This 'Data Privacy US Digest' identifies major legislative developments in the area of personal data privacy law in the United States for the first quarter of 2023.

With growing awareness of the importance of protecting one's privacy, there has been a boom in personal data protection laws globally. Innumerable countries have introduced new data privacy laws or undertaken a complete revamp of their existing legislation to match the new universal data privacy standards.

US state and federal law-makers have also been steadfast in their legislative process, with a number of laws being proposed at both levels. 2023, however, is the year in which five state consumer data privacy laws enter into effect. This Data Privacy US Digest summarises the current framework of data protection in US states.

Upcoming features of this Round-Up will also cover updates from other regions of the world in the sphere of data privacy.

1. Comprehensive State Data Protection Legislations

[Figure: Laws in Effect and Upcoming Laws]

VIRGINIA & UTAH

On January 1, 2023, the Virginia Consumer Data Protection Act (VCDPA) and the California Privacy Rights Act (CPRA) took effect. While the VCDPA is a brand new law, the CPRA amended the existing California Consumer Privacy Act to better safeguard the rights of the consumers in California.

CONNECTICUT, COLORADO & UTAH

  1. Connecticut Data Privacy Act, taking effect on July 1, 2023;
  2. Colorado Privacy Act, taking effect on July 1, 2023; and
  3. Utah Consumer Privacy Act, taking effect on December 31, 2023.

IOWA & INDIANA

Recently, Iowa and Indiana have become the sixth and the seventh US states to pass comprehensive data protection legislation.

Companies that operate within these states and target their consumers, process their personal data, and meet their individual numeric thresholds are to comply with the following key requirements, among others:

  1. Providing a privacy notice to consumers to disclose processing activities, including a clear description of targeted advertising or sale of data, if any.
  2. Obtaining consumers' consent prior to processing of sensitive personal data, sale of data, targeted advertising, and profiling, and obtaining the legal guardians' consent prior to processing sensitive data of a known child.
  3. Complying with consumer requests to access, obtain a copy of, or delete their data, and requests to confirm whether an individual's data is being processed.
  4. Providing an option to opt out of processing of sensitive data, sale of data and targeted advertising.
  5. Implementing technical and organizational measures to protect the data.

While the basic legal regime being established by all the state laws is similar, there are a few stark differences that can be observed in each law. They are as follows:

  • Universal Opt-out Requests: The requirement to comply with universal opt-out requests from sale of data and targeted advertising exists only in California and Colorado.
  • Data Protection Impact Assessment: Conducting a Data Protection Impact Assessment is not a mandatory requirement in Utah and Iowa.
  • Violation Cure Period: A cure period prior to imposition of penalties for violation is not available in California. Additionally, this safe harbour is available in Colorado only until January 1, 2025.
  • Right against Automated Decision Making: Consumers do not have the right against automated decision-making, including profiling, in Utah and Iowa.

Iowa's Consumer Data Protection Act enters into effect on January 1, 2025, whereas Indiana's Consumer Data Protection Act enters into effect on January 1, 2026.

2. Finalization of Implementing Rules for Data Privacy Legislations

In Colorado and California, in addition to the primary legislations, their implementing regulations have also been finalized.

COLORADO

The Colorado Privacy Act Rules ('CPA Rules') were finalized after multiple revisions, having been in the pipeline since October 2022. They enter into effect on July 1, 2023, along with the base legislation. The CPA Rules provide the controls and procedures for the following provisions:

  1. Disclosures to consumers;
  2. Mechanism to comply with and respond to consumer personal data requests;
  3. The universal opt-out mechanism;
  4. Fulfilling duties of controllers;
  5. Adhering to the consent requirements;
  6. Data protection assessments; and
  7. Profiling and its opt-out methods.

Colorado's universal opt-out mechanism is a unique procedure by which consumers may exercise their right to opt out of the processing for purposes of targeted advertising or the sale of personal data. It provides individuals with a simple and easy-to-use method by which they can automatically exercise their opt-out rights with all controllers they interact with, without having to make individualized requests with each controller.


CALIFORNIA

The California Privacy Rights Act Rules ('CPRA Rules') amend the existing California Consumer Privacy Act Rules and align them with the corresponding updates within the CPRA, which recently became effective.

The CPRA Rules introduce updated procedures for various aspects of the California data protection regime, such as procedures to make disclosures to consumers, obtain consumers' consent, and enter into agreements with third parties, as well as the contents of the privacy policy. Like the CPA Rules, the CPRA Rules also provide for a universal opt-out option from the sale or sharing of personal information, known as the "opt-out preference signal". The CPRA Rules were published on March 29, 2023, and became effective on the date of their publication.

KEY INSIGHTS

In light of these fundamental developments, companies must prepare themselves for the upcoming legislative changes. Every company must consider the following:

  • CONSENT MANAGEMENT MECHANISM
    Establish a consent management mechanism to obtain the consumers' clear, affirmative, and unambiguous consent while also adhering to the opt-out requests, if any.
  • DATA PRIVACY POLICY
    Review and update their data privacy policy to establish a comprehensive internal policy which incorporates the regulatory requirements and adapts to dynamic changes.
  • EMPLOYEE TRAINING
    Conduct periodic training for staff to familiarize them with the data privacy laws and internal policy.
  • DATA BREACH NOTIFICATION
    Set up a channel to notify the supervisory authority of data breaches, if any, in a timely manner.

It is pertinent to note that numerous US states have introduced data privacy bills into their respective state legislatures. States such as New York, Tennessee, Oklahoma, Kentucky, Mississippi, Montana, Texas, Florida, and Hawaii, among others, are actively deliberating upon the texts of their laws.

In addition, a federal-level US consumer data privacy law is also at the proposal stage. This upward trend towards state-level privacy laws indicates a growing recognition of the need for stronger data protection measures, and it will be interesting to see how these laws evolve and are enforced in the coming years.
