A Coast-to-Coast Tour of U.S. State Privacy Legislation
The Quick Take
- Five U.S. states have enacted stringent data privacy and protection laws, with many more bills, including a possible federal law, pending in legislature.
- Data privacy has become an unavoidable business imperative in the U.S., driven by regulation and consumer demand.
- Organizations need flexible, proactive data privacy programs that can scale alongside the changing landscape.
In the U.S., 16 states have either passed or are legislating comprehensive consumer privacy laws. In California, CCPA is already active and will be bolstered when CPRA takes effect on January 1, 2023. Four additional states — Colorado, Connecticut, Utah and Virginia — have passed laws that will become effective in 2023. Connecticut’s recently passed law emulates many of the key principles of CPRA. Many more bills are on the way, including the recently drafted American Data Privacy and Protection Act, which was introduced in early June.
Organizations operating across state lines must now track exposure under and establish compliance with an ever-growing list of state-based data protection frameworks. The IAPP provides a tracker of state-by-state privacy legislative activity, which is a useful resource for legal, privacy and compliance teams to stay abreast of what’s happening in jurisdictions where they operate. Organizations must also ensure they understand exactly how the nuances of each law may impact their policies, practices and compliance posture. As a starting point, below is an overview of the key things teams need to understand and initial steps to take for the wave of U.S. privacy laws that will soon come into force.
California Privacy Rights Act (CPRA)
CPRA was designed to add teeth to CCPA and align it more closely with the standards of GDPR. Any company currently obligated under CCPA will be likewise impacted by CPRA. Notable CPRA updates include additional data subject rights, including the right to correct, opt out of sharing and profiling and limiting the processing of sensitive personal information; stricter definitions around what constitutes the sale of data; and the establishment of the California Privacy Protection Agency. Fellow FTI Technology privacy expert Ryan Smyth wrote a detailed article on the passage of CPRA, which provides additional insights into CPRA’s requirements and actions businesses operating in California need to consider.
Colorado Privacy Act (CPA)
The CPA, which will be effective in July 2023, applies to organizations either operating in Colorado or targeting products or services to Colorado residents and that either (1) control or process personal data of 100,000 residents or more or (2) derive revenue from the sale of personal data and control or process the personal data of 25,000 or more Colorado residents. CPA’s applicability does not include a revenue threshold and therefore may impact a wider set of businesses than some other state privacy laws. Data subject rights under CPA include the right to opt out of targeted advertising, profiling and sale of personal data. The CPA also establishes requirements to obtain consent prior to processing sensitive data and for completion of data protection assessments for certain processing activities.
Connecticut Data Privacy Act (CTDPA)
Passed in May of 2022, CTDPA will take effect July 1, 2023. Similar to CPA, the CTDPA does not include a revenue threshold. It will apply to those who either (1) control or process personal data of 100,000 Connecticut residents or more or (2) derive more than 25% of their gross revenue from the sale of personal data and control or process the personal data of 25,000 or more Connecticut residents. The CTDPA provides data subject rights similar to those under the CPA and CDPA, and like each of those laws it will require controllers to complete data protection assessments for certain processing activities.
Utah Consumer Privacy Act (UCPA)
Passed in March of 2022, UCPA shares many similarities to new frameworks in Colorado and Virginia, but is less stringent in terms of the scope of data subject rights and business obligations. For example, consumers will have rights with respect to their personal data, including the rights of access and deletion and the right to opt out of sale and targeted advertising. They will not have a right to rectification or to opt out of automated decision making. Businesses must provide consumers a transparent privacy notice and the ability to opt out of processing sensitive data but the UCPA does not require consent to process sensitive data, nor will UCPA require organizations to conduct data protection assessments. Unlike the CPA and CDPA, the UCPA contains an annual revenue threshold. It will apply to data controllers and processors with annual revenue of $25,000,000 that either (1) control or process personal data of 100,000 or more Utah consumers during a calendar year or (2) derive more than fifty percent of gross revenue from the sale of personal data and control or process the personal data of 25,000 or more Utah consumers.
Virginia Consumer Data Protection Act (CDPA)
Virginia’s CDPA imposes obligations on businesses to protect the personal information of residents, including securing personal data, limiting use of personal data to disclosed purposes and flow down of the law’s requirements from data controllers to processors receiving personal data. The law establishes consent requirements for processing of sensitive data and robust data subject rights similar to those under CPA. It also requires data controllers to conduct data protection assessments and maintain certain data protection agreements with third party processors. Deana Uhl and Simon Gaillard from FTI Technology’s Information Governance, Privacy & Security practice authored an article in Law Technology Today that further discusses the most significant aspects of the CDPA.
Privacy, compliance and legal teams must think strategically about data privacy as a business imperative as state requirements expand. Scalability will be a key factor in an organization’s overall data privacy “success.” Initial steps that can be taken to prepare for impending laws and establish flexible, scalable privacy programs include:
- Review of Privacy Program Scope, Framework and Notice. Determine whether new privacy laws apply to the organization by understanding the personal information collected and processed and reviewing the applicability of new laws. A governing framework should be developed to serve as a baseline for privacy program implementation and to aid in Privacy by Design sustainability.
- Create or Update the Organization’s Data Map. A current data map is essential to identify and document what personal information and sensitive data the organization is collecting, using and storing, as well as where it resides and how it flows throughout the organization.
- Update or Establish Data Protection Assessment Templates. These are critical to identifying inherent privacy risks in data processing activities and associated controls. Conduct regular data protection assessments for processing activities as prescribed in each applicable regulation and identify appropriate and timely assessment points within business processes.
- Enable Opt-Out. Develop scalable processes that make it easy for consumers to opt out of targeted advertising, profiling and sale of their data and to respond to and fulfill data subject rights requests.
- Support Training and Awareness. Privacy trainings and privacy-related job aids should be updated to account for new obligations that organizations have under emerging privacy frameworks and changes to consumer’s data subject rights.
Pressure is mounting for U.S. lawmakers to introduce a sweeping federal law that encompasses and unifies state legislation. Until then however, businesses will be faced with navigating an ever-growing patchwork of requirements. Teams should work to establish privacy programs that meet or exceed the highest level of existing obligations and are flexible enough to adapt when those obligations change or expand.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.