Do you have privacy and security obligations on your New Year compliance agenda?
The Recorder recently published an article by Baker Botts Partner Cynthia Cole, Special Counsel Rachel Ehlers, and Associate Will Cozzens.
A version of this piece can be read on The Recorder.
New comprehensive privacy laws in California, Virginia and Colorado are set to take effect in 2023. In multiple other states, lawmakers are motivated to pass similar legislation. These laws will require businesses to contend with a growing patchwork of privacy regulations that, despite the common themes of expanding consumer rights to control their data, also include variations that will likely frustrate compliance efforts.
There are a few key dates in the coming months that all companies should be aware of:
- July 1: deadline for the new California Privacy Protection Agency to draft and adopt certain regulations for the California Privacy Rights Act (CPRA), which amended the California Consumer Privacy Act (CCPA).
- Dec. 22: deadline for retrofitting contracts and data transfer agreements related to data transfers from the European Economic Area to conform with the new Standard Contractual Clauses (https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-dataprotection/standard-contractual-clauses-scc_en) published by the European Commission in June 2021.
- Jan. 1, 2023: the Virginia Consumer Data Protection Act (CDPA) becomes effective. Also, the CPRA and its changes to the CCPA become effective.
- July 1, 2023: the Colorado Privacy Act (CPA) becomes effective.
Overview of New Laws
California: The California Privacy Rights Act (https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202120220AB1490) applies to businesses: (1) that derive at least 50% of annual revenue from sharing or selling the personal information of California consumers; (2) with gross revenue over $25 million; or (3) that buy, sell, or share the personal information of more than 100,000 California consumers/households.
It broadens the reach of the CCPA (https://www.oag.ca.gov/privacy/ccpa), as the CCPA did not cover “sharing” of personal data. However, it raises the threshold in the third criterion from 50,000 to 100,000, which will exclude more small businesses from regulation. Because of these changes, businesses should review previous CCPA-applicability determinations.
The CPRA includes an expanded private right of action for consumers to bring a claim against a business for a breach impacting personal information. It also creates treble damages for violations related to consumers under 16 years old and includes the right to correct inaccurate data.
The CPRA also creates a new subcategory of personal information, dubbed “sensitive personal information” and new limitations on sharing personal information and how long businesses may retain data. It also eliminates the CCPA’s 30-day cure period and requires businesses to enter into agreements with the service providers, contractors, and third parties when they share personal information.
Parts of the CPRA have already taken effect, including the creation of the California Privacy Protection Agency (https://cppa.ca.gov/) (CPPA), the agency tasked with overseeing California’s privacy regulations. The CPPA has until July 1 to finalize regulations related to the CPRA rights and requirements, which makes compliance by Jan. 1, 2023, particularly challenging for companies.
Virginia: Virginia’s CDPA (https://law.lis.virginia.gov/vacode/title59.1/chapter53/) applies to anyone who conducts business in Virginia or produces products or services targeted at Virginia residents, and who controls or processes the personal data of at least: (1) 100,000 consumers during a calendar year; or (2) 25,000 consumers while deriving 50% of gross income from the “sale” of personal data.
The CDPA contains several new requirements, exemptions and definitions not found in the CCPA or CPRA. For example, the Virginia law has stricter opt-in requirements, grants broader opt-out rights, and has an obligation for businesses to confirm processing and deletion of personal data “concerning” individuals, in addition to data “collected from” individuals.
Colorado: Similar to the CDPA, the CPA applies to businesses in Colorado, or businesses that produce products or services targeted at Colorado residents, that control or process the personal data of at least: (1) 100,000 consumers during a calendar year; or (2) 25,000 consumers, while deriving revenue or receiving a discount on the price of goods or services from sales of personal data. Unlike the CDPA and the California laws, the CPA has no revenue threshold. As a result, certain businesses might not be subject to the CPRA or CDPA but still fall within the scope of the Colorado law.
Overview of Pending Legislation
Lawmakers in at least fifteen other states are considering similar legislation in 2022. Private rights of action, which allow individuals to sue when there is a breach (in some cases, even when the individual cannot show harm), and right-to-cure windows, which allow businesses a period to address issues before becoming liable, are the common issues being debated in various legislatures. The laws being considered share the common themes of more individual rights and more obligations on businesses, but will create a complicated patchwork given the subtle differences among them.
Florida: In 2021, disagreements around these issues, and over how to enforce new privacy rules, derailed comprehensive privacy legislation in Florida. Nevertheless, on Jan. 7, Florida Senator Jennifer Bradley introduced the Florida Privacy Protection Act (https://www.flsenate.gov/Session/Bill/2022/1864/BillText/Filed/PDF), which has an application threshold similar to the Virginia law and a private right of action. It also calls for the creation of the Consumer Data Privacy Unit within the Florida Attorney General’s Office. If enacted, it would grant consumers the rights to “opt out” and to demand that companies delete or correct their information, in addition to obligating companies to maintain sufficient internal controls over consumer data.
Washington: Like Florida’s, Washington’s march towards a comprehensive data protection law has been rocky. The Washington Privacy Act (https://app.leg.wa.gov/billsummary?BillNumber=5062&Year=2021&Initiative=False) has twice failed in the state House, but legislators have introduced two other competing bills in recent weeks. One, the Washington Foundational Data Privacy Act (https://app.leg.wa.gov/billsummary?billnumber=1850&year=2022) (HB 1850), has an application threshold similar to the Colorado and Virginia laws. It also includes the controversial private right of action and would create a data privacy commission similar to California’s CPPA. The other, the People’s Privacy Act (https://app.leg.wa.gov/billsummary?BillNumber=1433&Year=2021&Initiative=false) (HB 1433), includes a private right of action but no right to cure. It also has a lower threshold than the laws in California, Virginia and Colorado, applying to any person or business that operates in Washington and processes and/or maintains the captured personal information of 1,000 or more unique individuals during a calendar year. As such, it appears to take a more aggressive, consumer-focused approach to privacy regulation. It remains to be seen whether either of these bills will garner the support necessary for passage.
New York: After languishing in committee for most of 2021, the New York legislature will consider the New York Privacy Act (https://www.nysenate.gov/legislation/bills/2021/s6701) again in 2022. If adopted, it will create a private right of action, require companies to disclose their methods of de-identifying personal information, place special safeguards around data sharing and allow consumers to obtain the names of all entities with whom their information is shared.
Oklahoma: When the 2022 legislative session begins on Feb. 7, the Oklahoma legislature will consider a slightly updated version of the Oklahoma Computer Data Privacy Act (http://webserver1.lsb.state.ok.us/cf_pdf/2021-22%20INT/hB/HB2969%20INT.PDF), which passed the House in 2021 but failed in the Senate. If adopted, this bill would enact application thresholds similar to those found in the CPRA, but no private right of action. Uniquely, it would operate on an “opt-in,” rather than “opt-out,” model and also includes a right to be forgotten.
Indiana: In Indiana, HB 1261 (http://iga.in.gov/legislative/2022/bills/house/1261?__cf_chl_jschl_tk__=sPVkLYE6ivBLOUAOwgIjHtdk_LwlPRwK2Ptg22sQxjc-1642655271-0-gaNycGzNA70#document-1e812990) would apply to any person that conducts business in Indiana, produces products or services that are marketed to Indiana residents, or controls or processes personal data of: (1) at least 100,000 consumers during a calendar year; or (2) at least 25,000 consumers during a calendar year and derives more than 50% of its gross revenue from the sale of personal data. It appears to borrow concepts from the California, Colorado, and Virginia laws.
District of Columbia: On Oct. 18, the Chairman of the Council of the District of Columbia introduced the Uniform Personal Data Protection Act of 2021 (https://lims.dccouncil.us/Legislation/B24-0451) at the request of the Uniform Law Commission (ULC); the bill is still pending.
Not all the action in this area is situated at the state level. On Dec. 10, the Federal Trade Commission initiated the process to propose new rules related to privacy and artificial intelligence. The rulemaking process would allow the FTC to formulate new rules related to the unfair or deceptive use of personal data, but it is too early to say what will come of such efforts. As things stand, the FTC will either begin soliciting stakeholder comments or begin its rulemaking process in February 2022.
How To Prepare
With three states already having enacted comprehensive legislation, and many others likely to follow suit, businesses will need to evaluate how they collect, use, store, and share the personal information of individuals, including their employees and customers. We encourage clients to adopt a broad, holistic approach to data privacy compliance that goes beyond a single law or regulation.
Cynthia Cole is Baker Botts’ deputy department chair of the corporate section in the firm’s Palo Alto and San Francisco offices. Rachel Ehlers is a special counsel and Will Cozzens is an associate in the Austin office.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.