The Business Lawyer

Spring 2023 | Volume 78, Issue 2

Privacy Laws Continue Their Spread Across the Country

Sanford P Shatz and Paul J Lysobey

Summary

  • Since the beginning of 2022, the privacy landscape in the United States has continued to change and develop.
  • Utah and Connecticut have enacted comprehensive consumer privacy legislation, and California is currently working to finalize regulations in anticipation of the transition from the California Consumer Privacy Act (“CCPA”) to the California Privacy Rights Act (“CPRA”) in January 2023.
  • Virginia and Colorado are also preparing for their privacy laws previously enacted in 2021 to become effective within the next year.
  • In addition, privacy legislation was also introduced at the federal level.
Introduction

Since the beginning of 2022, the privacy landscape in the United States has continued to change and develop. Utah and Connecticut have enacted comprehensive consumer privacy legislation, and California is currently working to finalize regulations in anticipation of the transition from the California Consumer Privacy Act (“CCPA”) to the California Privacy Rights Act (“CPRA”) in January 2023. Virginia and Colorado are also preparing for their privacy laws previously enacted in 2021 to become effective within the next year. In addition, privacy legislation was also introduced at the federal level. This survey provides an overview of the requirements of these privacy developments during the past year.

New State Privacy Laws—Utah and Connecticut

Following the enactment of comprehensive data privacy legislation in Virginia and Colorado in 2021, Utah and Connecticut passed their own consumer data privacy laws in 2022. The Utah Consumer Privacy Act (“Utah CPA”) was enacted in March 2022 and becomes effective on December 31, 2023. The Connecticut data privacy law (“Connecticut PDPA”) was enacted in May 2022 and becomes effective on July 1, 2023.

Applicability

The Utah CPA and the Connecticut PDPA, like the privacy laws in Virginia and Colorado, apply to “controllers” and “processors” of personal data, provided that the entity in question meets certain triggering requirements. Controllers under these laws are persons who determine “the purposes for which and the means by which personal data are processed” and a processor is a person who processes data on behalf of a controller. Processing data includes the “collection, use, storage, disclosure, analysis, deletion, or modification of personal data.”

The triggering conditions for the laws to apply differ slightly under the Utah CPA and the Connecticut PDPA. The Utah law applies to the following entities:

any controller or processor who:

(a)(i) conducts business in [Utah]; or (ii) produces a product or service that is targeted to consumers who are residents of [Utah];

(b) has an annual revenue of $25,000,000 or more; and

(c) satisfies one or more of the following thresholds: (i) during the calendar year, controls or processes personal data of 100,000 or more consumers; or (ii) derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.

In contrast, the Connecticut PDPA applies:

to individuals and entities that conduct business in [Connecticut] and produce products or services that are targeted to residents of Connecticut and during the preceding calendar year:

(1) Controlled or processed the personal data of not less than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or

(2) Controlled or processed the personal data of not less than 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.

One notable difference under these laws is that Utah has a minimum revenue threshold of $25,000,000 for the law to apply, but the Connecticut law has no revenue threshold at all. This could potentially lead to more entities being subject to the Connecticut law, particularly smaller businesses that may not meet the revenue threshold for the Utah CPA to apply.

The substantive provisions of both of these laws apply generally with respect to interactions with consumers. The Utah CPA defines a consumer to mean “an individual who is a resident of [Utah] acting in an individual or household context,” but “does not include an individual acting in an employment or commercial context.” The Connecticut PDPA uses a similar definition for consumer, but expands the exclusions beyond simply the commercial or employment context to also exclude “an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit or government agency.”

Exemptions

Both the Utah CPA and the Connecticut PDPA include a comprehensive list of persons and types of data that are not subject to the respective law. Notably, both laws provide an exemption for financial institutions governed by or data subject to the Gramm-Leach-Bliley Act (“GLBA”). Among many others listed in these statutes, notable exemptions under the laws include: (a) governmental entities; (b) nonprofit corporations or institutions of higher education; (c) protected health information under the Health Insurance Portability and Accountability Act; (d) certain types of data subject to regulation under the Fair Credit Reporting Act (“FCRA”); and (e) data processed or maintained in the context of employment for purposes such as maintaining emergency contact information or administering benefits.

Consumer Personal Data Rights

The consumer privacy laws in Utah and Connecticut also establish consumer privacy rights that are similar to the rights established by the consumer privacy laws previously enacted in California, Virginia, and Colorado.

The Utah CPA creates the following consumer privacy rights for Utah residents: (1) a right to confirm and access the data a controller is processing about the consumer; (2) a right to delete the data provided by the consumer; (3) a right for consumers to obtain a copy of their data in a portable format; and (4) a “right to opt out of the processing of the consumer’s personal data for purposes of: (a) targeted advertising; or (b) the sale of personal data.”

Similarly, the Connecticut PDPA creates the following consumer privacy rights for Connecticut consumers: (1) a right to confirm and access the data a controller is processing about the consumer; (2) a right to correct inaccuracies in the consumer’s personal data; (3) a right to delete data provided by the consumer, or any data the processor obtained about the consumer; (4) a right for consumers to obtain a copy of their data in a portable format; and (5) a right to opt out of the processing of the personal data for purposes of: “(i) targeted advertising; (ii) the sale of personal data, except as provided [under the PDPA]; or (iii) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.”

The consumer rights established in Utah and Connecticut are very similar in many ways, such as the right to confirm, the right to obtain a copy of personal data, and the right to opt out for certain specified purposes. However, note that the Utah CPA provides a narrower set of rights by not including the right to correct inaccuracies. In addition, the right to delete in Utah only includes data that the consumer has provided to the controller, rather than any data “provided by” or “obtained about” the consumer under the Connecticut law. Therefore, there are some notable distinctions with respect to consumer rights between these two laws.

Exercising Consumer Rights and Responding to Requests

A consumer may exercise a right by submitting a request to a controller through the means specified by the controller, and the request must specify the right the consumer intends to exercise.

The processes for responding to a consumer request are very similar under the laws of Utah and Connecticut. As a general rule, the controller must take action on a request and inform the consumer of the action taken within forty-five days after receiving a request to exercise a right. The controller may extend the initial forty-five-day period by an additional forty-five days if reasonably necessary due to the complexity or volume of requests. If the controller has grounds to extend the initial forty-five-day period, the controller must inform the consumer of the length of the extension and the reasons for the extension before the initial forty-five-day period expires. The forty-five-day period does not apply if the controller reasonably suspects the request to be fraudulent and the controller is not able to authenticate the request. If a controller declines to take action in response to a request, the controller must, within forty-five days of receiving the request, inform the consumer of the reasons for not taking action.

However, one significant difference between the Utah CPA and the Connecticut PDPA is that the Connecticut PDPA requires the controller to establish an appeal process if the controller declines to take the action requested by the consumer, while the Utah law does not provide for an appeal process. If the controller declines to take action under the Connecticut PDPA, in addition to informing the consumer of the reasons for not taking action, the controller must inform the consumer in writing of how to appeal the decision. Within sixty days after receipt of an appeal, the controller must inform the consumer in writing of any action taken or not taken in response to the appeal, and must include an explanation of the reasons for its decision. If an appeal is denied, the controller also must provide the consumer with an online mechanism or other available method to contact the Connecticut Attorney General to submit a complaint.

In addition, under both the Utah and Connecticut laws, a controller may not charge a fee for information in response to a request, unless the request is the consumer’s second or subsequent request during the same twelve-month period. However, a controller may charge a reasonable fee to cover the administrative costs of complying with, or refusing to act on, a request under limited specified circumstances. The controller bears the burden of demonstrating that charging the fee is permitted.

Duties of Controllers

Both the Utah and Connecticut laws provide similar duties for controllers. Among other listed duties, controller duties under both laws include: (1) providing consumers with a privacy notice that includes certain required content specified by statute; (2) disclosing required information when a controller engages in targeted advertising; (3) establishing security practices designed to protect personal data and reduce the risk of harm to consumers; (4) obtaining consent when processing “sensitive data” from a consumer; and (5) prohibiting discrimination against consumers for exercising their rights, provided that a controller may offer a different price, rate, level, quality, or selection if certain conditions are satisfied. The Connecticut PDPA includes additional duties for controllers, including the duty to limit data collection to what is “adequate, relevant and reasonably necessary” for the purposes as disclosed to the customer and the duty to provide an “effective mechanism” for consumers to revoke consent.

Enforcement Authority

Under the Utah CPA and the Connecticut PDPA, the attorney general in the respective states has exclusive authority to enforce these laws and neither law contains a private right of action. The Utah CPA provides that the attorney general must provide the controller or processor a written notice identifying each provision of the CPA allegedly violated and an explanation of the basis for each allegation at least thirty days before the attorney general initiates an enforcement action against a controller or processor, and must allow an opportunity to cure the violation in that timeframe. In contrast, the Connecticut PDPA provides for a sixty-day cure period and the attorney general may not initiate an action if the controller or processor cures the violation within sixty days. The Utah CPA also provides that the attorney general may recover actual damages to the consumer in an amount not to exceed $7,500 for each violation.

Update on Currently Enacted Laws

On July 8, 2022, the California Privacy Protection Agency proposed new rules to implement the CPRA and update the regulations issued under the CCPA, enacted in 2020 and 2018, respectively. As explained in the rulemaking announcement, the proposed regulations:

(1) update existing CCPA regulations to harmonize them with CPRA amendments to the CCPA; (2) operationalize new rights and concepts introduced by the CPRA to provide clarity and specificity to implement the law; and (3) reorganize and consolidate requirements set forth in the law to make the regulations easier to follow and understand.

The proposed regulations restrict the collection, use, retention, and/or sharing of personal information to that which is reasonably necessary and proportionate to achieve the purpose(s) for which the personal information was collected or processed, and provide illustrative examples. The proposed regulations describe the requirements for disclosures and communications to consumers, methods for submitting requests and obtaining consumer consent, and revise the requirements for the privacy policy to provide greater clarity and understanding. The comment period closed on August 23, 2022, and amended rules are expected to follow.

Aside from the proposed regulations, the California Attorney General (“AG”) announced the settlement of its first enforcement action under the CCPA on August 24, 2022. The AG claimed that Sephora failed to process user requests to opt out of sale via user-enabled global privacy controls in violation of the CCPA. The AG explained that consumers are constantly tracked when they go online. Many retailers allow third-party companies to install tracking software on their website or app, which monitors consumers as they shop. The third parties then create profiles that track the brand of product a consumer views, which products are put in the “shopping cart” and the consumers’ precise location. This helps businesses better target consumers. The AG stated that the arrangement constitutes the sale of consumer information under the CCPA, and triggers certain rights and obligations—“such as telling consumers that [businesses] are selling their information, and allowing consumers to opt-out of the sale of their information.” Because Sephora did neither, it agreed to pay $1.2 million in penalties, clarify its online disclosures and privacy policy, provide an opt-out mechanism including Global Privacy Control, conform the service provider agreement to the CCPA’s requirements, and provide further reports to the AG.

The AG also announced that it continues to send notices to businesses regarding non-compliance with the CCPA and reminds businesses to comply with consumer opt-out requests, including those submitted through Global Privacy Control. The AG also highlighted an enforcement sweep targeting businesses that operate loyalty programs offering financial incentives in exchange for personal information and businesses whose online advertising carried deficient privacy disclosures, and called out a “Do Not Sell My Personal Information” link that was not fully operational.

As discussed in the previous Annual Survey, Virginia and Colorado were the first states to follow California in enacting comprehensive consumer data privacy laws, with the Virginia Consumer Data Protection Act (“Virginia CDPA”) and the Colorado Privacy Act. The Virginia CDPA becomes effective on January 1, 2023, and the Colorado Privacy Act becomes effective on July 1, 2023. Note that in Colorado, the attorney general plans to implement regulations for the Colorado Privacy Act before the law becomes effective. The Virginia attorney general has not given a timeline for the implementation of regulations under the Virginia CDPA. Therefore, entities subject to these laws should begin to implement compliance programs in anticipation of these laws becoming effective.

Potential Federal Privacy Law

On June 21, 2022, the American Data Privacy and Protection Act (“ADPPA”), a comprehensive federal privacy law, was introduced in the House. The Act covers entities or persons that are subject to the jurisdiction of the Federal Trade Commission (“FTC”), are common carriers subject to the Communications Act of 1934, are non-profit organizations, or are other entities that control or are controlled by, or are under common control with, another covered entity. While financial institutions are generally not subject to FTC jurisdiction, they may be subject to the ADPPA if they control or are controlled by a covered entity.

The ADPPA defines covered data to mean “information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to an individual.” ADPPA excludes data that is de-identified, employee data, or publicly available information. The ADPPA includes a category of “sensitive covered data,” which includes “government-issued identifiers, such as a social security number, passport number, and driver’s license numbers,” health information, financial account information, “biometric” and “genetic” information, “precise geolocation information,” private electronic communications (e.g., voicemails, e-mails, texts), “account log-in credentials,” “information identifying sexual orientation or behavior,” and other enumerated categories of private information.

The ADPPA requires data minimization—a “covered entity shall not collect, process, or transfer covered data unless the collection, processing, or transfer is limited to what is reasonably necessary and proportionate to” (1) providing or maintaining a product or service; (2) delivering a communication in the context of the individual’s interaction with the covered entity; or (3) carrying out the business relationship, or complying with legal requirements.

The ADPPA requires covered entities to develop privacy policies regarding the collection, processing, and transfer of covered data to comply with federal law, mitigate risks to individuals under age seventeen, mitigate privacy risks, and implement training and safeguards. The policies and practices must be “transparent.” Covered entities must make publicly available, in a clear, conspicuous, not misleading, and readily accessible manner, their privacy policies that provide a detailed and accurate representation of the entity’s data collection, processing, and transfer activities, in the language in which the entity provides its product or service, or carries out its activities.

Covered entities must provide individuals with the right to access covered data, correct verifiable material inaccuracies, delete covered data, and transfer that data at the individual’s request. Individuals also have the right to opt out of the transfer of their covered data.

The FTC is tasked with creating a new Bureau of Privacy to enforce the ADPPA and to create a Victims Relief Fund. State attorneys general may also enforce the ADPPA. Individuals may enforce the ADPPA via a private right of action four years after the ADPPA takes effect, and individuals may seek actual damages, injunctive relief, and attorneys’ fees and costs.

The ADPPA provides that a covered entity that is required to comply with Title V of the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and other acts, and is in compliance with those acts, shall be deemed to be in compliance with the related requirements of the ADPPA. The ADPPA generally preempts state laws, except for consumer protection laws of general applicability, laws that address data breach notification requirements, laws that address banking or other financial records, and other non-finance-related laws.