New Data Privacy Laws Coming in 2023

Operators of websites that collect user data have had to follow the California Consumer Protection Act (“CCPA”) since 2020. This law sets out specific requirements when interacting with California consumers, which applies to most companies with any significant internet presence at all. Additionally, Virginia, Colorado, Connecticut, and Utah have all passed their own privacy acts, and California has passed the California Privacy Rights Act which made some changes to the CCPA, all of which become effective in 2023. Below, we will discuss the principal requirements of these statutes in order to help companies plan for the coming changes.

First, it is important to know when each of these statutes becomes effective. The changes to the CCPA take effect January 1, 2023, as does the Virginia Consumer Data Protection Act (“VCDPA”). The Colorado Privacy Act (“CPA”) and the Connecticut Data Privacy Act (“CTDPA”) are effective on July 1, 2023, while the Utah Consumer Privacy Act (“UCPA”) becomes effective on the last day of 2023. While there is some variety in the effective dates of the requirements outlined below, it makes the most sense to prepare for them all now in order to prevent wasting resources by reconfiguring privacy policies multiple times over the next 18 months.

Next, let’s look at applicability of each statute. The CCPA currently applies to any for-profit entity that collects personal information from California residents and meets any of the following three qualifiers:

(1) at least $25 million in gross annual revenue;

(2) buys, sells, or receives information about at least 50,000 California consumers, businesses, or devices for commercial purposes; or

(3) derives more than 50% of its annual revenue from the sale of personal information.

The alterations to the CCPA that take effect on January 1 will change the second qualification to “buys, sells, or shares personal information of 100,000 or more California residents or households” and will change the third qualification to “derives 50% or more of annual revenue from selling or sharing California personal information.” These changes will reduce the applicability to companies who collect primarily business data and will raise the threshold for those that collect personal or household data from 50,000 affected consumers to 100,000. They also extend applicability to those who do not directly sell consumer data but share it in a way that brings them profit.

The VCDPA will apply to for-profit entities that conduct business in Virginia or target their offers of products and services to Virginia residents and:

(1) control or process the data of at least 100,000 consumers; or

(2) control or process the data of at least 25,000 consumers and derive more than 50% of revenue from the sale of personal data.

The CPA will apply to all legal entities that conduct business in Colorado or intentionally target products or services toward Colorado residents and:

(1) control or process personal data of more than 100,000 consumers per calendar year; or

(2) derive revenue or receive a discount on the price of goods and services from the sale of personal data and process or control the data of at least 25,000 consumers.

The CTDPA will apply to all persons that conduct business in Connecticut or produce products that are targeted to Connecticut residents and:

(1) control or process personal data, excluding data processed or controlled solely to complete payment transactions, of at least 100,000 consumers; or

(2) control and/or process the data of at least 25,000 consumers and derive more than 25% of gross revenue from personal data.

Finally, the UCPA will apply to entities that conduct business in Utah or produce a product or service that is targeted to residents of the state, that have more than $25 million in gross annual revenues, and:

(1) control or process personal data of more than 100,000 consumers; or

(2) derive over 50% of gross revenue from the sale of personal data and control or process the data of at least 25,000 consumers.

For companies that do business nationally, at least one of the above laws will apply if you control or process the data of at least 100,000 consumers (or 25,000 if you get any revenue or discount from the sale or transfer of consumer data).

All of the statutes define personal data similarly: as any data that can reasonably be linked to a particular consumer or household. They also all contain exceptions for deidentified data and publicly available information. And they require consent from the consumer prior to processing sensitive data. Sensitive data is defined slightly differently from statute to statute, but it includes:

• social security numbers,

• driver’s license numbers,

• financial account numbers,

• precise geolocation data,

• health information,

• racial or ethnic data,

• religious or philosophical information,

• citizenship or immigration status,

• genetic or biometric data, and

• information collected from a child.

The California Privacy Rights Act (“CPRA”) also includes the contents of mail, email, and text messages in sensitive data.

When it comes to the notice requirements, there is some divergence among the various statutes. All the statutes require businesses to give consumers notice of what categories of information they collect and what the intended use of the data is. All of the statutes except the VCDPA require that the notice be given at the point of data collection and that it include information on the right to opt out of data sales to third parties. All statutes require disclosure of which third parties consumer data is shared with. Only the CCPA requires a Financial Incentive Notice that discloses to consumers that they are receiving a financial benefit in exchange for allowing the business to collect their information; this applies to loyalty programs, discount programs, etc. The CTDPA explicitly requires companies to limit the collection of data to what is adequate, reasonable, and necessary for the disclosed purposes of data collection and to avoid collecting or processing any data that does not meet those criteria.

All of the privacy statutes describe specific rights of consumers. The rights to know what data is being collected, to access that data, to opt out of its sale, to opt out of having it used for profiling, and to correct any wrong data are almost universal among these laws. The one exception is the UCPA, which does not offer any rights to correct wrong information or to opt out of profiling, but that exclusion will only apply to the small sliver of companies that do business in Utah and not California, Colorado, Connecticut, or Virginia. All statutes also require that companies enter into contracts with any third parties that process data for them (loyalty platform managers, payment processors, etc.) that place restrictions on how that data is used.

The five privacy statutes are very similar, though not identical. Most companies that collect consumer data, unless very small, will be required to follow them all, so the best solution is to start preparing now and to have all the appropriate measures in place by January 1, 2023. This will simplify the process and prevent any redundant waste of resources as each statute comes online over the course of the year. If you have any questions regarding these new requirements, please contact the Indiana business law attorneys at McNeelyLaw LLP.

This McNeely Law LLP publication should not be construed as legal advice or legal opinion of any specific facts or circumstances. The contents are intended for general information purposes only, and you are urged to consult your own lawyer on any specific legal questions you may have concerning your situation.
