November 27, 2022

Volume XII, Number 331


New Wave of Consumer Privacy Regulation: What Businesses Need to Know

For businesses that collect, process, and explore innovative uses of personal information, last month marked a watershed moment in the ongoing evolution of the U.S. regulatory landscape. Cracking down on the cosmetics brand Sephora, California’s attorney general announced the first enforcement settlement under the new wave of comprehensive state privacy laws that began with the California Consumer Privacy Act (CCPA) and continues with a number of new laws set to take effect across the country in 2023.

History of U.S. Privacy Regulation

Historically, U.S. privacy regulation has applied three primary frameworks:

  1. Sector-specific laws that tightly police the uses and disclosures of personal information in certain industries (think HIPAA for health care information, FERPA for education records, GLBA for financial information)

  2. Activity-specific laws that regulate certain uses of personal information considered particularly invasive (think ECPA for wiretapping, COPPA for children’s online privacy, CAN-SPAM for email marketing, and TCPA for phone and text message marketing)

  3. General prohibitions against false or misleading disclosures to consumers regarding how their information will or will not be treated.

In essence, this has meant that, unless your business operates within a heavily regulated sector or engages in fairly obviously sensitive activities, your exposure to privacy enforcement or litigation should be negligible, as long as your data operations don’t directly conflict with your express privacy notices.

But that model is rapidly changing, with California, Virginia, Colorado, Connecticut, and Utah enacting generally applicable (not industry-specific or activity-specific) laws that impose a number of affirmative obligations and substantive restrictions poised to reshape what covered businesses must and cannot do with personal data. And more such laws may be coming, including in New England and at the federal level.

Sephora's Mistakes

What did Sephora get wrong, according to California? Through its use on its website of third-party tracking technologies for analytics and advertising purposes, Sephora sold consumer personal information, failed to tell consumers it was selling their personal information, and did not allow consumers to opt out of the sale of their personal information.

This enforcement settlement, which focused on nearly ubiquitous third-party tracking technologies, is a sobering reminder that all businesses need to evaluate their compliance with the new wave of state laws – not just CCPA, which has been in effect since 2020, but also the new laws taking effect in 2023 and beyond, which build on and extend CCPA by regulating additional categories of activity and empowering individuals with new rights.

New Consumer Privacy Series

In the weeks and months ahead, Pierce Atwood’s cross-disciplinary privacy and cybersecurity team will post a series of short articles highlighting aspects of the new laws that are particularly important to our client base, with a focus on midsize and small businesses that may be wrestling with privacy compliance and regulatory and litigation exposure for the first time.

It is important to note that, whether or not your business is currently subject to one or more of these new state privacy laws (and we will certainly devote space in our series to the laws’ applicability), we encourage you to pay attention to the general themes we will be highlighting.

Even if your business is not subject to any of these laws today, there is a good chance it will be at some point in the near future, and knowing what these laws restrict and require can be a significant advantage in ensuring your products, services, and business operations can withstand with minimal disruption the impacts of new privacy laws sure to follow. These laws also reflect an underlying shift in how consumers expect businesses to treat their personal information, making them a useful tool for thinking about privacy-related reputational and consumer trust best practices.

©2022 Pierce Atwood LLP. All rights reserved. National Law Review, Volume XII, Number 273

About this Author

Vivek J. Rao Data Privacy Attorney Boston

Vivek Rao emphasizes client-tailored, practical approaches to helping businesses maximize the tremendous commercial opportunities and evolving legal challenges of the technology economy.

His clients range from Fortune 500 companies in highly regulated industries to family-owned New England businesses to sophisticated start-ups commercializing innovative software and data-driven services.

Vivek focuses his practice in the following areas:

  • Technology Transactions: ...

Melanie Conroy Commercial Litigation Attorney Pierce Atwood Law Firm

Melanie Conroy focuses her practice on class action defense and complex commercial litigation. She has represented clients in connection with internal, government, and regulatory investigations, and has counseled boards of directors, board committees, and senior management on a broad range of matters, including securities, corporate governance, disclosure, and regulatory issues.

Melanie represents businesses and organizations across a wide range of industries, including life sciences, financial services, insurance, private equity, real estate, energy, media, consumer electronics,...

Ariel Pardee IP Attorney Pierce Atwood Law Firm

Ariel Pardee works with the Business Practice Group on a wide range of commercial transactions, and with the IP and Data Security teams in areas including cybersecurity, privacy, intellectual property, and technology transactions.

Ariel graduated magna cum laude from the University of Maine School of Law, where she also received a Certificate in Information Privacy Law. Ariel is a Certified Information Privacy Professional in U.S. Law (CIPP/US) and European Law (CIPP/E). While in law school, Ariel received the 2018 Information Privacy and 2018 Commercial Law Awards, and was...