Data Privacy Newsletter: Evolving USA Data Privacy Landscape – February 2023
2023 is a milestone year for data privacy law, with a surge in the number of data privacy regulations coming into force worldwide.
For instance, the Federal Trade Commission, USA (the “FTC”) has, for the first time, taken action against a popular telehealth and prescription drug provider for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to social media platforms.
We observe two key forces driving this change in the privacy landscape. First, consumers have become well informed about the rights they hold in relation to their personal data and are actively exercising those rights. Second, the new data privacy legislation has constituted effective and powerful supervisory authorities, which are imposing significant fines on companies for breaches of their obligations.
Currently, data privacy law in the United States of America (the “US”) is fragmented into state-specific and sector-specific statutes. The US federal government is in the process of considering national data privacy legislation. In the meantime, individual states have introduced state-specific data privacy frameworks to protect their residents’ personal data.
Privacy Laws in the United States of America
As of February 2023, five states have passed comprehensive data privacy laws and several others have bills in the pipeline. California passed its data privacy law in 2018 and amended it by ballot initiative in 2020. Virginia and Colorado passed their data privacy laws in 2021, followed by Utah and Connecticut in 2022.
California was the first state to enact a comprehensive data privacy law in the US, the California Consumer Privacy Act (the “CCPA”).
The CCPA was amended by the California Privacy Rights Act (the “CPRA”), which came into full force on January 1, 2023.
The CCPA, as amended by the CPRA, applies to for-profit businesses that collect personal information from California residents and determine the purposes and means of that collection, provided they meet at least one of the following thresholds: (i) annual gross revenue exceeding USD 25 million; (ii) buying, selling, or sharing the personal information of 100,000 or more consumers or households annually; or (iii) deriving 50% or more of annual revenue from selling or sharing consumers’ personal information. The law has extra-territorial reach: it applies to companies that do business in California even if they are located outside California.
The CCPA gave consumers the right to access and delete their personal information, the right to opt out of its sale, and the right not to be discriminated against for exercising these rights. The CPRA adds the right to correct inaccurate personal information and the right to limit the use and disclosure of sensitive personal information.
New Enforcement Authority
The CPRA introduces a data minimization principle: a business’s collection, use, retention, and sharing of personal information must be reasonably necessary and proportionate to the purposes for which it was collected. The CPRA also constitutes a new authority, the California Privacy Protection Agency (the “CPPA”), with a five-member board and the power to investigate violations and enforce the legislation. The CPPA shares enforcement with the California Attorney General, who retains civil enforcement authority.
Fines and Penalties
Companies violating their obligations under the CCPA may face a fine of up to $2,500 per violation, rising to $7,500 per violation for intentional violations.
The amended law also introduces a new and broad definition of sensitive personal information (“SPI”). SPI is subject to stringent disclosure and purpose-limitation requirements, recognizing the need for stronger safeguards for this category of data and allowing consumers to require businesses to limit the use of their SPI.
Virginia became the second state to enact a comprehensive data privacy law in 2021. The Virginia Consumer Data Protection Act (the “VCDPA”) became fully effective on January 1, 2023.
The VCDPA applies to businesses that conduct business in Virginia or produce products or services ‘targeted’ to Virginia residents and that, during a calendar year, either control or process the personal data of at least 100,000 Virginia residents, or control or process the personal data of at least 25,000 Virginia residents and derive more than 50% of their gross revenue from the sale of personal data. The statute does not define what “targeted” means. Like the CCPA, the VCDPA applies extra-territorially.
Impact on businesses
The VCDPA obliges companies to conduct data protection impact assessments before processing personal data for targeted advertising or sale, before processing sensitive data, and before any other processing that presents a heightened risk of harm to consumers. Separately, under Virginia’s personal data breach notification law, a breach of personal data must be notified to the affected consumers and the Attorney General, and where more than 1,000 people are notified at one time, to the national consumer reporting agencies as well.
The VCDPA confers several rights on consumers, including the right to confirm whether a controller is processing their personal data and to access that data, the right to delete, the right to correct inaccuracies, the right to data portability, and the right to opt out of targeted advertising, the sale of personal data, and profiling based on personal data.
Fines and Penalties
In case of a violation of obligations under the VCDPA, the Attorney General may, after giving the controller a 30-day period to cure the violation, seek civil penalties of up to $7,500 per violation and may also recover the expenses incurred in investigating the case.
The Colorado Privacy Act (the “CPA”) will be effective on July 1, 2023, making Colorado the third state (after California and Virginia) to pass a comprehensive privacy law to protect its residents.
The CPA applies to businesses that conduct business in Colorado or produce or deliver commercial products or services intentionally targeted to Colorado residents and that either control or process the personal data of 100,000 or more Colorado consumers in a calendar year, or derive revenue (or receive a discount on the price of goods or services) from the sale of personal data and control or process the personal data of 25,000 or more consumers.
The CPA grants consumers rights over their personal data, including the right to access, the right to correct, the right to delete, the right to portability, and the right to opt out of targeted advertising, the sale of personal data, and profiling.
The CPA also requires businesses to obtain opt-in consent before processing sensitive data and to implement reasonable security measures appropriate to the volume and nature of the personal data at issue.
Fines and Penalties
Violations of the CPA are treated as deceptive trade practices and can result in civil penalties of up to $20,000 per violation, with a total maximum penalty of $500,000 for a related series of violations.
In March 2022, Utah became the fourth state in the US to enact the Utah Consumer Privacy Act (the “UCPA”) which will take effect on December 31, 2023.
The UCPA applies to a business only if all three of the following criteria are met: (i) it conducts business in Utah or produces a product or service targeted to Utah residents; (ii) it has annual revenue of $25,000,000 or more; and (iii) during a calendar year it either controls or processes the personal data of 100,000 or more consumers, or derives over 50% of its gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more consumers.
Utah consumers have the right to access and delete their personal data, the right to portability, and the right to opt out of the processing of their personal data for targeted advertising or sale.
In contrast to the VCDPA and the CPA, the UCPA includes neither a right to opt out of profiling nor a right to correct inaccuracies in personal data.
Fines and penalties
The Attorney General is the enforcement authority and, after a 30-day cure period, may seek fines of up to US $7,500 per violation.
Connecticut is the fifth and most recent state to pass a comprehensive privacy law, “An Act Concerning Personal Data Privacy and Online Monitoring” (the “CTDPA”), which becomes fully effective on July 1, 2023.
The CTDPA applies to companies that conduct business in Connecticut or produce products or services targeted to Connecticut residents and that, during the preceding calendar year, either controlled or processed the personal data of at least 100,000 consumers, or controlled or processed the personal data of at least 25,000 consumers and derived more than 25% of gross revenue from the sale of personal data.
The CTDPA provides consumers with the right to access, the right to delete, the right to correct inaccuracies, the right to data portability, and the right to opt out of targeted advertising, the sale of personal data, and profiling based on personal data.
Fines and Penalties
Violations of the CTDPA are treated as unfair trade practices, and companies or individuals that violate the act may face penalties of up to $5,000 per willful violation. The Attorney General, who is the sole enforcement authority, may also seek injunctive relief, restitution, and/or disgorgement.
With each passing year, more states are enacting legislation to protect consumers, and businesses that collect, control, process, or share consumer data must regularly evaluate their privacy practices and compliance. Given the extra-territorial applicability of these laws, Indian companies serving US customers need to develop or enhance their privacy frameworks to mitigate the risks arising from non-compliance.