DATA PRIVACY LAWS – WHAT’S NEW IN 2023?

In 2018, the European Union (“EU”) enacted the General Data Protection Regulation (“GDPR”), vastly altering the landscape of data privacy laws.  With its broad scope and potentially hefty fines for non-compliance, the GDPR called for widespread change to the way data was collected, stored, transmitted, and secured.  Shortly after, California passed the first major data privacy law in the United States – the California Consumer Privacy Act, which became effective January 1, 2020, providing California consumers with rights to the data that relates to them.  Although many federal privacy laws have been proposed, there is currently no comprehensive federal privacy law in the US. Rather, the US remains dominated by state and business sector (e.g., HIPAA) data protection laws.  While all states have data breach laws, there are currently five states that have data privacy laws either in effect or which will go into effect in 2023:

  1. California
    1. California Consumer Privacy Act (“CCPA”)
    2. California Privacy Rights Act (“CPRA”)
  2. Colorado
    1. Colorado Privacy Act
  3. Connecticut
    1. Connecticut Data Privacy Act
  4. Virginia
    1. Virginia Consumer Data Protection Act
  5. Utah
    1. Utah Consumer Privacy Act

The CCPA provides California consumers the Right of Access, which is “the right for a consumer to access from a business/data controller the information or categories of information collected about a consumer, the information or categories of information shared with third parties, or the specific third parties or categories of third parties to which the information was shared; or, some combination of similar information,” the Right of Deletion, which is “the right for a consumer to request deletion of personal information about the consumer under certain conditions,” the Right of Portability, which is “the right for a consumer to request personal information about the consumer be disclosed in a common file format,” and the Right to Opt-Out of Sales, which is “the right for a consumer to opt out of the sale of personal information about the consumer to third parties.”  All formal data privacy laws provide for these rights to consumers in the states in which the law has been enacted.

The CPRA, which will be fully operative beginning January 1, 2023, with enforcement commencing 6 months later, is a rigorous and all-encompassing privacy protection bill for California consumers which supplements the CCPA.  Along with all the same privacy rights as the CCPA, the CPRA also gives California consumers additional rights such as the Right of Rectification, which is “the right for a consumer to request that incorrect or outdated personal information be corrected but not deleted,” the Right Against Automated Decision Making, which is “a prohibition against a business making decisions about a consumer based solely on an automated process without human input,” and the Right of Restriction, which is the right for a consumer to restrict a business’s ability to process personal—and in only California’s case, sensitive—information about the consumer.  Furthermore, under either statute, California consumers have a limited Private Right of Action for certain violations, under which a consumer may seek civil damages from a business for violations of the statute.  For more information about the CCPA and the CPRA, see California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act of 2020 (“CPRA”) (effective January 1, 2023).

The Virginia Consumer Data Protection Act, which will also become effective January 1, 2023, along with similar, but not identical, privacy rights as the CCPA, will provide Virginia consumers (a group more narrowly defined than under the CCPA) a Right of Rectification, a form of Right Against Automated Decision Making which provides a right to opt out of certain automated decision making, and a form of Right of Restriction with “the right to opt-out of processing for profiling/targeted advertising purposes.”  The Colorado Privacy Act and the Connecticut Data Privacy Act, which become effective on July 1, 2023, provide the respective Colorado and Connecticut consumers with similar privacy protections.  The Utah Consumer Privacy Act, which will become effective on December 31, 2023, along with similar privacy protections as the CCPA, will provide Utah consumers with a form of Right of Restriction with “the right to opt-out of processing for profiling/targeted advertising purposes.”

Click on this link to view a table providing an overview of the upcoming data privacy law changes.

Importantly, each of the above-referenced data privacy laws has its own standard of applicability – generally based upon the number of residents (i.e., the laws generally only apply to data collected from the individual state at issue) whose personal data is obtained/collected, the purpose for which the data is obtained, and what the data is used for.

Businesses need to be aware of the data they collect and of the location and number (quantity) of the consumers whose data they collect, and need to have proper processes and procedures in place to determine the applicability of the various data privacy laws and, where applicable, the ability to comply.  For more information on compliance, please contact Michael J. Feldman, Esq. (908-964-2486).