
The Business Lawyer

Winter 2021-2022 | Volume 77, Issue 1

State Privacy Law Developments

Garylene Javier



I. Introduction

The key developments in state privacy laws during the survey year occurred primarily in California and Virginia. The California Privacy Rights Act of 2020 (“CPRA”) expands consumer rights by amending the California Consumer Privacy Act (“CCPA”). The regulations issued by the California attorney general clarify how businesses are to comply with their CCPA obligations. Virginia’s Consumer Data Protection Act (“VCDPA”) establishes a framework for controlling and processing personal data, making Virginia the second jurisdiction to adopt a comprehensive privacy law. The key provisions of these two state laws are discussed in Part II, and Part III touches on litigation under the CCPA.

II. State Privacy Legislation

A. California

The two principal developments affecting California state privacy law are (i) the issuance of regulations and amended regulations implementing the CCPA and (ii) the adoption of the CPRA.

The California attorney general issued regulations in June 2020 providing guidance on how to implement CCPA’s requirements. The regulations address how businesses must provide notices to consumers, verify consumer identity and handle requests to exercise consumer privacy rights (i.e., right to know, right to access, right to delete, right to opt-out), ensure consumers can exercise their privacy rights without discrimination, and implement protections for consumers under sixteen years old. After the initial version of the regulations became effective in August 2020, amendments to the regulations became effective on March 15, 2021 and included provisions amending certain opt-out requirements, such as the manner of providing the opt-out notice if collecting information offline, the ability for businesses to use an opt-out icon in addition to, but not instead of, the requirement to post the notice of the right to opt out or a “Do Not Sell My Personal Information” link, and the requirement to allow consumers to opt out using a mechanism that has a minimal number of steps and forbidding the use of “a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s choice to opt-out.”

Although the regulations provide guidelines for implementing the CCPA’s requirements, they do not offer any templates or model language for businesses to use when drafting privacy notices and policies. There is currently no indication of whether such guidance is forthcoming.

In November 2020, after the initial version of the CCPA regulations was finalized in June 2020, California voters passed the CPRA, which is known colloquially as “CCPA 2.0” and modifies certain consumer rights that the CCPA granted:

  • Creates a new enforcement and oversight landscape. The CPRA establishes the new California Privacy Protection Agency, with authority to bring an administrative enforcement action against businesses that violate the CCPA. The agency may assess an administrative fine of $2,500 for each violation, or $7,500 for each intentional violation involving the personal information of minors under sixteen years old. The attorney general will retain enforcement authority over the CPRA. However, for administrative enforcement actions, the CPRA no longer provides a thirty-day right to cure an alleged violation.
  • Amends the definition of “business.” The CPRA amends the definition of “business” under the CCPA and defines a “business” as an entity that either (i) has annual gross revenues in excess of $25 million in the preceding calendar year, (ii) buys, sells, or shares the personal information of 100,000 or more consumers or households (which increases the threshold of consumers from 50,000 to 100,000 and drops the reference to devices that was in the CCPA), or (iii) derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information. The CPRA also provides that a business includes any entity that controls or is controlled by a business, that shares common branding with the business, and with whom the business shares consumers’ personal information. A joint venture or partnership where each business has at least a 40 percent interest is now considered a “business” under the CPRA.
  • Creates and expands consumer rights. The CPRA grants consumers the new right to request that a business correct inaccurate personal information. It also allows consumers to opt out of a business’ sharing of personal information, an expansion of the original CCPA’s right to opt out of selling. However, the definition of “sharing” of personal information is limited to sharing, disclosing, or otherwise communicating a consumer's personal information to a third party for “cross-context behavioral advertising,” regardless of whether any money changes hands.
  • Expands protection from discrimination. The CCPA prohibits businesses from discriminating against a consumer who exercises his or her rights. The CPRA expands this right (i.e., prohibiting retaliation) to employees who exercise their privacy rights.
  • Adds a new category of personal information. The CPRA adds “sensitive personal information” as a new category of personal information protected by the law. “Sensitive personal information” includes log-in or account information, along with any required security or access code, password, or credentials allowing access to the account. Additional categories of personal information include certain identifiers (e.g., social security number), geolocation, race, non-business-related communications (e.g., email, mail, text), genetic data, and biometric information. Businesses collecting sensitive personal information must disclose the purpose of its collection, the categories of information collected, and whether it is sold or shared. Under the CPRA, consumers now have the right to restrict the use of sensitive personal information to only what is necessary to perform services or provide goods requested by the consumer. A business that collects sensitive information must provide a link on its homepage restricting its use or disclosure. For financial institutions, the Gramm-Leach-Bliley Act (“GLBA”) and the Fair Credit Reporting Act may exempt much of this category of information.
  • Amends the data breach private right of action. The CPRA amends the personal information subject to the data breach private right of action to align with the definition of “personal information” under California’s data breach law—i.e., including in the definition of personal information an e-mail address in combination with a password or security question and answer that would permit access to an account. Consumers must provide a business thirty days’ written notice of the alleged violation. If within thirty days the business cures the issue and provides the consumer a written statement that it addressed the violations and such violations will not reoccur, no action may be initiated.
  • Extends certain exemptions. The CPRA extends the exemptions for business-to-business communications and personal information of a business’ employees until January 1, 2023. The CPRA also now exempts personal information collected under the federal Farm Credit Act. Originally, only personal information gathered under the GLBA and the California Financial Information Privacy Act were exempt.
  • Introduces prohibition of dark patterns. The CPRA introduces the concept of “dark pattern,” which it defines as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decisionmaking, or choice.” The statute adds a definition of “consent” which provides that “use of dark patterns does not constitute consent.”

B. Virginia

The Virginia Consumer Data Protection Act (“VCDPA”) was approved on March 2, 2021, and is effective on January 1, 2023, making Virginia the second jurisdiction in the United States to pass a comprehensive privacy law. The VCDPA applies to a person that conducts business in Virginia or produces products or services targeted to its residents and (i) either controls or processes personal data of 100,000 consumers in a calendar year, or (ii) controls or processes personal data of at least 25,000 consumers and over 50 percent of its gross revenue comes from the sale of personal information.

Certain organizations and data are exempt from the VCDPA. These include, among other things, Virginia government entities, financial institutions and data subjected to the GLBA, data regulated by the Fair Credit Reporting Act, and entities governed by privacy, security, and breach notification rules of the Health Insurance Portability and Accountability Act or the Health Information Technology for Economic and Clinical Health Act.

The Virginia law provides consumers many of the same rights as its West Coast counterpart, the CPRA, such as the rights to know and access personal information, correct inaccurate personal information, delete personal data, transfer data to another controller, and opt out of the processing of data for targeted advertising or sale of personal data. One deviation from the CPRA, however, is in the VCDPA’s definition of “consumer,” which expressly excludes a “natural person acting in a commercial or employment context.” In contrast, such persons are within the definition of “consumer” under the CPRA, which defines “consumer” simply as “a natural person who is a California resident,” and the exemptions that may apply to such persons under the CCPA sunset on January 1, 2023. In another departure from the CCPA and CPRA, the VCDPA does not have a private right of action for violations under the law.

The VCDPA also implements data protection and processing requirements similar to those of the European Union’s General Data Protection Regulation. The VCDPA requires a data processing agreement between a controller and processor to govern the data processing procedures. Data controllers also must conduct data protection assessments when processing sensitive data, processing personal data for targeted advertising or profiling, selling personal data, and processing activities involving personal data that presents a heightened risk of harm to consumers. The law is silent, however, as to the frequency of the data processing assessments.

After the close of the survey year, Colorado joined California and Virginia as the third jurisdiction to adopt a privacy law.

III. CCPA Litigation and Enforcement

A. CCPA Litigation

The CCPA provides a limited private right of action to consumers who experience a data breach as a result of a business’ failure “to implement and maintain reasonable security procedures and practices.” Moreover, the CCPA explicitly provides that the CCPA shall not “serve as the basis for a private right of action under any other law.” Notwithstanding, plaintiffs filed numerous CCPA cases in federal courts testing the boundaries of the CCPA private right of action by diversifying their claims:

  • Scope of data breach CCPA claims. Some plaintiffs have filed civil actions under Section 1798.150 because of unauthorized access and theft of personal information. Defendants filed motions to dismiss in response to CCPA claims and were successful in some instances. For example, in Rahman v. Marriott International, Inc. the court opined that plaintiffs did not sufficiently plead that “more sensitive data—such as credit card information, passports, or social security numbers—has fallen into the wrong hands.” Without a breach of this type of sensitive information, the court found plaintiffs did not suffer an injury to meet standing requirements, and granted defendant’s motion to dismiss.
  • CCPA violations did not give rise to a private right of action. In at least one case, McCoy v. Alphabet, Inc., the plaintiffs claimed CCPA violations for failure to disclose sharing of information and purpose of collection, but the court dismissed the CCPA claim because it found that there was no allegation of a security breach.
  • CCPA violation as a predicate for unfair competition law cause of action. The California unfair competition law (“UCL”) applies to activities that are “unlawful, unfair or fraudulent business act[s] or practice[s]” and “unfair, deceptive, untrue or misleading advertising” and provides consumers with a private right of action. Plaintiffs have raised UCL claims by alleging that non-data breach violations of the CCPA are “unlawful, unfair, and/or fraudulent.” However, to date, there has not been a case where courts have been persuaded by this argument.

B. Enforcement

CCPA enforcement began on July 1, 2020. Businesses have a thirty-day right to cure the violation before the California attorney general may proceed with an enforcement action. Since July 1, 2020, numerous notices of alleged noncompliance were issued across various industries, including online marketing and advertising services, social media networks, grocery retail, online dating, automotive, online gaming, and education technology. Consumer complaints, social media, and business websites were elements the attorney general considered when evaluating businesses for CCPA non-compliance.

While the central issues varied in scope, enforcement notices sent to businesses about privacy policies, opting out of the sale of personal information, and notice to consumers appeared most frequently. The attorney general paid particular attention to CCPA privacy policies and whether a business was in compliance with providing a consumer the means to opt out of the sale of personal information given the explicit inclusion of the opt-out provisions in the CCPA. In particular, the attorney general examined non-compliant service provider contracts, untimely responses to requests, non-compliant privacy policies, lack of request methods, failing to provide a Do Not Sell link on the business webpage, and failing to provide notice of financial incentive to consumers in loyalty programs.

The takeaway from the attorney general’s curative efforts is that paying close attention to consumer-facing requirements may reduce a business’ exposure to enforcement actions.