- This survey covers significant developments in state and local privacy laws in 2022, including three comprehensive state privacy laws set to come into effect in 2023.
This survey covers significant developments in state and local privacy laws over the past year. First, it provides an overview of three comprehensive state privacy laws set to come into effect in 2023 (Part II). Second, it outlines recent amendments to the two preexisting comprehensive state privacy laws (Part III). Third, as more states and municipalities look to establish privacy laws, this survey outlines the Uniform Personal Data Protection Act, which threatens conflicting compliance burdens if incorporated into state or local law (Part IV). Finally, the survey covers recent developments in the litigation of claims under the Illinois Biometric Information Privacy Act (Part V.A) and New York City’s two new laws governing biometric data (Part V.B).
In 2022, three comprehensive state privacy bills were signed into law. The Colorado Consumer Protection Act (“CPA”) and the Connecticut Data Privacy Act (“CTDPA”) take effect on July 1, 2023. The Utah Consumer Privacy Act (“UCPA”) takes effect on December 31, 2023. This section covers key aspects of the three laws, highlighting commonalities and differences.
The CPA, CTDPA, and UCPA apply to entities that conduct business in-state or that produce one or more products or services targeted to consumers who are residents of the respective. From this broad starting point, exemptions and limitations narrow the scope of coverage of each act. Notably, all three acts place a burden on controllers to demonstrate
First, to fall within the scope of each act, entities must satisfy one of two threshold requirements. The first is common to all three acts, making them applicable to entities that control or process personal data from 100,000 consumers or. For the second threshold, the CPA applies to entities that derive any revenue or receive a discount on the price of goods and services from the sale of personal; the CTDPA applies to entities that control or process personal data from at least 25,000 consumers and derive at least 25 percent of their gross revenue from sale of personal; and the UCPA applies to entities that control or process personal data from at least 25,000 consumers and derive at least 50 percent gross revenue from sale of personal. The UCPA contains an additional limitation not present in the other two statutes, applying only to entities with an annual gross revenue of $25 million or
Second, each act exempts specified entities. For example, all acts exempt “covered entities” or “business associates,” as defined under the Social Security; entities subject to Title V of the Gramm-Leach-Bliley; and various credit reporting entities, among. Each act exempts institutions of higher education and various governmental entities—with varying definitions from act to. The CTDPA and UCPA exempt nonprofit. The CPA and CTDPA further exclude national securities associations registered under the Securities Exchange Act of. The UCPA does not apply to
Third, key terms narrow the scope of each act. For example, the “sale” of personal data is defined in detail under each act. Under the UCPA, “sale” is defined as “the exchange of personal data for monetary consideration by a controller to a third. Under the CTDPA and CPA, “sale” includes an exchange of personal data for monetary “or other valuable. Each act also excludes specified transactions from the definition of “sale.” For example, all acts exclude a controller’s disclosure of personal data to a processor who processes personal data on its behalf; a controller’s disclosure to affiliates (as defined by each act); disclosure of information that a consumer intentionally makes available to the general public via a channel of mass media; disclosure of personal data to a third party for the purpose of providing a product or service requested by the consumer; disclosure directed by a consumer; and disclosure that is part of a transaction in which a third party assumes control of. Additional limitations on the definition of “sale” vary from act to act. The UCPA provides the broadest exclusion, excluding from the definition of “sale” disclosure to a third party for purposes “consistent with a consumer’s reasonable
Fourth, data-level exemptions narrow the scope of each act. For example, de-identified data and publicly available information are exempt from coverage under each. The UCPA additionally exempts aggregated. All three acts incentivize pseudonymizing data by exempting from coverage personal data that is pseudonymized as directed by each. Further, each act exempts the use of personal data for several business and product development purposes, including for conducting internal research to develop, improve, or repair a product, service, or technology; to identify and repair technical errors that impair existing or intended functionality; or to effectuate product. All acts exempt personal data collected and maintained under numerous federal laws, with some variation from act to. All three statutes include numerous public health. The CPA and the CTDPA further exempt, more broadly, personal data used in the public interest for public health
The CPA, CTDPA, and UCPA grant rights to “consumers” with respect to their personal data, defining a “consumer” as a state resident acting in an individual or household context only, and not in a commercial or employment. Across all three acts, “consumers” have the right to confirm whether a controller is processing their personal information, to access their personal data, to obtain a portable copy of their data, and to delete their personal. The CTDPA and CPA additionally grant consumers a qualified right to correct their personal
Each act recognizes a consumer’s right to limit use and disclosure of sensitive data. Across all acts, sensitive data includes information pertaining to a consumer’s racial or ethnic origin, religious beliefs, mental or physical health condition or, sexual orientation, citizenship or citizenship status, and uniquely identifying genetic or biometric. Under the CPA and CTDPA, sensitive data additionally includes personal data collected from a known. The CTDPA and UCPA additionally protect data concerning immigration status and precise geolocation. The CPA and CTDPA protect data concerning sex. The UCPA protects medical history and. Under the CPA and CTDPA, a controller may not process sensitive data collected about a consumer without first obtaining consent and must conduct and document data protection assessments before processing any sensitive. Under the UCPA, consumers must have clear notice and an opportunity to opt out of processing sensitive
Each act requires that controllers clearly and conspicuously disclose to consumers how they can exercise rights to opt out from data. Under the UCPA, consumers have a right to opt out from processing of personal data for purposes of targeted advertising or the sale of personal. Under the CTDPA and CPA, consumers may additionally opt out from profiling in furtherance of decisions (“automated decisions” under the CTDPA) that produce legal or similarly significant effects on. Further, the CPA and CTDPA establish a right of consumers to authorize other persons acting on their behalf to opt out of processing personal data, including by way of technologies such as web links, browser settings, browser extensions, or global device. From July 1, 2024, the CPA will mandate the use of a “user-selected universal opt-out mechanism,” which covered entities may implement
All three acts establish responsibilities with respect to transparency, purpose specification, data minimization, and secondary use of personal data. Transparency obligations are similar across all three acts, requiring that privacy notices contain the categories of personal data collected or processed; the purposes for such collection and processing; the categories of personal data shared with third parties as well as the categories of any such third parties; and information about how consumers may exercise their. The CPA and CTDPA additionally require that privacy notices contain contact information for controllers, with the CTDPA requiring “an active electronic mail address or other online mechanism” for the consumer to contact the. Finally, while the CPA and the CTDPA require disclosure in privacy notices of any sale of personal data or processing of personal data for targeted advertising, the UCPA requires only disclosure of how consumers may opt out of such. All three acts require purpose specification, with the CPA using the strongest language in this. The CPA and CTDPA require data. Finally, the CPA and the CTDPA expressly require consumer consent for any secondary use of personal data, i.e., use for purposes that are not reasonably necessary to or compatible with those disclosed to
All three acts establish security obligations for controllers. The CPA requires controllers to take reasonable measures to secure personal data during both storage and use from unauthorized acquisition, using practices that are appropriate to the volume, scope, and nature of the personal data processed and the nature of the. The CTDPA and the UCPA, sharing almost identical language, require a controller to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality and integrity of personal data, as appropriate to the volume and nature of the personal data at. The CTDPA additionally requires controllers to protect accessibility of the personal. The UCPA additionally requires that controllers reduce reasonably foreseeable risks of harm to consumers relating to the processing of personal data and that data security practices consider the controller’s business size, scope, and
Each act requires processors to adhere to a controller’s instructions and assist controllers in meeting their. More stringently, all acts require the relationship between controllers and processors to be governed by mutually binding contracts that contain, among other mandatory recitals, instructions for processing personal data; the nature, purpose, and duration of the processing; and each party’s rights and. Further, contracts must subject each individual processing personal data to a duty of confidentiality and require that processors engage subcontractors pursuant to a written contract that establishes, for subcontractors, the same obligations as the. Under the CPA and the CTDPA, contracts must require that processors engage subcontractors only after providing controllers with an opportunity to
Each act gives controllers forty-five days to respond to a consumer’s exercise of rights. If a controller declines a request, it must communicate, within this same period, the reasons for its refusal, with the CPA and CTDPA requiring communication of instructions for appealing the. Relatedly, the CPA and the CTDPA require covered entities to establish an internal process for appealing a controller’s refusal to take action on a. All acts require that information provided in response to consumer requests be provided free of charge once per consumer during a twelve-month
Under the CPA and CTDPA, a controller must conduct and document a data protection assessment for each of its processing activities that presents a heightened risk of harm to a. Under both acts, such processing includes processing for targeted advertising or sale, certain kinds of profiling, and the processing of sensitive. The requirement for data protection assessments comes into effect on July 1, 2023, under both. Data protection assessments are confidential and exempt from public inspection and copying under Connecticut’s Freedom of Information (under the CTDPA) and the Colorado Open Records Act (under the
Finally, enforcement powers and mechanisms vary from act to act. While no act creates any private right of, all acts grant their respective state attorneys general enforcement authority. The CPA grants authority to both the attorney general and district attorneys to bring actions on behalf of people residing in the, granting both authorities the power to access and evaluate data protection assessments, to impose penalties where violations occur, and to prevent future. Under the UCPA, the Utah attorney general acts upon referral from the Utah Division of Consumer, and provides entities with written notice of an alleged violation with a thirty-day opportunity to. Until January 1, 2025, the CPA and CTDPA afford covered entities an automatic sixty-day cure period. After this date, the cure period is repealed under both acts. Under the CTDPA (and not the CPA), after this date, the cure period will remain available at the discretion of the state attorney
In April 2022, legislation amending the Virginia Consumer Data Protection Act (“VCDPA”) was signed into law. In effect since July 1, 2022, the amendments finalize the text of the VCDPA, which became effective January 1, 2023. There are three amendments. First, where a consumer requests deletion of personal data obtained from a source other than the consumer, processors now have two options. Processors can either retain a record of the deletion request and the minimum data necessary to ensure the consumer’s personal data remains deleted and is not used for any other purpose, or they can opt the consumer out of such processing for any purpose except specified exempt. The amendment functions as an exemption for data brokers aimed at enhancing compliance. Second, the VCDPA’s definition of “nonprofit organization” has been expanded to include organizations exempt from taxation under section 501(c)(4) of the Internal Revenue Code and political organizations, a term of art that has been defined with exceptional breadth by. Third, a fund established by the original text of the VCDPA is eliminated, with monies collected credited to a preexisting
In November 2020, California voters passed Proposition 24, the California Privacy Rights Act (“CPRA”). The CPRA amends the California Consumer Privacy Act (“CCPA”) with full effect from January 1, 2023. It also establishes the California Privacy Protection Agency (“CPPA”), which has assumed rulemaking authority for the CCPA and CPRA. In June 2022, the CPPA approved the text of proposed CPRA. Among other things, the proposed regulations operationalize new rights and concepts introduced in the CPRA. The proposed regulations will be subject to extensive public comment and modification before being finalized.
In July 2021, the Uniform Law Commission (ULC) approved the Uniform Personal Data Protection Act (“UPDPA” or “Model Act”). The UPDPA takes a radical turn away from existing comprehensive state privacy laws, particularly through its categorization of data processing activities. The Model Act divides data practices into “compatible,” “incompatible,” and “prohibited” practices. Under the Model Act, a compatible data practice does not require consumer consent and is defined as processing that “is consistent with the ordinary expectations of data subjects or is likely to benefit data subjects. Incompatible data practices are those which are neither compatible nor, and require explanatory notice to consumers and a timely opportunity to withhold. Signed consent is required for an incompatible data practice that involves sensitive. Finally, the Model Act classifies various practices as prohibited, including those that give rise to “specific and significant . . . financial, physical, or reputational. A covered entity complies with a requirement of the UPDPA if it adopts a “voluntary consensus standard” that is recognized by the state’s attorney, and if it commits to abiding by the standard in its privacy
In essence, the UPDPA requires each entity to design its own best practices using the rubric set by the Model Act. While this may sound attractive, the Model Act shifts the burden of standard setting to businesses, while ultimately setting them up for failure by seeking compliance with a framework that is completely out of step with domestic and international laws, policies, and best practices. The UPDPA does not contain, for example, rights to delete, port, or correct personal data or rights to opt out from certain processing activities. As such, the Model Act amplifies risks for businesses, as strict compliance with the Model Act could leave covered entities in plain violation of other comprehensive privacy laws, placing businesses covered by the law at a disadvantage in other jurisdictions.
Two cases before the Illinois Supreme Court will impact the scope of litigation under the Illinois Biometric Information Privacy Act (“BIPA”). First, the Illinois Supreme Court is considering whether claims asserted under sections 15(b) and 15(d) of BIPA accrue only once, upon the initial collection or disclosure of biometric information, or each time a private entity collects or discloses biometric. Second, the court is considering whether the statute of limitations for BIPA claims is one year, five years, or both, depending upon the subsection allegedly. The outcomes in these two cases will have significant impacts on the calculation of statutes of limitation and damages under BIPA.
Preemption and standing remain significant topics for BIPA litigation. In Kislov v. American Airlines, Inc., an Illinois federal court found that claims concerning an airline’s use of a customer service telephone hotline that “collects, analyzes, and stores callers’ actual voiceprints” were preempted by the Airline Deregulation Act because they concerned services provided to customers within the scope of the Act. In McDonald v. Symphony Bronzeville Park, LLC, the Illinois Supreme Court held that claims against employers for violation of BIPA are not preempted by the exclusive remedy provision of the Illinois Workers’ Compensation Act (“IWCA”) because an injury caused by a BIPA violation is not within the scope of the physical and psychological injuries that are “compensable” under the IWCA. In Fernandez v. Kerry, Inc., the Seventh Circuit held that section 301 of the Labor Management Relations Act of 1947 preempted a BIPA cause of action because the claims were premised on issues within the scope of a collective bargaining
BIPA settlements have intensified the litigation landscape. In June 2022, Google agreed to pay $100 million to settle a class action about its use of facial tagging of photographs without. In October 2021, an Illinois federal judge approved a $92 million class action settlement with. In May 2022, Clearview AI reached a settlement with the ACLU that, while providing nominal monetary damages, required the company to permanently stop selling access to its faceprint database to private businesses or individuals in the United
On July 29, 2021, the New York City Tenant Data Privacy Act (“TDPA”) came into. The TDPA requires express consent for collection and processing of biometric data used in “smart access, and details the extent of permissible data collection and processing for such. The Act requires owners of smart access buildings to provide tenants with a written privacy, and requires that smart access systems have stringent security measures and safeguards in. Finally, the TDPA creates a private right of action for lawful occupants of smart access buildings against unlawful sale of data, with remedies including compensatory and punitive damages, plus reasonable attorneys’ fees and court
Finally, a local law governing collection and use of biometric data has been in effect in New York City since July 9. Under the BII Law, commercial establishments in New York City must notify customers of their use of biometric data in plain and simple language using clear and conspicuous signage placed near customer. Further, the law prohibits commercial establishments from selling, leasing, trading, sharing, or otherwise profiting from biometric. The law establishes a private right of action for any violation, including a thirty-day right-to-cure period for violations of the law’s notice requirement only. Failure to comply can result in damages of between $500 and $5,000 for each violation, plus reasonable attorneys’ fees and court
With the privacy law landscape set to undergo significant changes in the year ahead, keeping track of new and evolving compliance requirements remains an important priority. Businesses should work to prepare key employees, staff, and relevant third parties for expected changes in law and for a rapidly changing compliance environment. Businesses will need to continue to monitor state and local privacy laws, as relevant to their business activities and market base, and should work to create adaptable, flexible, informed, and responsive compliance protocols.