Connecticut becomes the fifth state to pass a comprehensive privacy law. Are you prepared for state privacy law compliance required in 2023?

Despite a shifting privacy landscape and passage of the EU’s General Data Protection Regulation (GDPR) in 2016, the United States has lagged in adopting a comprehensive Federal privacy law. Nevertheless, over the past few years, particular states have prioritized consumer privacy to address growing concern regarding the unfettered and largely unregulated collection, use and disclosure of consumer personal information.¹ Following the watershed moment created through passage of the California Consumer Privacy Act (CCPA) of 2018, an increasing number of states have followed suit to pass comprehensive privacy laws. Yet, the question remains regarding how many states must pass similar laws before the Federal government takes on the charge of passing a comprehensive privacy law.

Most recently, Connecticut joins this trailblazing group with a nearly unanimous vote supporting the Connecticut Data Privacy Act (CTDPA). This law follows on the heels of Utah passing the Utah Consumer Privacy Act (UCPA), Colorado passing the Colorado Privacy Act (CPA) and Virginia passing the Virginia Consumer Data Protection Act (VCDPA). Further, the CCPA will soon be functionally replaced by the California Privacy Rights Act (CPRA). While these laws share numerous similarities, they diverge in some significant ways that will make compliance a challenge for businesses. As such, businesses are encouraged to learn more about the nuances of these laws to be better prepared for the fast-approaching compliance deadlines.

Compliance Deadlines: Get Your House in Order

States as Laboratories of Democracy: Reimagining the Privacy Patchwork

While state privacy policies often deviate based on differences in resident sensitivities, these new state laws share some salient similarities. For example, each governs businesses that conduct business in a respective state, or otherwise target consumers in such states and process and/or profit from the sale of personal data based on certain volume and dollar thresholds. Each law imposes notice and data protection obligations on businesses subject to each respective law. Each law provides certain rights to consumers to exercise rights over their personal data and enforce those rights. Each law empowers the respective state Attorney General to enforce the law.

For example, the CPA, CPRA, CTDPA, and VCDPA, much like the GDPR, impose stringent requirements on individuals and businesses that determine the purpose and means of processing personal data (referred to as “controllers”). Controllers are also required to enter into a written agreement with any third party that processes personal data at the direction of the controller (referred to as “processors”). Prior to engaging in certain activities such as targeted advertising or sale of personal data, these laws require that controllers conduct and document a data protection assessment.

Like the CCPA and GDPR, the laws in Colorado, Connecticut, Virginia, and Utah afford residents of each state certain rights with respect to their personal data.  In particular, these new laws provide residents with the right to access, correct (with the exception of Utah) and delete their data, and to obtain a copy of their data in a portable and readily usable format. Businesses will need to ensure that residents of these states are made aware of these rights by adding supplemental terms to their website privacy policies, which should also address the business’ obligations under each law. Further, these laws afford consumers additional rights to control processing of their “sensitive personal data”.

Yet, these laws differ in several significant ways as well. As such, despite a business’ compliance efforts to date around the CCPA and GDPR, such efforts do not guarantee an organization will automatically comply with the new state laws coming online in 2023. First and foremost, the CPRA will significantly increase consumer rights beyond the CCPA. The CPRA includes creation of a California Privacy Protection Agency, extends rights provided by the CCPA, and creates additional consumer rights such as the right to correct inaccuracies in personal information and the right to limit how sensitive personal data is processed. Yet, unlike the CPRA (as well as the UCPA), the new state Virginia, Colorado, and Connecticut laws require consumer consent (i.e., an affirmative opt-in) before a business may process sensitive personal data.

From an enforcement perspective, there are also significant deviations. For example, CPRA affords a private right of action while the laws in Virginia, Utah, Colorado, and Connecticut do not. Further, the authorities afforded to Attorneys General across these states vary in terms of the ability to issue regulations. While the CPA, CCPA, and CPRA empower the California Attorney General to issue regulations, neither Virginia, Utah, nor Connecticut grant such rulemaking authority to their respective Attorneys General. These deviations, especially those related to consumer rights, may create conflicts and provide an impetus for resolution at the Federal level.

Further complicating matters, businesses operating nationwide or in multiple states will need to comply with the most stringent requirements among this growing patchwork of comprehensive state privacy laws.

State of the Union: Will Congress Pass Comprehensive Privacy Legislation?

It appears that the privacy tidal wave starting on the west coast has made its way eastward and continues to pave the way for other similarly-minded states to pass comprehensive privacy laws. Will this tidal wave spur Federal action to harmonize disparities amongst these laws?

While Federal action has been encouraged from both private and public actors in the hopes of bettering compliance frameworks, the country has looked toward Capitol Hill to act and pass a Federal privacy law. It is unlikely that a comprehensive Federal law will come soon, as evidenced by such privacy legislation fizzling at various stages within Congress. Yet, even in these early days of state action on privacy . . . the writing on the wall appears to be coming into focus.

FOOTNOTE

[1] See also The Washington Post Editorial Board, Lack of a federal privacy law opens the door to dystopia, The Washington Post (May 5, 2022),  https://www.washingtonpost.com/opinions/2022/05/05/clearview-ai-dystopia-congress-must-pass-federal-privacy-law/.