The State of the State Privacy Laws: A Comparison
Wednesday, December 1, 2021

On July 7, 2021, Colorado became the third state to enact a comprehensive privacy law. The Colorado Privacy Act (CPA) has elements in common with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) and largely tracks the new Virginia Consumer Data Protection Act (VCDPA). Only the CCPA is currently in effect; the CPA, CPRA, and VCDPA will take effect in 2023. All these laws impose new obligations on businesses and provide residents of these states with new rights regarding the collection and use of their personal information. While there are many similarities among the laws, there are also some key differences, as set forth in the table below.

All the laws define the term “personal information” or “personal data” broadly. Unlike the CCPA, however, both the CPA and the VCDPA borrow terms and definitions from the EU General Data Protection Regulation (GDPR), such as “controller” and “processor” when referring to covered entities and their service providers, respectively, and “personal data.” In addition, the CPA and the VCDPA require covered entities to conduct data security assessments for data processing activities that present a “heightened” risk of harm, such as profiling, selling personal data, processing sensitive personal data, and engaging in targeted advertising. The CPRA adds a risk assessment requirement to the CCPA. Unlike the CCPA, which allows a private right of action for breaches of “personal information” (as that term is defined in a separate California data breach notification law and which is more narrowly defined than the term “personal information” in the CCPA), neither the CPA nor the VCDPA includes a private right of action for any type of violation. The CPRA extends the CCPA private right of action to data breaches that compromise a username and password and creates a new enforcement body, the California Privacy Protection Agency. 

Each law and its implementing regulations, when adopted, must be reviewed in detail to assess application to a specific entity’s operations, but the chart below offers a high-level comparison of key features of each law.

THIS SUMMARY IS INTENDED TO PROVIDE GENERAL INFORMATION ABOUT APPLICABLE LAWS AND DOES NOT CONSTITUTE LEGAL ADVICE REGARDING SPECIFIC FACTS OR CIRCUMSTANCES.  

 

 

California Consumer Privacy Act (CCPA)

California Privacy Rights Act (CPRA)

Virginia Consumer Data Protection Act (VCDPA)

Colorado Privacy Act (CPA)

Effective Date

January 1, 2020 (12-month lookback period)

January 1, 2023 (12-month lookback period, but for personal information collected after 1/1/2022, consumers may request information beyond 12-month period)

January 1, 2023

July 1, 2023

Covered Entities

Businesses; requires contracts between Businesses and Service Providers

No change to CCPA 

Controllers and Processors;

requires contracts between Controllers and Processors and Processors must assist Controllers in performing their obligations 

Controllers and Processors; 

requires contracts between Controllers and Processors and Processors must assist Controllers in performing their obligations 

Threshold Requirements

Any legal entity organized or operated for the profit or financial benefit of its shareholders/owners that does business in CA and:

(1) Has annual gross revenues > $25 mil; 

(2) Annually buys, sells, or shares personal information of 50,000 or more consumers or households; or

(3) Derives 50% or more annual revenues from selling personal information

Same as CCPA, but increases threshold number of consumers and households to 100,000 and applies to any legal entity that derives 50% or more annual revenues from selling or sharing personal information

Person conducts business in VA or produces products or services targeted to VA residents and: 

 

(1) Processes personal data of 100,000 or more consumers during a calendar year; or

(2) Derives revenue or receives a discount on goods or services from the sale of personal data, and processes personal data of 25,000 or more consumers

Controller conducts business in CO or produces products or services targeted to CO residents and: 

 

(1) Processes personal data of 100,000 or more consumers during a calendar year; or

(2) Derives revenue or receives a discount on goods or services from the sale of personal data, and processes personal data of 25,000 or more consumers

Definition of Consumer

CA resident; most provisions pertaining to commercial contacts and employees deferred until 1/1/2023

No change to CCPA

VA resident, excluding commercial contacts and employees 

CO resident, excluding commercial contacts and employees 

Definition of Personal Information/Data

Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household

No change to CCPA

Information that is linked or reasonably linkable to an identified or identifiable individual

Information that is linked or reasonably linkable to an identified or identifiable individual

Personal Information/Data

Excludes De-Identified Data and Publicly Available Information 

No change to CCPA

Sensitive Information/Data

       
  • Ethnic/racial origin

No change to CCPA

  • Mental/physical health condition or diagnosis

No change to CCPA

  • Sexual orientation

No change to CCPA

  • Citizenship

No change to CCPA

  • Genetic/biometric information

No change to CCPA

  • Known child

X

Personal information pertaining to children is not defined as “sensitive,” but parental consent is required for the “sale” of personal information pertaining to children under 13, and teens under 16 must opt-in to a “sale” of their personal information

No change to CCPA

  • Geolocation

No change to CCPA

X

  • Email contents

No change to CCPA

X

X

  • Financial information

No change to CCPA

X

X

  • Social Security/other ID

No change to CCPA

X

X

  • Religious beliefs

No change to CCPA

Consent Required to Process Sensitive Personal Information/Data

X

Personal information pertaining to children is not defined as “sensitive,” but parental consent is required for the “sale” of personal information pertaining to children under 13, and teens under 16 must opt-in to a “sale” of their personal information

X

No, but right to limit use and disclosure of sensitive personal information

Consent required to process sensitive data, and consent from parent or guardian required to process sensitive data pertaining to a child

Consent required to process sensitive data, and consent from parent or guardian required to process sensitive data pertaining to a child

What Constitutes a Sale of Personal Information/Data 

Selling, renting, releasing, disclosing, disseminating, making available, transferring, or communicating personal information for monetary or other valuable consideration

Adds “sharing” to definition and clarifies that behavioral advertising constitutes a sale

Exchange of personal data for monetary consideration 

Exchange of personal data for monetary or other valuable consideration 

What Does Not Constitute a Sale

  • N/A

  • N/A

  • Disclosure of personal data to a processor 

  • Disclosure of personal data to a third party to provide a product or service requested by the consumer

  • Disclosure or transfer of personal data to an affiliate

  • Disclosure of personal data as part of a merger, acquisition, bankruptcy, or similar transaction

  • Disclosure of personal data at consumer’s direction or intentionally by consumer

  • Disclosure of personal data to a processor 

  • Disclosure of personal data to a third party to provide a product or service requested by the consumer

  • Disclosure or transfer of personal data to an affiliate

  • Disclosure of personal data as part of a merger, acquisition, bankruptcy, or similar transaction

  • Disclosure of personal data at consumer’s direction or intentionally by consumer

Privacy Notice Required

Notice required at point of collection

No change to CCPA

Consumer Rights Regarding Personal Information/Data Collected

       
  • Access

  • Right to know categories and specific pieces of personal information collected and categories of sources and parties with whom information is shared

  • Business must provide at least two methods for making requests, including toll-free number

No change to CCPA

  • Deletion

Business must provide at least two methods for making requests, including toll-free number

No change to CCPA

  • Correction

X

Business must provide at least two methods for making correction requests, including toll-free number

  • Opt-out/opt-in

Right to opt-out of sale of personal information

  • Opt-in consent for consumers under 16

  • Parental consent for consumers under 13

  • Provide at least two methods for requests

Websites must include link to “Do Not Sell My Personal Information” page 

Right to opt-out of sale or sharing of personal information

 

Websites must include "Limit the Use of My Sensitive Personal Information” link in addition to “Do Not Sell or Share My Personal Information” link

Right to opt-out of sale of personal data, targeted advertising, and profiling

Right to opt-out of sale of personal data, targeted advertising, and profiling

 

Contemplates a user-selected universal opt-out mechanism effective 7/1/2024

  • Data portability

Data should be provided in a format easily understandable to the average consumer, and to the extent technically feasible, in a structured, commonly used, machine-readable format

Timeframe for Responding

Access and Deletion Requests: Acknowledge within 10 business days; respond within 45 days

 

Opt-Out Requests: Respond within 15 business days

Adds 45 days to respond to correction requests 

45 days

45 days

Data Minimization

No change to CCPA

Non-Discrimination

No change to CCPA

Authorized Agent Can Invoke Rights on Behalf of Consumer

No change to CCPA

X

X

Parent Can Invoke Rights on Behalf of Child

No change to CCPA

Parental Consent for Collection of Personal Information/Data from Children Under 13

X

Parental consent is not required for the collection of personal information from children, but parental consent is required for the “sale” of personal information pertaining to children under 13, and teens under 16 must opt-in to a “sale” of their personal information

No change to CCPA

Written Contracts with Service Providers/Processors and Others Required

Requires contracts between Businesses and Service Providers

New defined term of “Contractor” and new requirements for contracts between Businesses and Contractors 

Requires contracts between Businesses and Processors

Requires contracts between Businesses and Processors

Recordkeeping

At least 24 months

X

X

Data Impact Assessments Required 

X

Implement and Maintain Reasonable Administrative, Technical, and Physical Data Security Practices 

No change to CCPA

Private Right of Action

Only in the event of a security breach that compromises “personal information” (as that term is defined in a separate California data breach notification law

Extends CCPA private right of action to breach of a username and password that permits access to an account

X

X

Enforcement

AG

Creates new California Privacy Protection Agency

AG

AG, District Attorneys

Opportunity to Cure

30 days

Eliminates CCPA right to cure effective 1/1/2023

30 days 

60 days (expires in January 2025)

Federal Legislation

While states forge ahead with privacy legislation, members of Congress continue to put forth their own federal privacy bills. Most recently, on November 3, 2021, Republican members of the House Energy and Commerce Committee issued a discussion draft of a national preemptive privacy bill, the Control Our Data Act.  This follows up on the introduction by Senator Roger Wicker (R-Miss.), ranking member of the Senate Committee on Commerce, Science, and Transportation, and several other Republican senators, of the Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act  (SAFE DATA Act or the Act). This bill shares certain features with the Colorado and Virginia privacy laws, including the absence of a private right of action for violations and an emphasis on business transparency. The Act requires covered businesses to obtain affirmative consent from consumers before processing or transferring sensitive personal data, minimize personal data collection, provide reasonable security to protect personal data, publish user-friendly privacy policies, and perform an annual data impact assessment. The Act provides consumers with several rights, including rights to access, delete, correct, and port their personal information, and a right to opt-out of the collection, processing, or transfer of covered data – broadly defined as “information that identifies or is linked or reasonably linkable to an individual or a device that is linked or reasonably linkable to an individual” before such collection, processing, or transfer occurs. The Act excludes aggregated data, employee data, de-identified data, and publicly available data. With respect to minors, the Act prohibits businesses from processing or transferring personal data of minors absent affirmative express parental consent where the business has actual knowledge that the consumer is between 13 and 16 years old. Violations would be enforced by State Attorneys General and the Federal Trade Commission (FTC).

Other privacy bills have been introduced in Congress this year and a few include a state preemption clause. They include: the BROWSER Act of 2021, introduced by Senator Marsha Blackburn (R-TN); the Consumer Data Privacy and Security Act of 2021, introduced by Senator Jerry Moran (R-KS); and the APP Act, submitted by Senator Marco Rubio (R-FL). In contrast, four bills introduced this year include a limited private right of action: the Public Health Emergency Privacy Act, introduced by Representative Anna Eshoo (D-CA) (an identical bill was introduced in the Senate by Senator Richard Blumenthal, D-CT); the Mind Your Own Business Act of 2021, submitted by Senator Ron Wyden (D-OR); and the Facial Recognition and Biometric Technology Moratorium Act of 2021, introduced by Senator Ed Markey (D-MA). 

Both businesses and consumers would benefit from a clear, comprehensive federal privacy law. Many businesses believe it is crucial that any new federal privacy law work with existing federal privacy laws, such as the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and the Children’s Online Privacy Protection Act, along with others. To establish the goal of a uniform national standard, most businesses agree that, like the aforementioned laws, new federal privacy legislation must explicitly preempt state and local laws. The business community also opposes creating a private right of action, favoring instead strong enforcement by a central federal agency, such as the FTC, with state Attorneys General also given enforcement authority. 

Data is the engine of a significant part of today’s economy, and the 2022 state and federal legislative landscape promises more attention on privacy and data security. Creating a common national U.S. legal standard to maintain consumer privacy and data security is critically important to promote consumer confidence and foster a competitive global economy. It is hoped that stakeholders will work together to forge federal legislation that establishes a fair and workable national privacy framework in the United States. 

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins