Overview of State Privacy Laws
Beginning in 2023, the United States will see the enforcement of five different state data privacy laws. California no longer stands alone on data privacy, and this new patchwork of laws will pose new challenges to most American businesses as they work out how to comply with the regulations while meeting consumer privacy expectations.
Comprehensive Consumer Data Privacy Laws
It’s worth noting that in the following section, the max fine listed is only the monetary penalty. The enforcement bodies can impose additional remedies, including, but not limited to, injunctive relief, restitution, and disgorgement. Enforcement actions often end in settlements that impose a fine together with multiple corrective-measure requirements, and those requirements have effects well beyond the initial monetary loss.
Virginia Consumer Data Protection Act
Enforcement Date: 1/1/23
Enforcement Authority: Virginia Attorney General
Notice to Cure Timeline: 30 Days
Max Fine: Up to $7,500 per violation
The State of Virginia requires Data Protection Assessments to be conducted on high-risk activities such as Targeted Advertising. It also has clauses around data minimization practices, computer security processes, and special rules for de-identified data use.
Notably, Virginia also requires a formalized appeal process regarding Data Subject Access Requests, which would allow a consumer to challenge a decision rendered by the business regarding exercising one of their rights granted under the law.
The Colorado Privacy Act
Enforcement Date: 7/1/23
Enforcement Authority: Colorado Attorney General, Colorado District Attorneys
Notice to Cure Timeline: 60 Days (Sunsets in 2025)
Max Fine: Up to $20,000 per violation
The State of Colorado is still in the process of rulemaking, but looks set to have one of the most comprehensive slates of requirements for Data Protection Assessments so far. The state also looks ready to impose more stringent requirements around valid consent than most other states have passed.
Colorado has extensive documentation requirements around data collection and use, as well as a pending requirement to honor a Universal Preference Signal, which will introduce new challenges for organizations subject to the Colorado Privacy Act.
Connecticut Data Privacy Act
Enforcement Date: 7/1/23
Enforcement Authority: Connecticut Attorney General
Notice to Cure Timeline: 60 Days (Sunsets in 2024)
Max Fine: Up to $5,000 per violation
Connecticut sits in the middle of the five states when it comes to the strictness of its law. It does have extensive consumer protections, though not as far-reaching as those of Colorado and California. It is business-friendly to a degree, but to a different extent than Virginia and Utah.
The law takes a strict view of what valid consent looks like, and defines it more specifically than several other states do. Like Virginia, Connecticut also has specific rules around the use of de-identified data. Notably, businesses will need to give consumers a way to revoke consent that is as easy as the way consent was granted in the first place.
Like Colorado and California, Connecticut will introduce requirements for a Universal Preference Signal over the next few years.
Utah Consumer Privacy Act
Enforcement Date: 12/31/23
Enforcement Authority: Utah Attorney General
Notice to Cure Timeline: 30 Days
Max Fine: Up to $7,500 per violation
Largely based on the Virginia law, the Utah Consumer Privacy Act is narrower in scope due to multiple threshold requirements and numerous exemptions. However, Utah carries many of the same compliance considerations as the Virginia law, including most of the consumer rights and the rules around de-identified data and transparency.
Data privacy FAQ
How do digital privacy laws in the U.S. differ from those in Europe?
Critically, the state laws do not apply nationally and are restricted to consumers and businesses who operate in or with residents of the state. This means some areas of the country, such as California, have robust data protection rights, while others have none. This patchwork of laws will cause new compliance difficulties for businesses that operate in several states.
Furthermore, the laws take the stance of ‘Opt-Out’ of data processing activities, in contrast to Europe’s General Data Protection Regulation, which is ‘Opt-In’ to data collection and processing of personal data.
The US state laws tend to cover data not already protected by federal standards such as HIPAA or COPPA. This may mean different protections apply to a data set, depending on the specific data in question. As a result, enforcement can be split between the states, the Federal Trade Commission, the Department of Health and Human Services, and several other agencies. This can slow enforcement activities and confuse consumers about which data is protected by which standards and who can bring suit for enforcement.
Lastly, we have seen a willingness by American authorities to conduct data privacy enforcement sweeps and, in general, take a much more proactive stance to enforcement. This subjects American businesses to increased risk of enforcement action, since these may occur without being prompted by a formal consumer complaint.
What are the primary objectives of U.S. federal and state privacy laws?
Most of the laws are looking to fill the gaps left by the largely sectoral nature of privacy regulation in the United States in order to protect consumers. Predominantly, the laws expand the scope of what is considered a deceptive trade practice and ensure businesses act in the manner they disclose to their customers. Newer laws are also beginning to consider rules around mechanisms that interfere with consumer choice, such as rules against using dark patterns.
What are the consequences of violating U.S. state privacy laws?
Most state privacy laws operate under deceptive trade practice laws in terms of their charges and fine structures. At the time of writing, fines can be as low as $2,500 per violation in California and as high as $20,000 per violation in Colorado. The rest fall somewhere in between.
In addition to the financial penalties incurred by non-compliance, the state enforcers often subject the business to a consent decree as part of a settlement that restricts how a business operates and can place additional requirements on them, such as mandatory transparency reports, external auditing, and the like.
If the data is covered under federal law, the fines can be higher and can sometimes even include jail time for those breaking the law.
Is your business at risk?
If your company operates or has customers in any of the five states with digital privacy laws, you may be at risk of non-compliance. These new laws and regulations may impact your business in multiple ways, ranging from required training for front-line employees to strict documentation requirements.
Knowing this, we feel it’s essential to get out in front of compliance activities so that you can complete them on your timeline, rather than one imposed by enforcement action. There’s no need to panic or struggle alone. We’re here to help.