Corporate COffee Break: What Companies Should Do Now to Prepare for State Data Privacy Laws

Location

Webinar


Date & Time

Start Date: 11/14/2022
Start Time: 12:00 p.m. ET
End Time: 12:30 p.m. ET


New year, new state privacy laws. In 2023, Colorado, Connecticut, Utah, and Virginia will join California as their comprehensive data privacy laws come into effect. As with the California Consumer Privacy Act, which took effect in 2020, businesses that collect personal information from consumers in these states will need to understand the significant impact of these laws.

To minimize the burden and cost of compliance in the new year, there are steps companies should take now to be better prepared. In this quick Q&A style presentation, Andy Baer and Jeremy Garvey will discuss:

  • The highlights and key points of the new state laws

  • Applicability of the laws and how to determine which companies they will affect

  • The differences and similarities between the laws in each state

  • Practical steps companies should take to get a head start on compliance, such as creating a data map and updating commercial contracts


Transcript 

Jeremy Garvey:

Good afternoon. My name is Jeremy Garvey. I am a member of the Corporate Practice Group here at Cozen O’Connor. It’s my pleasure to welcome you to another Cozen O’Connor Corporate COffee Break. Just as a reminder, Cozen O’Connor Corporate COffee Break is a series meant to present quick, informative, and consumable programs on relevant corporate topics to our clients and friends of the firm. The format we’ve chosen is a quick-hitting Q&A format. So hopefully, it’s an easy way for folks to get the information. And the idea is to get folks up to speed and bring them current in a consumable way.


Jeremy Garvey:

Before I get into the intro of our guest, who I’m really excited to have today, there are a few housekeeping items that we usually go over. All participants will be in listen-only mode. That means, hopefully, you can hear us but we can’t hear you. We do want to hear from you, though, if you have questions and time permits. There is a Q&A chat pod at the bottom. If you want to put your question in that, we will try to answer it. If we can’t and time will not allow it, I will make sure that we get it to Andy and either Andy or someone on his team will try to get back to you via email. With that housekeeping, we couldn’t be more pleased today to do a really super timely and outstanding topic that is very interesting to me, and hopefully is of interest to everyone because of its high impact.


Jeremy Garvey:

Our topic today is what companies should be doing now to prepare for the state data privacy laws. What we are getting at is that there is a handful, a number of states that have presented a patchwork of state privacy laws, and this is a high-profile, high-stakes area, which is very complicated, and we want to get in to what folks can be doing now to prepare. With that said, our guest today is my partner Andy Baer, who is also a member of the Cozen O’Connor Corporate Practice Group, but Andy is the chair of Cozen O’Connor’s Technology, Privacy & Data Security Group. Andy focuses his practice on cutting-edge technology transactions on both the buy- and sell-side. He also represents and is involved in cloud computing, data privacy issues, security compliance, copyrights and trademarks, software transactions in the digital advertising ecosystem, transactions in the interactive marketing space, as well. His clients include Fortune 500 companies and startups and everything in between, such as financial institutions, cloud computing companies, digital interactive agencies, adtech companies, data brokers, online ad networks, mobile app developers, media monitors, international e-commerce companies, as well as many others.


Jeremy Garvey:

Andy is a lecturer at Wharton, public speaker, author, and blogger. Prior to coming to Cozen O’Connor, he co-founded Baer Crossey McDemus, which is a firm that combined with Cozen O’Connor. He previously was the chief legal officer of a life sciences technology company and technology/IP/privacy counsel for Advanta Corp. Andy has been a national contributor for several online and print publications on emergent issues of technology and cybersecurity law. He also has served as a faculty member for the PBI – the Pennsylvania Bar Institute – and other continuing legal education groups on subjects relating to internet and cloud computing law. Andy got his bachelor’s degree at Dartmouth and his law degree from the University of Chicago Law School.


Jeremy Garvey:

Andy, welcome. Thank you for joining us today. I think, let’s get right at it. If folks know, the reason we’re here is California, through the CPRA – the California Privacy Rights Act – Virginia, Colorado, Utah, and Connecticut are all implementing laws in 2023 in varying ways. But before we dig into what’s new, and it’s super confusing, and I know you can talk about this forever, but maybe just give a little level set of what the current landscape is before we get to this new series of laws, and give an overview of why this is super important for folks listening in today.


Andy Baer:

Sure, Jeremy. Let me say also it’s great to be here. I would describe the privacy landscape in the United States as fractured. There is no comprehensive federal privacy law in effect in the United States yet. And by comprehensive, I mean a law that covers basically all types of industries and all types of data. Contrast that with Europe, where you have since 2018 the General Data Protection Regulation, which is pretty much the leading gold standard in comprehensive privacy laws right now. In the United States, at the federal level you have sector-specific laws or laws applicable to certain types of information, so the Gramm-Leach-Bliley Act for consumer financial information, HIPAA for protected health information, and COPPA for personal information of children under 13. And then you have these various state laws, which we’re about to discuss, but there’s no overarching privacy framework. And why this is important is new state frameworks – as we’re about to explore – keep getting added. But as yet, there is no comprehensive federal law with preemptive powers. So, a lot of different compliance requirements for companies.


Jeremy Garvey:

Andy, that’s very helpful, and I commend you on taking what is a real mess and condensing it down to about 70 seconds. On the new state laws, we’ve got California, which is always sort of leading the way it seems. We’ve got Virginia, Colorado, Connecticut, and Utah. I know we’re going to dig deeper but maybe just as a quick overview, talk a little bit about effective dates and some of the high level things on the laws.


Andy Baer:

Sure, happy to. So, California Privacy Rights Act, which amends the existing California Consumer Privacy Act, takes effect on January 1, 2023. That’s a big date. Virginia and Colorado’s new privacy laws also take effect on January 1, 2023. Connecticut takes effect on July 1 – not January 1 – July 1, 2023, and Utah on December 31, 2023. As you suggested, Jeremy, California is a bit different. It imposes more stringent requirements. In addition, it creates a new enforcement agency, the California Privacy Protection Agency (CPPA), not to be confused with CCPA. There’s an alphabet soup here.


Andy Baer:

Generally, I would say all of these laws are comprehensive privacy laws in the general mode of GDPR and they aim to provide enhanced disclosures and rights for individual consumers. Additionally, in various ways, these laws require companies to balance and document the risks of processing activities to individuals versus the benefits of those processing activities to the company. California, as you said and as I already noted, is different from the other four. The other four state laws are roughly similar, although not identical.


Jeremy Garvey:

Andy, maybe the easiest way to do this – if there is an easy way – is to talk about some of the commonalities and then maybe some of the differences. So, could you run us through how these things are the same and then some of the more significant differences, and when I say significant, obviously there’s going to be nuances across the board but in order to give a quick view of the landscape, maybe hit what’s the same and what’s different.


Andy Baer:

Sure. Commonalities first – and I think we’re all stretching to find the commonalities because we want to see what we can replicate across various compliance regimes. So all of these laws have thresholds of applicability – what types of companies and what sizes of companies they apply to – because they don’t apply to everyone. There are some significant differences in what those thresholds of applicability are and we’ll get to that in a second. All of these laws, roughly like GDPR, have what I call data subject rights. They aim to provide consumers who are residents in these states with certain rights to empower them with knowledge about how their data is being collected, used, and disclosed to third parties, and certain rights to control those processing activities. So those core data subject rights that are common across all five of these laws include a right to know what data of an individual a company has, as well as the fact that a company has it. A right to access that data. All of these laws, except Utah, provide a right to correct inaccurate data. There’s also a right to delete data – a so-called right to be forgotten. A right to opt out of data sales, and some right to get a portable, machine-readable version of the data that you can take to another company.


Andy Baer:

Other areas of similarity or commonality include the following: all these laws have – thank goodness – exceptions for publicly available information. This exception for publicly available information will extend not only to government records but also records that consumers affirmatively make public, i.e., that they post online publicly without restricting to certain audiences. In addition, all of these laws in various ways aim to regulate profiling. That’s a word we’ve probably heard used a lot in the tech and privacy news recently. So roughly speaking, profiling is the automated use of personal data for purposes of evaluating, analyzing, or predicting the behavior or preferences of individuals. All of these laws, except Utah and California, have the right to opt out of profiling, and California’s CPRA asked the new agency, the CPPA, to scrutinize profiling and propose new regulations around it, and those regulations as of this date haven’t yet even been issued in draft form.


Andy Baer:

So now let’s look at the differences. So California, as I said, is more different from the other four state laws than they are from each other. The first area of difference in California is the threshold of applicability. California is the only law that is applicable to businesses that do business in California and have a certain amount of revenues, regardless of how many California residents’ pieces of information they have. So if you are doing business in California and have over $25 million in annual revenue, you are subject to CCPA and CPRA.


Andy Baer:

California is also unique in the definition of what’s the sale of personal data. In the other state laws, it’s basically what we would expect, an exchange of data for monetary consideration, but in California, it’s an exchange for any kind of valuable consideration. And so what that means is that the presence of certain types of third-party advertising, cookies, and what-not, on a business’s website can conceptually be interpreted as a sale.


Andy Baer:

California also will require companies to recognize a global opt-out browser signal, allowing users to opt out of sales or sharing of their data for cross-contextual behavioral advertising purposes. California’s exemption for Gramm-Leach-Bliley is a data-level exemption, not an entity-level exemption. The other four states give exemptions for entities that are subject to Gramm-Leach-Bliley Act regulating consumer financial privacy. In California, that’s an exemption just for the data itself.


Andy Baer:

California also gives a right to limit the use and disclosure of sensitive data. All of these states have a category of especially sensitive data with added requirements, but California will require you to include a link on your site to limit the use and disclosure of sensitive data.


Andy Baer:

Just a couple of other high-level notes about differences, California is the only one of these five state laws that has a private right of action, which applies to data breaches which result from a failure to use reasonable security measures. Virginia, Colorado, and Connecticut require an affirmative opt-in to process sensitive data. Utah requires clear notice of the processing and an opportunity to opt-out. California and Colorado are the only states that have implementing regulations – right now in draft form in both cases. And I should also, last but not least, mention that Utah is the most business-friendly of these five statutes in terms of their threshold of applicability: annual revenues of $25 million per year as well as processing the data of at least 100,000 Utah residents – Utah consumers. So both of those have to be met to be subject to Utah’s privacy law.


Jeremy Garvey:

Andy, that’s really helpful. We’ve got a couple of questions and you might knock a few of them out. But I know some places have regs, some don’t yet. Moving to what you’re telling folks on what they should be doing now to help prepare. I know things like there are thresholds. Obviously, can you do some mapping? Can you get rid of things maybe you don’t need that could be otherwise problematic? What are folks doing with service providers? Can you talk a little bit about the steps that folks – even though this isn’t fully baked yet – in all these jurisdictions, what people are thinking about to be prepared? Particularly when the first-of-the-year laws hit. Can you speak to those things a little bit?


Andy Baer:

Certainly. So, first of all, as you mentioned, cross off any laws where a company doesn’t meet the threshold of applicability. So, as I said, presently, California is the only state whose privacy law can apply on the basis of annual revenues alone – $25 million a year if you are doing business in California. The other four states’ privacy laws apply only if a covered entity controls or processes the personal information of at least 100,000 consumers in that state or meets some sort of numerical standard involving sales of personal information. You know, you sell personal information of “x” consumers in that state. So therefore, as a practical matter, many small and medium-sized businesses will be exempt. Getting back to the Gramm-Leach-Bliley Act, which I mentioned earlier, all of the new privacy laws, except California’s, also exempt financial institutions subject to Gramm-Leach-Bliley. So California’s is a data-level exemption. Everyone else’s is an entity-level exemption. So as a practical matter, many financial services businesses will be spared the headache of complying with multiplicative state requirements. There’s still an optics issue, however, for these businesses. They will still need to wrestle with the issue of whether to publish privacy notices that give greater privacy rights to Californians and to residents of other states. That’s a marketing issue, not a legal issue, but again something very important to consider.


Andy Baer:

Data mapping: step number two to prepare. So these new state privacy laws require companies to provide enhanced privacy disclosures about their data practices, the types of third parties to whom they disclose personal information; they require covered businesses to respond to requests by data subjects to exercise their rights regarding data held by business entities or their service providers, and to make those responses to data subjects within defined timeframes; and they also require companies to document the risks and benefits of high-risk data processing activities. So compliance with this smorgasbord of requirements assumes that a company can quickly access information about what types of data it’s processing, the sources of the data, the different processing activities performed on the data, the business purposes for which these processing activities are performed, where the data is stored, i.e., whether with the company itself or with a service provider, and which third parties have access to the personal data. So the process of gathering and centralizing this information – that’s what we call data mapping. And it’s an essential first step to address the new privacy requirements.


Andy Baer:

Let’s talk about also analyzing the data that a company has, confirming the business and operational purpose, and ceasing to collect, or purging, unnecessary data. So, we start from the idea that these new privacy laws apply to personal information that remains in a business’s possession or control, i.e., if you don’t have it or if what you have doesn’t meet the state’s definition of personal information, then you’re not subject to these laws and your compliance responsibilities are nonexistent under these laws. So, in my experience, too often companies retain personal information indefinitely, long after any legitimate business, audit, or legal purposes have lapsed. They hang on to this data because we might have a business purpose for it someday. And from an information security and privacy perspective, that’s really not the right way to think. That’s not privacy by design. So getting rid of unnecessary data simplifies the process of creating a data map and limits the number of data subject requests a company may have to honor under these laws.


Andy Baer:

CPRA has an obligation to disclose the retention period for certain types of data or, if that’s infeasible, to disclose the criteria that determines the retention period for various types of personal data. Obviously, if what you have isn’t personal data, your compliance obligations under that requirement are less. And also I should say that not holding on to data or not keeping it in the form of personal data, also reduces a company’s exposure to data breach-related costs and losses.


Andy Baer:

Now, you may find that a data set still provides some value but personal identifiers are not necessary. And if that’s the case, you can realize the benefits of holding on to the data by anonymizing the data so it’s no longer reasonably linkable or reasonably capable of identifying an individual, and that’s no longer personal information under these states’ laws.


Andy Baer:

Last but not least, in terms of preparation – Jeremy, you mentioned service provider contracts. So all of these new privacy laws impose requirements to contractually limit third parties’ usage of the personal information they receive in the course of providing services to covered businesses. So under the California CPRA and its draft regulations, these requirements are particularly rigorous – no surprise there – and failure to include the necessary contract language can result in a transfer of information to a service provider being deemed to be a sale. So you should really update your service provider contracts. Businesses that utilize service providers – and by this, it could be a cloud services provider, a web host, outsourcing company, data analytics company, whatever – companies that utilize service providers to process information on their behalf should consider adding a European-style data processing agreement or addendum – what we call a DPA – to their service contracts. And this would contain all the necessary restrictions imposed by these laws, limiting the service provider’s ability to use the data, basically, except to perform services for the covered business. And you can also flow down some other useful requirements to the service providers, like a requirement to honor data subject requests, such as to delete data, or to help out in the preparation of a data protection impact assessment. You know – in each case, as directed by the covered business.


Jeremy Garvey:

Andy, that’s great. We are getting some questions. So, hopefully, we’ll make a little time at the end, but if not, we’ll make sure we get you to folks. My hope and dream is that this would get simplified, right? Maybe yours too in some ways. But I know it may not get done. It may be even a longer shot. I know it depends on where some of the politics comes out. But maybe it makes sense, before we dig into some of the questions, to talk a little bit about the American Data Privacy and Protection Act that was the draft legislation kicking around, maybe a little bit about how is it similar to the state laws? What are the key differences? Are there provisions for the large data holders? If it does get passed or if something gets passed, is it going to be the panacea of federal preemption?


Jeremy Garvey:

I know this is a little bit harder – or may be easier today, I don’t know – chances for it to get passed. We can all dream. Is there something that could be federally implemented that could be helpful and maybe run through some of those things?


Andy Baer:

Yeah. Sure. I mean it could be, although prospects for its passage, especially since the election, are doubtful. I’ll get to that in a minute. So what you’re referring to, Jeremy, is the American Data Privacy and Protection Act, the ADPPA. That’s another alphabet soup. It is roughly similar to the state laws, other than California, in terms of the rights it gives data subjects. It does have a data minimization requirement like California. By data minimization, we mean collecting what’s only reasonably necessary and proportionate to a disclosed business purpose. It has a private right of action like California, but it’s broader.


Andy Baer:

In terms of differences, one key difference is the way the threshold of applicability is framed. So the scope of the law generally includes pretty much anyone who is subject to federal law and collects data, but small businesses are exempted from certain requirements: if you have less than $41 million in annual revenues or you collect the personal information of fewer than 200,000 individuals for purposes beyond completing transactions requested by those individuals. The draft language is a bit sloppy, so it’s a little bit unclear whether that’s an “and” or an “or.” There are special requirements for large data holders. I mean, in many ways this is a law targeted at big tech companies. A large data holder, or LDH, is defined as a company that has $250 million or more of annual gross revenues, data relating to 5 million or more individuals, and sensitive data relating to 200,000 or more individuals. There are certain exclusions from that.


Andy Baer:

LDHs – large data holders – would have certain disclosure and reporting requirements, which are not applicable to other companies. They would have to annually certify that they have internal controls in place to comply with the law and sufficient reporting structures. They would have to designate a qualified privacy officer reporting to the highest official of the company, and that privacy officer would interface with enforcement authorities. They would need to conduct privacy impact assessments biannually – again, weighing the benefits of processing the data against risks to the individual. Any large data holder that would use an algorithm to collect or transfer covered data would have to conduct an impact assessment to mitigate potential harms to individuals, especially with regard to protected characteristics like race and gender. And the current draft, in addition to a broad private right of action, does have preemption provisions, which is good. So it preempts the various other state laws that we have been discussing. But it’s not perfect. The preemption would only be partial. Numerous exemptions from preemption would include state consumer protection laws of general applicability, and most notably, Illinois’ Biometric Information Privacy Act, which is generating right now a huge wave of class action litigation.


Andy Baer:

In an attempt to appease California legislators, it would also be enforceable by the CPPA in California as well as federal authorities. And last but not least, what are the chances that this is actually going to get passed? Jeremy, I sounded a pessimistic note at the beginning of this discussion. Let me unpack that a little bit. I would say, especially after this election, less than fifty percent (50%). So the California legislators, led by Nancy Pelosi, are against it. California Attorney General Rob Bonta and nine other attorneys general are launching an effort to heavily revise the law, and the biggest objection by the Californians in Congress and the state attorneys general is the whole idea of federal preemption. They’ve worked hard on these state laws. They don’t want them to be blown out of the water, and they’re saying they want a new federal privacy law. They’re all in favor, but they want it to be a floor, not a ceiling. And for businesses, of course, that would be the worst of all possible worlds. Because what a floor, not a ceiling means is a new federal privacy regime that you would have to comply with in addition to all the state privacy laws. So right now with the Democrats holding the Senate, with Nancy Pelosi and the House against it, and Washington Senator Patty Murray also opposed to preemption, unfortunately, I think we’ve got some more work to do on the federal level.


Jeremy Garvey:

Andy, I want to commend you. You got through a lot of stuff – hard stuff – in a very straightforward way. We’re going to play speed round – see if you can knock out a number of these questions. First, this is a hard one or maybe an easy one. On the California side, there’s been no requirements or regulations released, so what should folks do to prepare, other than what you’ve said? And, maybe more importantly, any view on when something gets put out by California?


Andy Baer:

California has had several draft regulations subject to public comment. They’re not finalized yet. Big pieces of the California regulations are missing, particularly the regulations around profiling and algorithmic bias that I mentioned. I would say, look at the language of the law and read the regulations as best you can. California has also said that they understand this is confusing. They understand there aren’t finalized regulations out. What they’ve said, the CPPA, is they’re looking for a good faith attempt to comply. California has been, under CCPA, looking at privacy policies – public-facing privacy policies – to see if California language is there. Companies that offer loyalty and rewards programs that don’t seem to have the necessary disclosures, the attorney general has been sending demand letters to those. So I would just say with California, and all these other states, look like you’re doing something, particularly in your external-facing policies.


Jeremy Garvey:

Awesome. Andy, one question and then we got to wrap it up but we’ve got a couple more, so we’ll get these out and try to connect by email. And this may not be easy to do in the 30 seconds you have. Do these apply to nonprofits? Is there an easy way if you’re a not-for-profit to get out of them?


Andy Baer:

California doesn’t apply to nonprofits. That’s good. Off the top of my head, I believe that most of them also don’t apply to nonprofits. Although, I can’t say that all of them don’t. But certainly California is the most difficult one. And that doesn’t apply to nonprofits.


Jeremy Garvey:

We can certainly connect the question with you or your team, and if they have specific requirements, we’ll be happy to help out. Andy, thanks. Of the topics we’ve talked about, this one is pretty dense. It’s super important. Privacy and the federal system of state and federal regulation here – particularly given some industries have their own particular rules. Federally, it’s very complicated. This is not for the neophyte to go alone and do it, so you and your team are great at unpacking this and trying to give straightforward advice even when there is some ambiguity. So, thank you for taking the time. I know you’ve got a lot going on. I do want to thank everyone today for joining us, particularly Andy for helping put this together. Folks, when you log off, as typical, you will get an evaluation form. If you have a moment, we greatly appreciate you taking the time to give any feedback. It does help us shape these things going forward. And we try to get better as we move forward. If you submitted a Q&A and we didn’t get to it, the folks here will try to get it around to Andy and his team, and we will try to connect by email if that’s helpful to you. Again, a special thanks goes to Andy and his team. And if you need help with data privacy, security, or technology transactions, Andy and his folks are the best and very straightforward and user-friendly.


Jeremy Garvey:

On behalf of everyone here at Cozen O’Connor and Andy, I’d like to thank everyone for joining. Please stay safe and healthy. Have a good holiday. We will be back after the Thanksgiving holiday with the next installment, and we hope you enjoyed today’s COffee Break. Andy, thanks so much. Appreciate it.


Andy Baer:

Thank you, Jeremy. Thanks, everyone, for joining.


Attorneys

Andrew Baer

Chair, Technology, Privacy & Data Security

abaer@cozen.com

(215) 665-2185

Jeremiah G. Garvey

Co-Chair, Capital Markets & Securities

jgarvey@cozen.com

(412) 620-6570
