Summary
- This survey covers significant developments in state and local privacy laws in 2022, including three comprehensive state privacy laws set to come into effect in 2023.
This survey covers significant developments in state and local privacy laws over the past year. First, it provides an overview of three comprehensive state privacy laws set to come into effect in 2023 (Part II). Second, it outlines recent amendments to the two preexisting comprehensive state privacy laws (Part III). Third, as more states and municipalities look to establish privacy laws, this survey outlines the Uniform Personal Data Protection Act, which threatens conflicting compliance burdens if incorporated into state or local law (Part IV). Finally, the survey covers recent developments in the litigation of claims under the Illinois Biometric Information Privacy Act (Part V.A) and New York City’s two new laws governing biometric data (Part V.B).
In 2022, three comprehensive state privacy bills were signed into law. The Colorado Consumer Protection Act (“CPA”) and the Connecticut Data Privacy Act (“CTDPA”) take effect on July 1, 2023. The Utah Consumer Privacy Act (“UCPA”) takes effect on December 31, 2023. This section covers key aspects of the three laws, highlighting commonalities and differences.
The CPA, CTDPA, and UCPA apply to entities that conduct business in-state or that produce one or more products or services targeted to consumers who are residents of the respective states. From this broad starting point, exemptions and limitations narrow the scope of coverage of each act. Notably, all three acts place a burden on controllers to demonstrate compliance.
First, to fall within the scope of each act, entities must satisfy one of two threshold requirements. The first is common to all three acts, making them applicable to entities that control or process personal data from 100,000 consumers or more. For the second threshold, the CPA applies to entities that derive any revenue or receive a discount on the price of goods and services from the sale of personal data; the CTDPA applies to entities that control or process personal data from at least 25,000 consumers and derive at least 25 percent of their gross revenue from the sale of personal data; and the UCPA applies to entities that control or process personal data from at least 25,000 consumers and derive at least 50 percent of their gross revenue from the sale of personal data. The UCPA contains an additional limitation not present in the other two statutes, applying only to entities with an annual gross revenue of $25 million or more.
Second, each act exempts specified entities. For example, all acts exempt “covered entities” or “business associates,” as defined under the Social Security Act, entities subject to Title V of the Gramm-Leach-Bliley Act, and various credit reporting entities, among others. Each act exempts institutions of higher education and various governmental entities—with varying definitions from act to act. The CTDPA and UCPA exempt nonprofit organizations. The CPA and CTDPA further exclude national securities associations registered under the Securities Exchange Act of 1934. The UCPA does not apply to tribes.
Third, key terms narrow the scope of each act. For example, the “sale” of personal data is defined in detail under each act. Under the UCPA, “sale” is defined as “the exchange of personal data for monetary consideration by a controller to a third party.” Under the CTDPA and CPA, “sale” includes an exchange of personal data for monetary “or other valuable consideration.” Each act also excludes specified transactions from the definition of “sale.” For example, all acts exclude a controller's disclosure of personal data to a processor who processes personal data on its behalf; a controller’s disclosure to affiliates (as defined by each act); disclosure of information that a consumer intentionally makes available to the general public via a channel of mass media; disclosure of personal data to a third party for the purpose of providing a product or service requested by the consumer; disclosure directed by a consumer; and disclosure that is part of a transaction in which a third party assumes control of assets. Additional limitations on the definition of “sale” vary from act to act. The UCPA provides the broadest exclusion, excluding from the definition of “sale” disclosure to a third party for purposes “consistent with a consumer's reasonable expectations.”
Fourth, data-level exemptions narrow the scope of each act. For example, de-identified data and publicly available information are exempt from coverage under each act. The UCPA additionally exempts aggregated data. All three acts incentivize pseudonymizing data by exempting from coverage personal data that is pseudonymized as directed by each act. Further, each act exempts the use of personal data for several business and product development purposes, including for conducting internal research to develop, improve, or repair a product, service, or technology, to identify and repair technical errors that impair existing or intended functionality, or to effectuate product recall. All acts exempt personal data collected and maintained under numerous federal laws, with some variation from act to act. All three statutes include numerous public health exemptions. The CPA and the CTDPA further exempt, more broadly, personal data used in the public interest for public health purposes.
The CPA, CTDPA, and UCPA grant rights to “consumers” with respect to their personal data, defining a “consumer” as a state resident acting in an individual or household context only, and not in a commercial or employment context. Across all three acts, “consumers” have the right to confirm whether a controller is processing their personal information, to access their personal data, to obtain a portable copy of their data, and to delete their personal data. The CTDPA and CPA additionally grant consumers a qualified right to correct their personal data.
Each act recognizes a consumer’s right to limit use and disclosure of sensitive data. Across all acts, sensitive data includes information pertaining to a consumer’s racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, citizenship or citizenship status, and uniquely identifying genetic or biometric characteristics. Under the CPA and CTDPA, sensitive data additionally includes personal data collected from a known child. The CTDPA and UCPA additionally protect data concerning immigration status and precise geolocation data. The CPA and CTDPA protect data concerning sex life. The UCPA protects medical history and treatment. Under the CPA and CTDPA, a controller may not process sensitive data collected about a consumer without first obtaining consent and must conduct and document data protection assessments before processing any sensitive data. Under the UCPA, consumers must have clear notice and an opportunity to opt out of processing sensitive data.
Each act requires that controllers clearly and conspicuously disclose to consumers how they can exercise rights to opt out from data processing. Under the UCPA, consumers have a right to opt out from processing of personal data for purposes of targeted advertising or the sale of personal data. Under the CTDPA and CPA, consumers may additionally opt out from profiling in furtherance of decisions (“automated decisions” under the CTDPA) that produce legal or similarly significant effects on them. Further, the CPA and CTDPA establish a right of consumers to authorize other persons acting on their behalf to opt out of processing personal data, including by way of technologies such as web links, browser settings, browser extensions, or global device settings. From July 1, 2024, the CPA will mandate the use of a “user-selected universal opt-out mechanism,” which covered entities may implement sooner.
All three acts establish responsibilities with respect to transparency, purpose specification, data minimization, and secondary use of personal data. Transparency obligations are similar across all three acts, requiring that privacy notices contain the categories of personal data collected or processed; the purposes for such collection and processing; the categories of personal data shared with third parties as well as the categories of any such third parties; and information about how consumers may exercise their rights. The CPA and CTDPA additionally require that privacy notices contain contact information for controllers, with the CTDPA requiring “an active electronic mail address or other online mechanism” for the consumer to contact the controller. Finally, while the CPA and the CTDPA require disclosure in privacy notices of any sale of personal data or processing of personal data for targeted advertising, the UCPA requires only disclosure of how consumers may opt out of such activities. All three acts require purpose specification, with the CPA using the strongest language in this regard. The CPA and CTDPA require data minimization. Finally, the CPA and the CTDPA expressly require consumer consent for any secondary use of personal data, i.e., use for purposes that are not reasonably necessary to or compatible with those disclosed to consumers.
All three acts establish security obligations for controllers. The CPA requires controllers to take reasonable measures to secure personal data during both storage and use from unauthorized acquisition, using practices that are appropriate to the volume, scope, and nature of the personal data processed and the nature of the business. The CTDPA and the UCPA, sharing almost identical language, require a controller to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality and integrity of personal data, as appropriate to the volume and nature of the personal data at issue. The CTDPA additionally requires controllers to protect accessibility of the personal data. The UCPA additionally requires that controllers reduce reasonably foreseeable risks of harm to consumers relating to the processing of personal data and that data security practices consider the controller's business size, scope, and type.
Each act requires processors to adhere to a controller's instructions and assist controllers in meeting their obligations. More stringently, all acts require the relationship between controllers and processors to be governed by mutually binding contracts that contain, among other mandatory recitals, instructions for processing personal data; the nature, purpose, and duration of the processing; and each party’s rights and obligations. Further, contracts must subject each individual processing personal data to a duty of confidentiality and require that processors engage subcontractors pursuant to a written contract that establishes, for subcontractors, the same obligations as the processor. Under the CPA and the CTDPA, contracts must require that processors engage subcontractors only after providing controllers with an opportunity to object.
Each act gives controllers forty-five days to respond to a consumer’s exercise of rights. If a controller declines a request, it must communicate, within this same period, the reasons for its refusal, with the CPA and CTDPA requiring communication of instructions for appealing the decision. Relatedly, the CPA and the CTDPA require covered entities to establish an internal process for appealing a controller’s refusals to take action on a request. All acts require that information provided in response to consumer requests be provided free of charge once per consumer during a twelve-month period.
Under the CPA and CTDPA, a controller must conduct and document a data protection assessment for each of its processing activities that presents a heightened risk of harm to a consumer. Under both acts, such processing includes processing for targeted advertising or sale, certain kinds of profiling, and the processing of sensitive data. The requirement for data protection assessments comes into effect on July 1, 2023, under both laws. Data assessments are confidential and exempt from public inspection and copying under Connecticut’s Freedom of Information Act (under the CTDPA) and the Colorado Open Records Act (under the CPA).
Finally, enforcement powers and mechanisms vary from act to act. While no act creates any private right of action, all acts grant their respective state attorneys general enforcement authority. The CPA grants authority to both the attorney general and district attorneys to bring actions on behalf of people residing in the state, granting both authorities the power to access and evaluate data protection assessments, to impose penalties where violations occur, and to prevent future violations. Under the UCPA, the Utah attorney general acts upon referral from the Utah Division of Consumer Protection and provides entities with written notice of an alleged violation with a thirty-day opportunity to cure. Until January 1, 2025, the CPA and CTDPA afford covered entities an automatic sixty-day cure period. After that date, the automatic cure period is repealed under both acts; under the CTDPA (but not the CPA), a cure period will remain available after that date at the discretion of the state attorney general.
In April 2022, legislation amending the Virginia Consumer Data Protection Act (“VCDPA”) was signed into law. In effect since July 1, 2022, the amendments finalize the text of the VCDPA, which became effective January 1, 2023. There are three amendments. First, where a consumer requests deletion of personal data obtained from a source other than the consumer, processors now have two options. Processors can either retain a record of the deletion request and the minimum data necessary to ensure the consumer’s personal data remains deleted and not used for any other purpose, or they can opt the consumer out of such processing for any purpose except specified exempt purposes. The amendment functions as an exemption for data brokers aimed at enhancing compliance. Second, the VCDPA’s definition of “nonprofit organization” has been expanded to include organizations exempt from taxation under section 501(c)(4) of the Internal Revenue Code and political organizations, a term of art that has been defined with exceptional breadth by amendment. Third, a fund established by the original text of the VCDPA is eliminated, with monies collected credited to a preexisting fund.
In November 2020, California voters passed Proposition 24, the California Privacy Rights Act (“CPRA”). The CPRA amends the California Consumer Privacy Act (“CCPA”), with full effect from January 1, 2023. It also establishes the California Privacy Protection Agency (“CPPA”), which has assumed rulemaking authority for the CCPA and CPRA. In June 2022, the CPPA approved text of proposed CPRA regulations. Among other things, the proposed regulations operationalize new rights and concepts introduced in the CPRA. The proposed regulations will be subject to extensive public comment and modification before being finalized.
In July 2021, the Uniform Law Commission (ULC) approved the Uniform Personal Data Protection Act (“UPDPA” or “Model Act”). The UPDPA takes a radical turn away from existing comprehensive state privacy laws, particularly through its categorization of data processing activities. The Model Act divides data practices into “compatible,” “incompatible,” and “prohibited” practices. Under the Model Act, a compatible data practice does not require consumer consent and is defined as processing that “is consistent with the ordinary expectations of data subjects or is likely to benefit data subjects substantially.” Incompatible data practices are those which are neither compatible nor prohibited; they require explanatory notice to consumers and a timely opportunity to withhold consent. Signed consent is required for an incompatible data practice that involves sensitive data. Finally, the Model Act classifies various practices as prohibited, including those that give rise to “specific and significant . . . financial, physical, or reputational harm.” A covered entity complies with a requirement of the UPDPA if it adopts a “voluntary consensus standard” that is recognized by the state’s attorney general and if it commits to abiding by the standard in its privacy policy.
In essence, the UPDPA requires each entity to design its own best practices using the rubric set by the Model Act. While this may sound attractive, the Model Act shifts the burden of standard setting to businesses, while ultimately setting them up for failure by seeking compliance with a framework that is completely out of step with domestic and international laws, policies, and best practices. The UPDPA does not contain, for example, rights to delete, port, or correct personal data or rights to opt out from certain processing activities. As such, the Model Act amplifies risks for businesses, as strict compliance with the Model Act could leave covered entities in plain violation of other comprehensive privacy laws, placing businesses covered by the law at a disadvantage in other jurisdictions.
Two cases before the Illinois Supreme Court will impact the scope of litigation under the Illinois Biometric Information Privacy Act (“BIPA”). First, the Illinois Supreme Court is considering whether claims asserted under sections 15(b) and 15(d) of BIPA accrue only once upon the initial collection or disclosure of biometric information, or each time a private entity collects or discloses biometric information. Second, the court is considering whether the statute of limitations for BIPA claims is one year, five years, or both depending upon the subsection allegedly violated. The outcomes in these two cases will have significant impacts on calculation of statutes of limitation and damages under BIPA.
Preemption and standing remain significant topics for BIPA litigation. In Kislov v. American Airlines, Inc., an Illinois federal court found that claims concerning an airline’s use of a customer service telephone hotline that “collects, analyzes, and stores callers’ actual voiceprints” were preempted by the Airline Deregulation Act because they concerned services provided to customers within the scope of the Act. In McDonald v. Symphony Bronzeville Park, LLC, the Illinois Supreme Court held that claims against employers for violation of BIPA are not preempted by the exclusive remedy provision of the Illinois Workers’ Compensation Act (“IWCA”) because an injury caused by a BIPA violation is not within the scope of the physical and psychological injuries that are “compensable” under the IWCA. In Fernandez v. Kerry, Inc., the Seventh Circuit held that section 301 of the Labor Management Relations Act of 1947 preempted a BIPA cause of action because claims were premised on issues within the scope of a collective bargaining agreement.
BIPA settlements have intensified the litigation landscape. In June 2022, Google agreed to pay $100 million to settle a class action about its use of facial tagging of photographs without consent. In October 2021, an Illinois federal judge approved a $92 million class action settlement with TikTok. In May 2022, Clearview AI reached a settlement with the ACLU that, while providing nominal monetary damages, required the company to permanently stop selling access to its faceprint database to private businesses or individuals in the United States.
On July 29, 2021, the New York City Tenant Data Privacy Act (“TDPA”) came into effect. The TDPA requires express consent for collection and processing of biometric data used in “smart access systems” and details the extent of permissible data collection and processing for such purposes. The Act requires owners of smart access buildings to provide tenants with a written privacy policy and requires that smart access systems have stringent security measures and safeguards in place. Finally, the TDPA creates a private right of action for lawful occupants of smart access buildings against unlawful sale of data, with remedies including compensatory and punitive damages, plus reasonable attorneys’ fees and court costs.
Finally, a local law governing the collection and use of biometric identifier information (the “BII Law”) has been in effect in New York City since July 9, 2021. Under the BII Law, commercial establishments in New York City must notify customers of their use of biometric data in plain and simple language using clear and conspicuous signage placed near customer entrances. Further, the law prohibits commercial establishments from selling, leasing, trading, sharing, or otherwise profiting from biometric data. The law establishes a private right of action for any violations that includes a thirty-day right-to-cure period for violations of the law’s notice requirement only. Failure to comply can result in damages ranging from $500 to $5,000 for each violation, plus reasonable attorneys’ fees and court costs.
With the privacy law landscape set to undergo significant changes in the year ahead, keeping track of new and evolving compliance requirements remains an important priority. Businesses should work to prepare key employees, staff, and relevant third parties for expected changes in law and for a rapidly changing compliance environment. Businesses will need to continue to monitor state and local privacy laws, as relevant to their business activities and market base, and should work to create adaptable, flexible, informed, and responsive compliance protocols.