While 2020 was a period of change in many ways, one major shift in the landscape of data privacy occurred right at the beginning of the year. On January 1, 2020, the nation’s first comprehensive consumer privacy law, the California Consumer Privacy Act (CCPA), went into effect, affording California residents the right to know about and control how businesses use their personal information.*
Now, more than halfway through 2021, we’re beginning to see the effects of California’s example as other states introduce and pass similar laws to protect the rights of their residents. Two states so far, Virginia and Colorado, have passed similar right-to-privacy legislation, which will place new obligations on companies that collect or process consumer data. These laws go into effect at the beginning of 2023.
Here’s what you need to know about this new trend in consumer privacy laws:
VIRGINIA’S 2023 CONSUMER PRIVACY LAW
In March 2021, Virginia passed the Consumer Data Protection Act, which goes into effect on January 1, 2023. Although the law clearly draws some inspiration from the CCPA, there are some crucial differences.
Virginia’s CDPA applies to entities which conduct business in Virginia or target products or services to Virginia residents, and:
- Control or process the data of at least 100,000 consumers (regardless of location) in a calendar year, or;
- Control or process the data of at least 25,000 consumers in a calendar year, and derive at least 50% of gross revenue from the sale of personal data.
California’s law applies to a much broader range of entities, including businesses that make $25 million or more a year in gross revenue, regardless of the amount of data they process. This means that some businesses covered by the CCPA will not be affected by the Virginia CDPA. For example, a business with revenue exceeding $25 million per year that processes the data of fewer than 100,000 consumers would have to comply with the CCPA in California, but not the CDPA in Virginia. This could include businesses involved in real estate, costly medical procedures, personal service firms, or B2B businesses. (Interestingly, that would suggest that businesses serving wealthier customers in California are required to offer more data protection to those wealthy customers than businesses serving Californians with more modest incomes.) Virginia’s law also exempts nonprofit organizations and educational institutions, which are not exempt under California’s law.
Virginia’s CDPA requires businesses to limit their collection of personal data to only that which is “adequate, relevant, and reasonably necessary for the purposes of which the data is processed.” Businesses are also required to provide “reasonable administrative, technical, and physical data security practices” to protect the integrity and accessibility of consumers’ personal data, and conduct data protection assessments. The law does not specify how often data protection assessments must occur, so this is something that may be clarified by ongoing regulation.
In addition, Virginia’s CDPA provides six main rights to consumers:
- The right to confirm whether a business that directs how the data is collected (the controller) is processing their personal data, and the right to access that data.
- The right to correct specified inaccuracies in the collected data.
- The right to delete personal data collected from or provided by the consumer.
- The right to obtain a copy of the consumer’s personal data in a portable and usable format which will allow the consumer to transmit the data to another controller.
- The right to opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or other significant effects on the consumer.
Certain businesses will also be required to provide consumers with a privacy policy containing specific information, such as the categories of personal data which are processed and how consumers may exercise their rights under the law.
COLORADO’S 2023 CONSUMER PRIVACY LAW
The Colorado Protect Personal Data Privacy Act (CPPDPA), which goes into effect on January 1, 2023, applies to entities that conduct business or produce commercial products or services that are intentionally targeted to Colorado residents, and that:
- Control or process the data of at least 100,000 consumers in a calendar year, or;
- Derive revenue from the sale of personal data and control or process the data of at least 25,000 consumers in a calendar year.
The new law limits the collection and processing of personal data to what is “adequate, relevant, and… reasonably necessary” for the specific purposes for which the data is gathered, unless the consumer’s explicit consent is obtained. Businesses are also required to take “reasonable” measures to secure the personal data during both storage and use. Data processors are also required to conduct and document a data protection assessment when processing data which presents “heightened risk of harm” to the consumer.
The law also affords Colorado consumers certain rights over the collection and use of specified personal data, including:
- The right to access, correct, or delete the collected data
- The right to obtain a copy of the consumer’s personal data in a portable format
- The right to opt out of having their personal data processed for the purposes of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or other significant effects on the consumer
Additionally, businesses must obtain explicit and informed consent from the consumer before processing personal data that is considered “sensitive.” This includes information regarding health such as biometric data or information relating to mental or physical illness, as well as any personal data from a “known child.”
Businesses will be required to provide a privacy notice to consumers to inform them of their rights, including information about what types of data are collected and how consumers can exercise their rights. Colorado will also create technical specifications for a “user-selected universal opt-out mechanism” which must be supplied to the consumer, but this provision will not go into effect until 2024.
2023 CONSUMER PRIVACY LAWS: WHAT’S NEXT?
Although these are state laws, the fact that they afford consumer rights to residents means that many businesses across the country will be affected, regardless of where their headquarters are located. While the Virginia CDPA and the Colorado CPPDPA will not go into effect until 2023, the business sector will need to start planning solutions to address their responsibilities under these 2023 consumer privacy laws.
We’re also likely to see a domino effect as other states consider similar laws to protect their resident consumers. In Ohio, for example, the Legislature has introduced the Ohio Personal Privacy Act (OPPA), which is similar to Virginia’s CDPA. As more states address consumer privacy, we will continue to monitor how businesses will be affected and the services they need to address compliance responsibilities.
*Note: California voters have since amended the law with Measure 24, or the California Privacy Rights Act (CPRA), which also goes into effect in 2023. We will address the CPRA in a future blog post.
Are you wondering how this wave of 2023 consumer privacy laws will affect your business? Do you need guidance on your general data security practices? Contact us for a free consultation to see if Gazelle Consulting’s customized compliance services are right for you.