Expanded U.S. State Privacy Laws in Six States Bring Increased Data Privacy Requirements and Significant Risk of Class Action Suits and Enforcement Actions


Five U.S. states have adopted comprehensive data privacy laws that either went into effect as of January 1, 2023 or are scheduled to go into effect later in 2023: California, Connecticut, Colorado, Utah, and Virginia.  Most recently, on March 29, 2023, Iowa became the sixth state to pass a comprehensive data privacy law, which goes into effect on January 1, 2025.  Businesses may be subject to one or more of these laws even if they are not physically located in any of these states. Companies need to comply with these laws if their sales within the jurisdiction reach a certain threshold. The laws are not restricted to companies headquartered or with physical brick-and-mortar locations there; e-commerce is sufficient. In general, the laws are modeled after provisions in the European Union’s (“EU”) General Data Protection Regulation (“GDPR”). The laws include provisions that promote transparency for consumers, and they specify and limit the purposes for which personal data may be processed.

The United States has taken a patchwork approach to data privacy, with the potential for each state to create a different set of rules, similar to the 50 different data breach laws that currently exist.  This has resulted from the lack of one comprehensive federal law that governs data privacy. In the absence of a federal law, the costs of America’s patchwork approach of different and sometimes conflicting state privacy laws will only continue to rise, imposing compliance costs that are estimated to exceed $100 billion annually for businesses. Failure to comply with applicable data privacy laws may lead to multi-million dollar fines, class action lawsuits, and state or federal enforcement actions.  The Federal Trade Commission (“FTC”) has become increasingly aggressive in the privacy and data security area.  It has recently brought actions against businesses for lax data security and for sharing sensitive consumer data with third parties for advertising purposes.  FTC enforcement actions can prove extremely costly, as the agency is authorized to bring civil actions for monetary penalties of up to $40,000 per violation, and each day of non-compliance constitutes a separate violation.

Several state privacy laws do not include a private right of action, but both California’s Consumer Privacy Act and the Illinois Biometric Information Privacy Act (“BIPA”) do.  The number of BIPA class action lawsuits has skyrocketed recently, coinciding with the Illinois Supreme Court’s decision in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Jan. 25, 2019), holding that a plaintiff is not required to allege or prove an actual injury to recover statutory damages under BIPA.  Since that decision, Facebook agreed to pay a $650 million settlement to resolve a BIPA class action, and in October 2022, a jury returned a verdict of $229 million against BNSF Railway Co. in the first-ever BIPA class action jury trial.  Further, in January 2023, New York City’s Biometric Identifier Information Law went into effect. Shortly thereafter, Amazon was sued in a putative class action for allegedly violating this law through its use of finger and palm print data at locations using Amazon Go technology; see McCall v. Amazon.com Servs. LLC, Civil Action No. 23-00901. Other states, including Massachusetts and New York, have recently introduced biometric legislation, which would similarly create the possibility of massive damage awards in class actions.  The Massachusetts biometric bill, if passed, would provide the prospect of higher damages than BIPA: “no less than $5,000 per violation or actual damages suffered.”  See MA Senate Bill 195 at § 3 (An Act to Protect Personal Biometric Data).  Accordingly, data holders need to be increasingly careful about how they and their third-party vendors handle consumer data.

Overview of New State Privacy Laws

California, Connecticut, Colorado, and Virginia will require companies to perform data protection impact assessments (“DPIAs”)[1], which are similar to the assessments required under the GDPR. Companies will need to keep records and track their data processing activities to comply with these laws. All the laws provide consumers with rights of data access, data correction, data portability, and deletion, as well as limits on data processing and opt-out options. All six states require businesses to enter into contracts with third parties that process personal data and, at a minimum, to protect that information with reasonable data security.

The Colorado, Connecticut, Iowa, Virginia, and Utah laws mirror terminology from the GDPR, and the laws apply to “controllers.” Although there are nuances in the laws, generally, a “controller” is a natural or legal person who decides the purposes for and the means by which personal data is processed. In general, the five states’ laws apply to “controllers” that conduct business in the state or that provide services or products targeted to residents of the state and that either:

  1. control or process personal data of 100,000 or more consumers during a calendar year; or
  2. control or process personal data of 25,000 or more consumers and derive a certain percentage of revenue from selling personal data.

These five states also all include exemptions for employee (personnel) data and for information transmitted from business to business.  (California eliminated its exemption for employee and B2B information in its most recent amendments.) These state laws also exempt financial institutions subject to the federal Gramm-Leach-Bliley Act of 1999 (“GLBA”) at the entity level.

State Attorneys General will be enforcing the new data privacy laws. California’s Attorney General warned companies, stating in a recent press release: “[m]y office is watching, and we will hold you accountable…there are no more excuses.” In August 2022, Sephora agreed to pay $1.2 million in penalties to settle a CCPA investigation with the California Attorney General for violations involving the use of third-party tracking software on Sephora’s website. Most recently, on January 27, 2023, the California Attorney General announced a new enforcement sweep targeting businesses with mobile apps, especially in the retail, travel, and food service industries, that do not comply with the CCPA and do not provide a way for customers to opt out of the sale of their personal data.

Businesses should be aware that each state’s law has its own nuances and should be specifically analyzed as to scope, requirements, enforcement, and potential penalties.

California

While the laws of all six states share similar goals for consumer protection, California’s law differs quite a bit from the other states’ laws. The California Privacy Rights Act (“CPRA”) amended the California Consumer Privacy Act (“CCPA”), which became effective in 2020 and included rights modeled after the GDPR.  Most of the provisions of the CPRA went into effect as of January 1, 2023, and they will become enforceable on July 1, 2023.  The recently finalized CCPA regulations will also go into effect in July 2023.

The new CCPA requirements include additional data mapping, tracking tools, and recordkeeping for businesses. Businesses are required to respond to consumers’ requests within 45 days, but may, upon notice and explanation to the consumer, take an additional 45 days. In addition, businesses will be required to perform a cybersecurity audit annually. California’s law also includes a threshold of at least $25 million in annual revenue for the law to apply to a business. Under the CCPA, unlike the laws of Colorado, Connecticut, Iowa, Utah, and Virginia, institutions that collect data under the GLBA are not exempt at the entity level; the CCPA only exempts specific information subject to the GLBA.

California has recently formed the California Privacy Protection Agency to serve as the enforcement agency for the CCPA. California will require risk assessments to be submitted to this agency. California’s law does not have a right-to-cure provision for alleged violations, so there is a potential for higher enforcement risk than in the other four states. California’s law also provides a private cause of action for those seeking damages from a failure to protect personal information, and it also provides a private right of action for unauthorized or illegal access, destruction, use, modification, or disclosure of unencrypted and unredacted data.

Colorado

Colorado’s law, the Colorado Privacy Act (“CPA”), will go into effect on July 1, 2023. Colorado’s law more closely tracks the provisions of the GDPR than the laws of Connecticut, Utah, and Virginia. Colorado’s law provides a 60-day right-to-cure period before a controller faces penalties. Colorado has also proposed regulations, which would become effective in July 2023 and, among other things, impose extensive recordkeeping requirements.

Colorado requires a DPIA before a controller conducts any “high risk” processing activities. The “high risk” category includes sensitive data, such as health data and children’s data. Additionally, a DPIA will be required for targeted advertising if the data processing may result in reasonably foreseeable risks. DPIAs will also be required for any sales of personal data.

The DPIAs must be provided to Colorado’s Attorney General upon request.

Businesses must respond to consumer requests for information within 45 days. Colorado’s law requires data minimization, so companies should only collect data reasonably necessary to achieve the purposes for which the data was provided. Colorado residents may appeal a controller’s determination related to their personal data if they disagree with a decision. The Colorado Attorney General and district attorneys will be responsible for enforcement of the law, and the maximum penalty ranges from $7,500 to $20,000 per violation. The law does not have a private right of action.

Connecticut

Connecticut’s law, the Connecticut Data Privacy Act (“CTDPA”), also goes into effect on July 1, 2023. Similar to Colorado’s law, Connecticut’s law requires DPIAs before any “high risk” data processing activities occur, including any processing of sensitive data, such as health, financial, or children’s data. DPIAs will be required for targeted advertising if the advertising could result in reasonably foreseeable risks. Connecticut’s law requires businesses to respond to consumer data requests within 45 days of receipt. Like Colorado, Connecticut mandates data minimization, so that companies may only process personal data reasonably necessary for the purpose for which the data was provided.

The Connecticut Attorney General is responsible for enforcement, and the law does not include a private right of action. There is a 60-day right-to-cure period for violations of the law, but if the Attorney General determines that it would not be possible to cure the violation, the law does not require any notice or opportunity to cure. The law provides for civil penalties in an enforcement action of up to $5,000 per violation.  For a more detailed analysis of the CTDPA, see Connecticut Becomes Fifth State to Pass Comprehensive Data Privacy Legislation – Hinckley Allen.

Iowa

Iowa most recently enacted consumer privacy legislation on March 28, 2023. The act takes effect on January 1, 2025, giving organizations 21 months to comply with its new requirements. Similar to the states outlined above, Iowa’s privacy law applies to entities that conduct business in Iowa or provide services or products that target consumers within the state.  This law is far more industry-friendly than the other states’ laws, in that it provides a 90-day cure period (discussed below), no private right of action, and broad exemptions for entities and data regulated by federal law such as the GLBA and the Children’s Online Privacy Protection Act.

Consumers in Iowa are provided with four main rights: the right to access, the right to delete, the right to obtain a copy of their data that is processed by a controller, and the right to opt out of the sale of their personal data. Businesses are required to respond to consumer requests within 90 days; however, they may extend that period to 45 days in extenuating circumstances. The Iowa law explicitly prohibits a private right of action; instead, the state attorney general has exclusive authority to enforce the law. Upon discovery of a potential violation, the attorney general must provide the controller or processor written notice and 90 days to cure the alleged violation before filing suit. The attorney general may seek an injunction or civil penalties of up to $7,500 per violation.

Utah

Utah’s law, the Utah Consumer Privacy Act (“UCPA”), will go into effect on December 31, 2023. Like California, Utah’s law also includes an annual revenue threshold of at least $25 million for the law to apply to controllers. However, unlike the other state laws, Utah’s law does not require DPIAs. The law limits processing to the purposes specified at the time of data collection, and consent is required before the data may be used for any purpose beyond the original one.

The UCPA does not provide consumers any right to appeal if a controller declines a consumer request. The Utah Attorney General is responsible for enforcement of Utah’s law, and its right-to-cure period for violations is only 30 days. The law does not have a private right of action.

Virginia

Virginia’s law, the Virginia Consumer Data Protection Act (“VCDPA”), went into effect on January 1, 2023. Similar to the other states, Virginia also requires DPIAs in advance of any processing activities deemed “high risk,” including processing of “sensitive data.” Virginia’s law also requires DPIAs to be completed for any targeted advertising if the processing may result in reasonably foreseeable risks once the processing activities are carried out. Businesses must provide these assessments to Virginia’s Attorney General upon request.

Businesses are required to respond to consumer requests within 45 days, and Virginia’s law provides a right to appeal for consumers who are not satisfied with a controller’s decision. Like the other states’ laws, Virginia’s law also requires businesses to only process the data necessary to achieve the purpose for which the information was provided. Virginia’s Attorney General will be responsible for enforcement in Virginia.

Best Practices

  • Businesses should determine whether any of these six state laws apply to their company. Reach out to your Hinckley Allen lawyer if you are unsure which state laws apply to your business. Wherever possible, businesses should consider complying with the most onerous requirements of any potentially applicable state law to ensure overall compliance.
  • Increasingly aggressive enforcement efforts by the FTC and new state privacy requirements mean that businesses must be able to demonstrate compliance with data minimization and privacy principles. The FTC has harshly criticized companies for failing to maintain data inventories, to follow specific data retention schedules, and to adhere to the principle of data minimization. Businesses should therefore, at a minimum, develop policies to ensure that they (1) maintain an inventory of the personal data they collect, use, and store on their network; (2) maintain records of the purpose for which each category of personal data is kept; and (3) minimize the amount of personal data retained by the organization.
  • Organizations should implement procedures to track individual consumer requests and maintain records of how such requests were handled for at least 24 months. The best way to avoid becoming a target of a federal or state data privacy investigation is to be able to demonstrate compliance through detailed recordkeeping showing that the organization’s data processing activities were lawful, legitimate, and necessary for the purpose for which the data was collected, and that it honored all consumer requests.
  • Businesses should keep records of all state-required data protection assessments and cybersecurity audits. If a state law applies to your business and requires DPIAs or cybersecurity audits, you should develop internal policies and procedures for recordkeeping of both DPIAs and cybersecurity audits.
  • If any de-identified personal data is shared with a third-party vendor, companies should update their contracts to ensure compliance with the new data privacy laws.
  • Implement training and confirm that your organization’s recordkeeping complies with the new data privacy requirements.
  • Organizations should remain aware that additional U.S. states may pass similar privacy laws in the near future. In January 2023 alone, Iowa, New Hampshire, Massachusetts, and Indiana all introduced comprehensive privacy bills, and within a span of three months Iowa passed its new privacy law. With the upcoming 2024 elections and widespread media coverage of threats to U.S. personal data by big tech companies such as TikTok, states and Congress may be fired up to take action.

Hinckley Allen lawyers are here to assist you in ensuring compliance with applicable state laws. Please call your Hinckley Allen lawyer if you would like our assistance with reviewing your company’s compliance with applicable U.S. state laws relating to data privacy.

[1] Colorado and Connecticut refer to this as a “data protection assessment,” but to avoid confusion with a data processing agreement, which is also abbreviated “DPA,” this bulletin refers to data protection assessments and data protection impact assessments synonymously as “DPIAs.”