State Law Privacy Alert—Key Compliance Updates
- Kirk Nahra, Ali Jessani, Tamar Pinto
The beginning of 2022 saw a flurry of activity in privacy. In the United States, most of this has been at the state level, where legislatures all around the country have been debating comprehensive privacy proposals. As these legislative sessions wind to a close, Utah (thus far) is the only state to join California, Colorado and Virginia as one of the few jurisdictions in the country with a comprehensive privacy law. As we detail in our blog post about this topic, the Utah Consumer Privacy Act is most similar to Virginia’s Consumer Data Protection Act (CDPA), both in terms of how it is structured and in its more business-friendly provisions, such as its broad exemptions for entities regulated under certain federal laws and limited enforcement provision. It’s unclear whether Utah’s new law will move the needle forward enough for Congress to act and pass a federal comprehensive privacy law, but we will continue to provide updates on that front as well.
While other states have not had the same success in terms of passing their own privacy laws, there have been other notable updates for businesses to stay on top of. For one, California continues to set the gold standard for privacy. In addition to preparing for the California Privacy Rights Act (CPRA) going into effect on January 1, 2023, businesses operating in California must also pay attention to current enforcement trends for the California Consumer Privacy Act (CCPA). The California Attorney General’s office has stated that it is especially focused on businesses operating loyalty programs, and it recently issued its first formal opinion under the law on what constitutes “inference” data under the CCPA. Meanwhile, the California Privacy Protection Agency (which will be responsible for enforcing the CPRA) is fully formed and functional, but it did announce that it would not meet the CPRA’s July 1, 2022 deadline for rulemaking. It likely will not come out with CPRA rules until the third or fourth quarter of this year, which means that businesses will have a quick compliance turnaround. Companies should also be thinking about how to address the CCPA/CPRA’s employee and business-to-business data exemptions, both of which are currently set to expire on January 1 (when the CPRA goes into effect). Outside the CCPA/CPRA, companies need to pay attention to other California laws, such as the Genetic Information Privacy Act (which went into effect on January 1, 2022), as well as other proposals in the California Legislature that may regulate certain categories of data, such as biometric information.
Virginia and Colorado have had their own updates to keep track of. Because the CDPA does not provide the Virginia Attorney General with rulemaking authority, any changes to the law must come from the Virginia Legislature. The legislature has passed a few amendments aimed at expanding the scope of the nonprofit exemption and revising how businesses must respond to deletion requests. In Colorado, the Attorney General’s office has provided guidance as to what constitutes “reasonable” security practices under Colorado law, and it has begun soliciting informal comments for the Colorado Privacy Act. They expect to begin formal rulemaking under the law by this fall, with the expectation of having finalized rules by early next year. The Virginia and Colorado laws go into effect on January 1, 2023, and July 1, 2023, respectively.
In this client alert, we have included our various writings that touch on all of these topics and more. We will continue to stay on top of notable updates in state privacy law and are happy to answer any questions you may have about these issues. To follow along with these updates, please subscribe to our Privacy and Cybersecurity Blog.
Utah Consumer Privacy Act Close to Becoming Law
March 4, 2022
Utah is close to becoming the fourth state to have a comprehensive privacy law. The Utah Consumer Privacy Act (SB 227) unanimously passed the Utah Senate on February 25. The Utah House followed suit quickly, unanimously passing the law on March 2, prior to the legislative session ending on March 4. The House version slightly modified a couple of the definitions in the Senate version and the Senate has already approved those changes. As of March 3, a final version is being sent to Governor Spencer Cox for his signature. If signed, the law will go into effect on December 31, 2023.
Utah will likely join California, Colorado, and Virginia as the fourth state with a comprehensive privacy law. In terms of parallels, the Utah law most closely mirrors Virginia’s. It has broad exemptions for entities regulated under certain federal laws (with language that is seemingly broader than the exemptions in place in California), is only enforceable by the Utah AG (and includes a 30-day cure period), does not provide the Utah AG with any rulemaking authority, and does not provide consumers with the ability to opt out of processing using a global privacy control.
Because the Utah law will not create any substantially new obligations for businesses already subject to the other state laws, it is unclear as to whether this fourth state will be sufficient for Congress to feel enough pressure to pass a federal privacy law. Still, state legislative sessions are ongoing, and it is possible that another state joins the privacy party. We are tracking the laws in Wisconsin and Florida, specifically, both of which have passed one of the two chambers in their respective state legislatures. We will continue to provide updates on these issues.
Below are key provisions of the Utah Consumer Privacy Act:
- Applies to controllers or processors that do business in the state, or produce a product or service that is targeted to consumers who are Utah residents; have annual revenue of $25M or more; and either a) control or process personal data of 100,000 or more consumers during a year; or b) derive over 50% of the entity’s gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.
- Exempts various entities and information types, including government entities; covered entities and business associates under HIPAA; information governed by HIPAA; financial institutions and information governed by the GLBA; and personal data regulated by FERPA.
- Creates individual rights for consumers, including the right to confirm whether a controller is processing their personal data; the right to access their personal data; the right to delete the personal data provided to the controller; the right to obtain a copy of their personal data in a format that is portable, readily usable, and allows the consumer to transmit the data to another controller without impediment; and the right to opt out of the processing of their personal data for the purposes of targeting advertising or the sale of personal data.
- Requires that controllers provide consumers with a privacy notice with the following information: 1) the categories of personal data processed; 2) the purposes for which the categories of personal data are processed; 3) how consumers may exercise a right; 4) the categories of personal data that the controller shares with third parties; and 5) the categories of third parties with whom the controller shares personal data.
- Incorporates privacy by design principles, such as data minimization and purpose limitation.
- Creates requirements for the processing of “sensitive data,” including requiring that controllers first present consumers with clear notice and an opportunity to opt out of the processing.
- Enables Division of Consumer Protection to establish and administer a system to receive consumer complaints regarding a controller or processor’s alleged violation.
- Does not create a private right of action. Violations are only enforceable by the Utah AG’s office. AG may recover actual damages to the consumer and up to $7,500 for each violation.
- Creates a thirty-day cure period once AG provides written notice of alleged violation.
- Would go into effect on December 31, 2023.
California Privacy Update
February 14, 2022
The California Consumer Privacy Act (CCPA) may seem like old news, especially now that Virginia and Colorado have also passed comprehensive privacy laws, but businesses must continue to pay attention to California if they want to stay on top of their potential compliance obligations. This blog post highlights key updates in California privacy law that will impact businesses in the coming year and how companies can respond to these.
- CCPA enforcement is ongoing.
As early as July 1, 2020, the first day CCPA enforcement began, the Office of the Attorney General (“OAG”) of California commenced sending notices of alleged noncompliance with the CCPA. Targeted industries range broadly and include online marketing, social media, online dating and advertising, consumer electronics, retailers and more. Once notified, companies have thirty days to cure or fix the alleged violation before enforcement further proceeds. Common fixes have included updating privacy policies, modifying service provider contracts with CCPA addendums, and adding “Do Not Sell My Personal Information” links.
- Businesses operating loyalty programs are also on notice.
As part of its investigative sweep, on January 28, 2022, the OAG also sent notices to businesses operating loyalty programs in California. Under the CCPA, businesses that offer financial incentives, such as promotions, discounts, free items, or other rewards, in exchange for personal information must provide consumers with a notice. Such financial notice must clearly describe the material terms of the financial incentive program to the consumer before they opt in to the program. Major corporations in the retail, home improvement, travel, and food services industries were sent notices of alleged violation relating to the financial notice of their loyalty programs.
- CPRA rulemaking is also in full force.
In November of 2020, California voters approved Proposition 24, the California Privacy Rights Act of 2020 (CPRA), which establishes many updates to the CCPA. A new agency, the California Privacy Protection Agency (CPPA or “Agency”), governed by a five-member Board, is mandated to implement and enforce the law.
On September 22, 2021, the Agency issued an invitation for comments on eight main topics:
- Risks: What kind of processing presents a significant risk to consumers’ privacy or security? These are the businesses that will be subject to cybersecurity audits and risk assessments performed by businesses.
- Automated Decision-Making: What activities consist of “automated decision-making” technology? Consumers will be able to opt out of automated decision-making technologies and/or profiling.
- Authority of Agency: What authority and scope should the Agency have to audit? CPRA will give the Agency authority to audit businesses based on such defined scope.
- Consumers’ Rights: The CPRA adds a new right: the right to request correction of inaccurate personal information. What should be the scope of new rules for corrections of consumer information?
- Opt-Out Rights: What rules should be established for consumers to limit the use and selling of sensitive information, and how should the opt-out preference be defined? Businesses may need to redefine functionality associated with opt-out of the sale of personal information and to create rules to limit the use of sensitive personal information.
- Sensitive Information: CPRA expands data categories to include sensitive personal information. What is the scope of “sensitive personal information” and what would be the sensitive disclosure? Businesses will need to include provisions that address sensitive data.
- 12-month period of consumer information: Upon an access request, CPRA will require businesses to provide the consumer information for a 12-month period. Requests made after January 1, 2022, may require businesses to disclose information beyond the 12-month window. Comments on this topic include what would constitute a “disproportionate effort” for businesses to provide the requested data back to consumers.
- Definitions and categories: The Agency is also asking for comments on the definitions section. Businesses should be on the lookout for changes to definitions such as “personal information,” “precise geolocation,” “specific pieces of information obtained from the consumer,” “designated methods for submitting requests,” and others.
- The future of the B2B and employee data exemptions under California law is unclear.
The CPRA extends the business-to-business and employee information exemptions in the CCPA to Jan. 1, 2023 (subject to certain limitations). Businesses that have previously relied on these exemptions for their California data will have to evaluate their potential compliance obligations once these exemptions expire. It is possible that the California legislature attempts to further extend these exemptions (or make them permanent in the law, similar to the privacy laws in Virginia and Colorado), but it is unclear to what extent the CPRA permits them to make this change.
- Meanwhile, California passed the Genetic Information Privacy Act.
On top of the CCPA/CPRA updates, the California legislature passed the Genetic Information Privacy Act (“GIPA”) last year, which went into effect on January 1, 2022. GIPA targets companies with a “direct-to-consumer” model for genetic testing. To qualify as a direct-to-consumer entity and fall under GIPA, the company must engage in one of the following: (1) sell, market, interpret, or offer consumer-initiated genetic testing products or services directly to consumers; (2) analyze genetic data obtained from a consumer (interestingly, persons licensed in the healing arts for diagnosis or treatment of a medical condition are exempted); or (3) collect, use, maintain, or disclose genetic data collected or derived from a direct-to-consumer genetic testing product or service.
GIPA governs all data that results from the analysis of a genetic material from a consumer. Genetic material can be deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA or single nucleotide polymorphisms. Genetic material can also be the data extrapolated, derived, or inferred from genetic analysis. Notably, de-identified data is exempt from the scope of the law.
Under GIPA, direct-to-consumer companies must provide notice, obtain consent, and meet certain data security standards. They must clearly provide information regarding their privacy practices and use and maintenance of genetic data, as well as a disclosure that deidentified genetic or phenotypic information may be shared with third parties. For service providers specifically, companies must include a contract with them that limits what they can do with genetic data that they process on behalf of the company. Companies must also obtain express consent from consumers for using, storing, or transferring genetic data to a third party. They must further develop, implement, and maintain a comprehensive security program to protect a consumer’s genetic data against unauthorized access, use, or disclosure. Finally, they must provide consumers with access to their genetic data, as well as the ability to delete their account and genetic data.
There is no private right of action under GIPA. It can be enforced exclusively by the OAG, a district attorney, county counsel, city attorney, or a city prosecutor. Negligent violations of the law can lead to fines up to $1,000 per violation, and willful violations are enforceable up to $10,000 per violation.
California Privacy Update, Part II
March 1, 2022
California Office of the Attorney General Clarifies What Constitutes an “Inference” under the CCPA
March 16, 2022
In the first-of-its-kind “opinion” from the California Office of the Attorney General (“OAG”), the agency addressed the question of whether a consumer’s “right to know” what personal information a business holds about the consumer under the California Consumer Privacy Act (“CCPA”) extends to internally generated inferences that a business has on the consumer, from either internal or external information sources. The OAG answered this question in the affirmative and stated that a consumer has the right to know internally generated inferences about the consumer when the inferences: (i) are derived from information that is otherwise considered personal information under the law; and (ii) are used by the business for the purpose of creating a profile about that consumer. (The OAG did clarify, however, that disclosing inferences to consumers does not require businesses to disclose their trade secrets.)
This opinion has broad ramifications for data brokers, advertisers, and other entities that rely on consumer profiles as part of their business operations. The OAG clearly states here that the CCPA’s rights do not only apply to the information that a business collects from a consumer but also to the information that a business develops about a consumer (that would otherwise meet the definition of personal information under the law). This means that businesses relying on inferences must assess how this inference data is implicated in potential data subject rights requests they receive pursuant to the CCPA. The timing of this guidance, combined with the detailed harms of inference data identified by the OAG in its opinion, indicates that this topic may be an enforcement priority for the agency moving forward.
An inference is defined as the “derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data.” For clarity, an inference is a characteristic or attribute that describes an individual such as “expectant parent”, “homeowner” or “likely to vote”. With the proliferation of big data and artificial intelligence, businesses have been able to collect and process an unprecedented and increasingly granular amount of consumer data and create such inferences from them. In its opinion, the OAG cites an academic paper from 2018 that showed that as little as 4 applications installed by a user constitutes sufficient data in order to re-identify such a user in a dataset with 95% accuracy. In the same vein, social media usage profiles such as “likes”, or similar such behavioral data can be used to predict age, gender, race, sexual orientation, and political views.
B. Selected highlights from OAG’s opinion.
With this data as backdrop, the OAG determined that under the CCPA, consumers have a right to know what inferences are drawn about them. The OAG first looked to the definition of personal information under the CCPA for its analysis. Under section 1798.140(v) of the CCPA, personal information “includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” The definition includes an array of subdivisions such as age, name, and address which are provided directly by the consumer and commercial information such as property and rent records which can be attained indirectly. Specifically, subdivision (k) of personal information includes “[i]nferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes” (emphasis added).
Under this textual interpretation, the OAG creates a two-pronged analysis to determine whether consumers have a right to know the respective inferences that companies collect and store about such consumers. Prong (1), the definition prong, is whether the inference is drawn from the information identified in one of the subdivisions defined as personal information. The information can be both direct, such as gender and race, or indirect, such as property records. Prong (2), the profile prong, is whether such information is used to create a profile about a consumer.
For example, assume a business collects a consumer’s age and online activity of browsing to spas and resorts. If the business then proceeds to create a profile of the user as a “traveler” in order to establish targeted advertising to vacation resorts, that consumer can exercise their right to know this information under the CCPA because (1) collecting age and online activity meets the definition prong and (2) creating a “traveler” profile meets the profile prong.
The OAG emphasizes that “once a business has made an inference about a consumer, the inference becomes personal information—one more item in the bundle of information that can be bought, sold, traded, and exploited beyond the consumer’s power of control.” Further, for purposes of responding to a consumer’s request to know, “it does not matter whether the business gathered the information from the consumer, found the information in public repositories, bought the information from a data broker, inferred the information through some proprietary process of the business’s own invention, or any combination thereof.”
C. The OAG responds to arguments against disclosure.
The OAG next responds to arguments against the disclosure of inferences. The first argument is that inferences need not be disclosed to consumers because inferences are information that has been generated internally by a business, rather than collected from the consumer within the meaning of Civil Code section 1798.110, subdivision (a). Subdivision (a) states that a consumer shall have the right to “request that a business … disclose . . . [t]he specific pieces of personal information it has collected about that consumer.” The OAG disagrees, explaining that the CCPA is explicit in that it gives consumers the right to receive all information collected “about” the consumer, not just information “collected from” the consumer. As such, inferences count as information collected about consumers rather than from consumers, and they form part of the consumer’s unique identity. “When a business creates (or buys or otherwise collects) inferences about a consumer, those inferences constitute a part of the consumer’s unique identity and become part of the body of information that the business has ‘collected about’ the consumer.” Thus, inferences must be disclosed to the consumer upon request.
A second argument suggests that internally generated inferences constitute a business’s intellectual property. The OAG again disagrees, responding that inferences themselves are not necessarily trade secrets. The algorithm used to derive the inferences may be protected as a trade secret, but the CCPA only requires businesses to disclose the product of the algorithm rather than the algorithm itself. Additionally, under California’s Uniform Trade Secret Act, the burden is on the company to prove the existence of a trade secret and the “improper means” by which it was attained. The opinion affirms that “[a] blanket assertion of ‘trade secret’ or ‘proprietary information’ or the like would not suffice.”
Thus, based on this opinion, and as the OAG continues its investigative sweep and its efforts of sending notices of alleged noncompliance with the CCPA, businesses will need to consider whether they fall under the OAG’s two-pronged analysis and, if so, be prepared to respond to this broader range of verifiable consumer requests.
Amendments to the Virginia Consumer Data Privacy Act Pass Legislature
March 11, 2022
The Virginia Consumer Data Privacy Act (CDPA)—which is set to go into effect on January 1, 2023—will likely be amended in the coming days. The Virginia House and Senate have passed four amendments which, most notably, address how businesses can process deletion requests, and reshape the scope of the law’s non-profit exemption. These bills will now be sent to Virginia’s Governor, and he will have until April 11 to review them and potentially sign them into law.
As we had previously noted, these amendments were inspired by a November 2021 report by the working group that was established under the law to suggest improvements. Because the Virginia CDPA does not provide the state Attorney General with rulemaking authority, any changes to the law must come from the state legislature. If you would like to learn more about the Virginia CDPA, visit our past post here.
Amendments to Virginia’s CDPA
Expand Non-Profits Exemption. The Virginia CDPA already exempts “nonprofit organizations,” but two potential amendments expand the nonprofits exempted from the CDPA. SB 534 and HB 714 both revise the definition to include “any political organization” which they define as a “party, committee, association, fund, or other organization, whether or not incorporated, organized and operated primarily for the purpose of influencing or attempting to influence the selection, nomination, election, or appointment of any individual to any federal, state, or local public office or office in a political organization or the election of a presidential/vice-presidential elector, whether or not such individual or elector is selected, nominated, elected, or appointed.”
Both bills also define a nonprofit organization to include “any organization exempt from taxation under § 501(c)(4) of the Internal Revenue Code that is identified in § 52-41.” § 52-41 of the Virginia Code applies to certain insurance fraud organizations that operate in the context of the state police. Lastly, the bills define a nonprofit to include “any subsidiary or affiliate of entities organized pursuant to Chapter 9.1 (§ 56-231.15 et seq.) of Title 56.” Chapter 9.1 refers to utility consumer services cooperatives and utility aggregation cooperatives.
Deletion Requests. HB 381 and SB 393 make it easier for controllers that obtain consumer personal data from other sources (other than the consumer) to comply with the consumer’s right to delete. The amendments note that if controllers obtain consumer personal data from a source other than the consumer, a controller is in compliance with a request from the consumer to delete, if they either: (a) “retain a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the business’s records and not us[e] such retained data for any other purpose” pursuant to the CDPA; or (b) “opt the consumer out of the processing of such personal data for any purpose except for those exempted” pursuant to the CDPA. These amendments will assist data brokers and other companies that do not directly process consumer data to comply with requests to delete.
Deletion of Consumer Privacy Fund. SB 534 and HB 714 both eliminate the Consumer Privacy Fund. The bills note that civil penalties, expenses, and fees will instead be paid to the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund.
Colorado AG Provides Clarity on Appropriate Security Practices
February 9, 2022
The Colorado AG recently provided guidance on data security best practices. Companies doing business in Colorado, especially those subject to the Colorado Privacy Act, should be paying attention to what is required under Colorado law.
On Data Privacy Day (January 28) the Colorado Attorney General (“the AG”), Phillip Weiser, published prepared remarks on data privacy and data security. The remarks served to highlight the upcoming implementation of the Colorado Privacy Act, noting that by the fall, a formal Notice of Proposed Rulemaking would be posted. The AG also published guidance on common best practices relating to data security (“Data Security Best Practices”).
Companies following this guidance will be better positioned to limit, or respond to, data breaches. They may also be in a better position to comply with the Colorado Privacy Act, as the law outlines a “duty of care” for controllers, which requires them to take reasonable measures to secure personal data. This guidance may indicate what the AG considers to be “reasonable measures.” And, as with any form of regulator guidance on common issues, these “best practices” also should be reviewed by companies operating anywhere in the country to evaluate whether their information security programs incorporate these ideas, as regulators often borrow from each other on determining what is reasonable and appropriate under state and federal laws.
The guidance lays out nine best practices:
- Data Inventory and Storage System: Companies should identify and track the types of data they collect and create a system for storing and managing that data. When inventorying the data collected, an entity should track the source of the data, the purpose for which the data is being used, and the employees that can access this information. The AG also recommends various policies to manage data, including written data and destruction policies to ensure that PII is disposed of properly, and procedures that delineate the treatment of personal data—such as the length of time the data is stored and how to manage non-secure storage of this data.
- Information Security Policy: Companies should have a written information security policy, containing common security practices like data minimization and encryption. An effective information security policy also incorporates standards that are applicable to the type of information being protected. The company should also make the policy accessible and train employees on compliance.
- Data Incident Response Plan: Companies should implement a written data incident response plan—which outlines what steps to take if a data incident occurs—and keep a copy of the policy in paper format. Just like with the information security policy, the company should train employees on incident response. And the entity should practice its plan through table-top exercises.
- Vendor Security: The interconnected nature of networks makes it important for companies to vet their potential vendors to ensure that necessary security practices are implemented. In vendor contracts, entities should also require that appropriate security measures be used.
- Employee Training: Training employees on cybersecurity is particularly important, and the AG specifically recommends that entities train employees to be vigilant about phishing emails and other suspicious network activity.
- Department of Law Ransomware Guidance: The AG recommends that entities follow the Department of Law’s guidance on ransomware. Companies should also ensure that they can access backups of their files in the event of a ransomware attack.
- Post-Breach Notification: Companies should conduct investigations if they experience a data security breach. If personal information has been, or likely has been, misused, Colorado law requires that the entity notify the affected state residents within thirty days. If the breach is large—affecting 500 or more Coloradans—the company also needs to notify the Department of Law in the thirty-day period.
- Protection of Individuals Affected by Breach: If a company collects personal information, it takes on a duty to compensate and protect those affected by a breach. As a best practice, the AG recommends notifying victims in a timely way and providing them with access to free credit services.
- Security Policy Maintenance: Companies should also review and update their security policies regularly, especially to reflect internal changes or increased risks to maintaining personal information.