For businesses that collect, process, and explore innovative uses of personal information, last month marked a watershed moment in the ongoing evolution of the U.S. regulatory landscape. Cracking down on the cosmetics brand Sephora, California’s attorney general announced the first enforcement settlement under the new wave of comprehensive state privacy laws that began with the California Consumer Privacy Act (CCPA) and continues with a number of new laws set to take effect across the country in 2023.
History of U.S. Privacy Regulation
Historically, U.S. privacy regulation has applied three primary frameworks:
Sector-specific laws that tightly police the uses and disclosures of personal information in certain industries (think HIPAA for health care information, FERPA for education records, GLBA for financial information)
Activity-specific laws that regulate certain uses of personal information considered particularly invasive (think ECPA for wiretapping, COPPA for children’s online privacy, CAN-SPAM for email marketing, and TCPA for phone and text message marketing)
General prohibitions against false or misleading disclosures to consumers regarding how their information will or will not be treated.
In essence, this has meant that, unless your business operates within a heavily regulated sector or engages in fairly obviously sensitive activities, your exposure to privacy enforcement or litigation should be negligible, as long as your data operations don’t directly conflict with your express privacy notices.
But that model is rapidly changing, with California, Virginia, Colorado, Connecticut, and Utah enacting generally applicable (not industry-specific or activity-specific) laws that impose a number of affirmative obligations and substantive restrictions poised to reshape what covered businesses must and cannot do with personal data. And more such laws may be coming, including in New England and at the federal level.
What did Sephora get wrong, according to California? Through its use on its website of third-party tracking technologies for analytics and advertising purposes, Sephora sold consumer personal information, failed to tell consumers it was selling their personal information, and did not allow consumers to opt out of the sale of their personal information.
This enforcement settlement, which focused on nearly ubiquitous third-party tracking technologies, is a sobering reminder that all businesses need to evaluate their compliance with the new wave of state laws – not just CCPA, which has been in effect since 2020, but also with the new laws taking effect in 2023 and beyond that build off of and extend CCPA by regulating additional categories of activity and empowering individuals with new rights.
New Consumer Privacy Series
In the weeks and months ahead, Pierce Atwood’s cross-disciplinary privacy and cybersecurity team will post a series of short articles highlighting aspects of the new laws that are particularly important to our client base, with a focus on midsize and small businesses that may be wrestling with privacy compliance and regulatory and litigation exposure for the first time.
It is important to note that whether your business is currently subject to one or more of these new state privacy laws (and we will certainly devote space in our series to the laws’ applicability), we encourage you to pay attention to the general themes we will be highlighting.
Even if your business is not subject to any of these laws today, there is a good chance it will be at some point in the near future, and knowing what these laws restrict and require can be a significant advantage in ensuring your products, services, and business operations can withstand with minimal disruption the impacts of new privacy laws sure to follow. These laws also reflect an underlying shift in how consumers expect businesses to treat their personal information, making them a useful tool for thinking about privacy-related reputational and consumer trust best practices.