State-level momentum to enact data privacy laws is at an all-time high as the internet and new technologies continue to raise privacy questions. Family businesses of all sizes rely on technology and may be regulated by state data privacy laws. Below, we provide a brief overview of the comprehensive privacy laws across the United States. These laws take a comprehensive approach to governing the collection and use of personal data; industry-specific or narrowly scoped legislation is not included. We also briefly discuss the status of proposed privacy legislation in Oregon and Washington.
Five states—California, Virginia, Colorado, Utah, and Connecticut—have enacted comprehensive data privacy laws. These laws have several key provisions in common. They require certain businesses that collect personal data to do the following:
- Limit their uses of personal data, and
- Provide individuals with certain rights to understand and control how their personal data is used.
Although there are slight distinctions between the states, each law generally applies to for-profit businesses (and in some cases, nonprofit organizations) that collect, use, store, or process the personal data of residents in the state. Personal data refers to any information which is "linked or reasonably linkable" to an identified or identifiable person. For example, name, email address, telephone, credit card or personnel number, IP address, device ID and customer address are all personal data. While each state has a numeric threshold that entities must meet to be subject to the law (e.g., annually "processing" the personal data of a certain number of state residents), the broad definition of personal data means that a small or family business may find itself in scope for these laws.
Proposition 24, the California Privacy Rights Act (CPRA), amends the California Consumer Privacy Act (CCPA). The CCPA, which took effect in 2020, made California the first state to implement omnibus consumer privacy legislation. The CCPA established consumer rights to personal data and imposed obligations on businesses that collect and use personal data. A business falls within the jurisdictional scope of the CCPA if it:
- a) Had annual gross revenue above $25 million in the previous calendar year;
- b) Annually processes the personal data of 100,000 or more California residents or households; or
- c) Derives at least 50 percent of its annual revenue from selling (disclosing to a third party for monetary or other valuable consideration) or sharing (disclosing to a third party for targeted advertising) the personal data of California residents.
The CCPA as amended provides additional protections to California consumers, such as the right to correct inaccurate personal data, requirements that businesses engage in data minimization, and the right to receive notice from a business that uses sensitive personal data. Notably, the CCPA as amended expands the scope to include employment-related and business-to-business personal data. (It is the only state to currently apply its consumer privacy law to employment and business contact data.)
The CCPA grants consumers the right to opt out of certain disclosures of their data, categorized as "sales" or "sharing." A business cannot discriminate against consumers who choose to opt out. Businesses must undertake data governance practices, including adding specific provisions to their contracts with vendors and others who receive personal data. The CPRA also created the California Privacy Protection Agency to enforce the privacy laws and impose fines. This agency recently posted proposed rules to interpret the statute, offering greater clarification and specificity on compliance obligations. The amendments to the CCPA will take effect on January 1, 2023.
For a more in-depth discussion of the CCPA, as amended by the CPRA, we offer this DWT article. In a separate DWT article, we analyzed the preliminary proposed regulations posted by the California Privacy Protection Agency.
Virginia's Consumer Data Protection Act (VCDPA) applies to businesses that conduct business in Virginia or offer products or services targeted to Virginia residents and that either:
- a) Control or process personal data of at least 100,000 Virginia residents ("consumers") or
- b) Derive over 50 percent of gross revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.
It provides consumers rights similar to those under the CCPA, with several key distinctions. For example, the VCDPA imposes a more expansive obligation for processing sensitive personal data (including data revealing race and ethnicity, health or medical information, children's data, and biometric data, among others) than the CCPA by requiring opt-in consent before such data is processed. The VCDPA also requires businesses to engage in data governance and other internal practices, including risk assessments that analyze certain higher-risk data processing activities. The effective date of the VCDPA is January 1, 2023.
We recommend this DWT article to learn more about the VCDPA.
The Colorado Privacy Act (CPA) provides Colorado residents ("consumers") rights to privacy similar to those in the CCPA. It applies to businesses and nonprofits that target Colorado residents and process personal data of at least 100,000 consumers per year or obtain revenue from the sale of personal data and process the data of at least 25,000 consumers. Like the VCDPA, covered businesses and organizations are required to undertake certain data governance activities (including risk assessments), engage in transparency, and honor consumer rights requests. The effective date for CPA is July 1, 2023, and the Colorado Attorney General will promulgate rules that offer additional clarification and requirements for in-scope entities.
To learn more about how the Colorado, Virginia, and California privacy laws differ, please see this article.
Utah's Consumer Privacy Act (UCPA) applies to for-profit entities that:
- a) Conduct business in Utah or target products and services to consumers who are residents of the state,
- b) Have annual revenues of at least $25 million, and
- c) Meet one of the following requirements:
- Annually control or process the personal data of 100,000 or more Utah residents; or
- Derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of 25,000 or more consumers.
Utah residents ("consumers") have similar rights to their personal data as in other states. While the VCDPA and CPA require that consumers affirmatively opt-in to the processing of their sensitive data, the UCPA requires controllers of personal data to notify the consumers and give them an opportunity to opt out prior to processing their sensitive data. Data governance and contracting requirements are generally similar to other states.
The UCPA goes into effect on December 31, 2023. We recommend reading this DWT article for an in-depth analysis of UCPA, including a summary of differences from other state laws.
Connecticut recently passed the Connecticut Data Privacy Act (CTDPA), making it the fifth state to pass a comprehensive consumer privacy law. The CTDPA applies to for-profit entities that:
- a) Process the personal data of at least 100,000 consumers or
- b) Process the personal data of at least 25,000 consumers and derive more than 25 percent of gross revenue from the sale of personal data.
Like other state privacy laws, the CTDPA provides consumers the rights of notice, access, portability, correction, and erasure, and requires businesses to undertake certain data governance activities. It takes effect on July 1, 2023.
To learn more about how the CTDPA is similar to and different from other state privacy laws, please see this article.
State Privacy Laws in Oregon and Washington
Neither Oregon nor Washington has a comprehensive privacy law. However, both states have data breach and data security laws that require businesses to safeguard consumers' personal data. The Oregon Identity Theft Protection Act, for example, requires businesses to develop, implement, and maintain reasonable safeguards to ensure the security, confidentiality, and integrity of personal data. Oregon's Trade Practices and Antitrust Regulation also addresses consumers' privacy terms and rights. Likewise, Washington law requires businesses, individuals, and public agencies to notify any Washington resident who is at risk of harm because of a data breach that compromises the security, confidentiality, or integrity of that resident's personal data.
Both states have considered comprehensive consumer privacy legislation in recent legislative sessions, but these actions failed to advance. We expect privacy will continue to be a legislative focus in upcoming years in Washington and Oregon, as well as several other states.
We anticipate that 2023 will be a major year for state privacy, as five states' laws (or their amendments) will come into effect. Family businesses may find that their data practices bring them into scope for a number of these laws, even in states where they do not have a physical presence.
Moreover, momentum around privacy legislation shows no signs of slowing. Several other states currently have a comprehensive privacy bill in the legislative process, and Congress is considering bipartisan comprehensive federal privacy legislation. Given the changing landscape of data privacy legislation, it is important for family businesses to stay informed regarding consumer rights and business obligations.