May 26, 2022

Volume XII, Number 146


Countdown to State Law Privacy Compliance: 10 Months to Go | New Rules for Sensitive Personal Data

As noted in our intro alert for this series, new omnibus privacy laws are coming to Virginia and Colorado and California’s existing comprehensive privacy law has been further modified by the CPRA. Don’t wait to implement your compliance updates as it could require changes to your operations. These state privacy laws can even apply to businesses that do not have offices or employees in that state. The new laws can also reach activities conducted outside of the applicable state. See our prior alert to see if these state laws apply to your business.

California’s, Virginia’s and Colorado’s state privacy laws have broad definitions of personal information and special rules for the subcategory of sensitive personal information or sensitive personal data (for purposes of this alert, all referred to as “SPI”). In general, personal information means information that can, directly or indirectly, link or be linked to a specific individual (and in the case of California, a household). The laws also introduced the concept of “sensitive” personal information, but the states define SPI differently as noted in the chart below.

An organization needs to understand where it holds and how it uses this new subcategory of personal data because each state gives its consumers choices related to use of this data. California gives consumers the right to limit sensitive data processing. California does not have an “opt-in” model, in contrast to Virginia and Colorado’s treatment of SPI. Virginia gives consumers the right to opt in before companies can collect SPI. Virginia also requires companies to conduct risk assessments prior to processing SPI. An amendment to Virginia’s law has been proposed to carve out the opt-in requirement if the data is being used purely for marketing or other related purposes (meaning not something that could produce a legal or discriminatory decision). Colorado also gives consumers the right to opt in before companies can collect SPI, but the definition of what “consent” means differs between Colorado and Virginia. Colorado also requires companies to conduct risk assessments prior to processing SPI. All three laws require companies to be transparent regarding their processing of SPI.

In addition to locating SPI across operations in order to better address data subject requests, companies should also appropriately secure SPI to help mitigate other compliance risks. For example, while the CDPA and CPA define SPI more closely to concepts under European law, many of the SPI data elements defined by the CPRA overlap with categories of data that can trigger California’s breach notification law. California has a private right of action if a company fails to maintain reasonable security measures to protect this data and it leads to a compromise of the data, which also opens the door to broader CPRA compliance scrutiny and liability.

Sensitive Personal Information Defined

[Chart comparing the CPRA, CDPA and CPA definitions of SPI; not reproduced in this extraction.]

Notwithstanding the broader definitions of personal data and SPI under these laws, certain types of information are excepted from the laws as noted below (exempted entities are separately addressed in our prior alert).

Data Exceptions to SPI

[Table of data exceptions under the CPRA, CDPA and CPA; not reproduced in this extraction.]

The information contained in the tables above is a condensed summary and is not exhaustive of all legal requirements, potential exceptions or variables under the referenced laws. This overview does not substitute for considering the legal requirements in their entirety or in light of facts specific to a particular organization.

Footnotes

1 Under CPRA, “deidentified” means “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that the business using the deidentified information: (1) takes reasonable measures to ensure that the information cannot be associated with a consumer or household; (2) publicly commits to maintain and use the information in deidentified form and not attempt to reidentify the information, except the business may attempt to reidentify the information solely for the purposes of determining whether its deidentification processes satisfy the requirements of this part; and (3) contractually obligates any recipients of the information to comply with all provisions of this section.” Cal. Civ. Code § 1798.140(m).

2 Under CDPA, “deidentified” means “data that cannot reasonably be linked to an identified or identifiable natural person, or a device linked to such person.” Va. Code Ann. § 59.1-575.

3 Under CPA, “deidentified” means “data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual, if the controller that possesses the data: (a) takes reasonable measures to ensure that the data cannot be associated with an individual; (b) publicly commits to maintain and use the data only in a deidentified fashion and not attempt to re-identify the data; and (c) contractually obligates any recipients of the information to comply with the requirements of this subsection (11).” Colo. Rev. Stat. Ann. § 6-1-1303(11).

Copyright © 2022 Womble Bond Dickinson (US) LLP All Rights Reserved. National Law Review, Volume XII, Number 55

About this Author

Tara Cho CIPP/US CIPP/E Data Security Attorney Womble Bond
Partner

Tara focuses her practice on privacy and data security issues across multiple industries such as technology, retail, e-commerce, and life sciences, with an emphasis on compliance risks and regulatory requirements affecting the healthcare sector. Tara became certified as a legal specialist in Privacy and Information Security Law by the North Carolina State Bar Board of Legal Specialization in 2018 as part of the inaugural class of specialists in this field – one of just 10 attorneys in the state to hold this certification.

She helps clients with all aspects of privacy and data...

919-755-8172
Theodore Claypoole, Intellectual Property Attorney, Womble Carlyle, private sector lawyer, data breach legal counsel, software development law
Partner

As a Partner of the Firm’s Intellectual Property Practice Group, Ted leads the firm’s IP Transaction Team, as well as data breach incident response teams in the public and private sectors. Ted addresses information security risk management and cross-border data transfer issues, including those involving the European Union and the Data Protection Safe Harbor. He also negotiates and prepares business process outsourcing, distribution, branding, software development, hosted application and electronic commerce agreements for all types of companies.

...

704-331-4910
Nadia Aram, Womble Carlyle, Intellectual Property Attorney, technology licensing lawyer, commercial agreements legal counsel, private securities law
Of Counsel

Nadia advises clients in a variety of business transactions involving the use and commercialization of intellectual property and technology. She has experience drafting and negotiating a broad variety of contracts, including technology licenses, services, consulting and other complex commercial agreements to help clients realize the value of their assets day-to-day, and as part of strategic product and technology acquisitions and divestitures. Nadia also practices in the areas of franchise law, and advertising, sweepstakes & promotions law, including advising clients...

919-755-2119
Taylor Ey, Intellectual property attorney, Womble Carlyle, Law Firm
Associate

Taylor is an associate in the Intellectual Property Practice Group in Womble Carlyle’s Research Triangle Park Office.

Education

J.D. | 2016 | Wake Forest University School of Law | cum laude | Notes and Comments Editor, Wake Forest Law Review, 2015-2016 | Teaching Assistant, Legal Analysis, Writing and Research I & II, Writing for Judicial Chambers

M.S. | 2012 | The Ohio State University | Biomedical Engineering

B.S. | 2011 | The Ohio State University | Biomedical Engineering | Minor, Life Sciences | cum laude

919-484-2306
Christine Xiao Attorney Intellectual Property Womble Bond Dickinson Raleigh
Associate

Christine Xiao focuses her practice on intellectual property transactions, privacy and cybersecurity, and technology commercialization. She has experience performing claims analysis for pending patents on new technologies, reviewing foreign third-party vendors to ensure compliance with anti-corruption statutes, and collaborating to assess risks related to customer and employee data use.

Prior to joining the firm, Christine worked as a research technician for Duke University Medical Center in the Department of Pharmacology and Cancer Biology.

919-755-2143