws, given the differing components of each. Below is a comparison of some of the key provisions in the CPRA, VCDPA, and the CPA.
A Comparison of the New Data Privacy Laws in Colorado, Virginia, and California
Scope
- All three Acts will apply to businesses that control or process the personal data of 100,000 or more consumers per year.
- The CPA will also apply to businesses that control or process the personal data of 25,000 or more consumers and derive revenue or receive a discount on the price of goods or services from the sale of personal data. In slight contrast, Virginia’s Act will apply to businesses that control or process the personal data of 25,000 or more residents and derive more than 50 percent of their gross revenue from the sale of personal data.
- California’s Act will also apply to businesses that have an annual gross revenue exceeding $25 million or that derive 50 percent or more of their annual revenues from selling or sharing consumers’ personal information.
- Note that all three Acts provide exemptions for certain businesses that are already regulated under other federal laws.
Consumer Rights
- All three Acts provide similar consumer rights and include many new rights for consumers, including special protections for “sensitive” personal information like race, religion, and sexual orientation. Virginia’s and Colorado’s Acts require covered entities to obtain a consumer’s consent before processing sensitive personal information. This “opt-in” provision is not included in California’s law.
- Colorado’s mandatory “user-selected universal opt-out mechanism” is not required by either the California Act or the Virginia Act.
- All three Acts give consumers the right to request that a business correct inaccurate personal data it maintains about them.
- All three laws require a business to respond to a consumer’s request for information within 45 days, though a 45-day extension is possible.
Enforcement
- Virginia’s Act and Colorado’s Act do not provide for a private right of action.
- California’s Act, however, does provide a private right of action, and the CPRA creates a new state agency, the California Privacy Protection Agency, to enforce the Act. There is no cure period (unlike the CCPA).
- The Virginia Attorney General has exclusive authority to enforce the VCDPA. The AG must provide a 30-day cure period prior to initiation of any action under the Act.
- The Colorado Attorney General and Colorado district attorneys have exclusive authority to enforce the CPA. Through January 1, 2025, a 60-day cure period must be provided prior to initiation of any action under the Act.
Compliance
Businesses covered by the new data privacy laws should:
- Implement cybersecurity safeguards;
- Create and communicate to consumers a process by which consumers may submit a request regarding their personal data and subsequently appeal a decision;
- Provide a clear and conspicuous notice informing consumers that they have the right to opt out of targeted advertising and sales of their personal data;
- Establish a user-selected universal opt-out mechanism by July 1, 2024;
- Update their Privacy Policy to explain their collection and use of data;
- Update their contracts with third parties to ensure that they comply with the laws;
- Obtain consumers’ informed consent before collecting sensitive data; and
- Establish a procedure to determine when to conduct a data protection assessment.
Although the new data privacy laws do not go into effect until 2023, it is never too early to start assessing your company’s data privacy obligations and begin working toward compliance. Koley Jessen will continue to monitor developments related to the new laws and advise as updates become available. If you have questions on whether your business needs to comply with the new data privacy laws and what steps you must take to comply with the new laws, please contact one of the specialists in Koley Jessen’s Data Privacy and Security Practice Area.
Special thanks to Kayla Sullivan, Koley Jessen Summer Associate, for her contributions to this article.
This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.