18 Jul New State Privacy Laws – Business Obligations and Individual Rights
2022 was a busy year for state privacy laws. Now is a good time to recap the similarities and differences of the new state privacy laws and what they may mean for individuals and for your business. Before speaking about each privacy law, it’s important to have a general understanding of the meaning of these rights and obligations.
For individuals, there are certain rights to data that are established with each of these bills. I’ll note a few, but not all, of these:
- The right of access, or the right to be able to see what data a company may have collected about one.
- The right of rectification, or the right to correct any data a company has which is incorrect.
- The right of deletion, or the right for one to ask a company to completely get rid of the data that it has.
- The right of restriction, or the right to make sure that one’s data is only used in certain ways or by certain people.
- The right to opt out of sales, or the right to ask companies not to market to one.
- Most controversial is a private right of action, or an individual’s right to sue a company for violating a privacy law.
For businesses, it’s important to note that “business” is a special legal term in many of these laws. While we all need to be mindful of our clients’ privacy and security, the legislatures did not intend to require small business owners to take on undue amounts of responsibility. You’ll want to consult with your attorney to see if your business is required to take on the business obligations under each state’s law.
The business obligations are as follows:
- The “opt-in default” age requirement, which is an age restriction on when a consumer can be considered to have automatically agreed to the sale of their personal information. These vary from 13 to 16.
- A notice requirement, or the obligation for businesses to inform consumers about data and privacy practices. You’ve likely seen these notices begin to spring up across the internet.
- A requirement of risk assessments, or an obligation for a business to perform formal evaluations of privacy and security procedures.
- A prohibition on discrimination, or the requirement that if a person exercises their privacy rights, they will not be treated differently.
- A purpose/processing limitation, or a restriction on the collection and processing of personal data except for a specific purpose.
California led the way with our nation’s first comprehensive state privacy law, the California Consumer Privacy Act (CCPA), signed in 2018 and effective on January 1, 2020. This has been modified with the California Privacy Rights Act (CPRA), signed in 2020, which will become effective in 2023. The CPRA expands individual rights under the previous California law to include a right of rectification and a limited right of restriction. The business obligations are expanded to include the requirements of risk assessments and prohibitions on discrimination. California remains the only state with a limited private right of action. Generally, privacy laws are enforced by state attorneys general. California has also created a separate agency, the California Privacy Protection Agency, which shares enforcement authority with the state’s attorney general.
Four other states have so far joined California (Virginia, Colorado, Connecticut, and Utah) but interest has been very high, with many more states (including Michigan, Ohio, Pennsylvania, New Jersey, and Massachusetts) not only introducing bills, but considering them in committee. Many other states have also introduced privacy bills.
The Virginia bill will become effective on January 1, 2023. The Colorado bill will become effective on July 1, 2023, and the Connecticut bill will also become effective on July 1, 2023. These bills are most similar in the protections that they will provide. They all provide individuals with a right of access, a right of rectification, a right of deletion, a right to restrict their data in that the individual may opt out of data processing for targeted advertising purposes, and a right to opt out of sales. None of these states provides for a private right of action, meaning that an individual cannot sue a business for violation of the state’s privacy law. Enforcement will be through the government.
Each of these three states, Virginia, Colorado, and Connecticut, has similar business obligations. They all have “sensitive data opt-in default” ages: age 13 for Virginia and Colorado, and age 16 for Connecticut. They all provide notice requirements and risk assessments. They all provide prohibitions against discrimination when using privacy law protections and they all have limitations on the purpose of data use. It’s important to note that what each state means by “sensitive data” for different ages is complex and you should consult with your attorney to make sure that you understand your duties.
Utah’s law is a little more limited. It provides individuals with a right of access to their data and a right of deletion, but not a right of correction. It also provides for the right to opt out of sales. There is no private right of action for individuals. The Utah law provides a business obligation with an “opt-in default” for all data at age 13. There are notice requirements and prohibitions on discrimination. There are no requirements for risk assessments and no limits on the purpose for which businesses may use customers’ data.
Privacy law is a rapidly changing area of law. We will see California refining its law further with guidance from its privacy agency. It’s likely that in the next legislative terms, beginning in January of 2023, we will see even more states join in with their own privacy laws.
This article is a publication of MWH Law Group LLP and is intended to provide general information regarding legal issues and developments to our clients and other friends. It should not be construed as legal advice or a legal opinion on any specific facts or situations. For further information on your own situation, we encourage you to contact the author of the article or any other member of the firm.
© MWH Law Group LLP 2022. All rights reserved.
Veronica Kirk, Partner