Our Cybersecurity & Data Privacy team advises businesses on proactively defending and mitigating the risks of cyber and information incidents that potentially may arise from a variety of threat vectors. The accomplished group has vast experience counseling clients regarding cybersecurity and data privacy matters. Among our attorneys are counselors who are designated Certified Information Privacy Professionals (CIPPs/U.S.) by the International Association of Privacy Professionals. This standard indicates that they have a comprehensive understanding of U.S. privacy and security laws, regulations and requirements and experience in strategically guiding companies in related matters.
Across all industries, from start-ups to Fortune 500 companies, we have extensive experience assisting clients with the development and administration of internal cyber policies that comply with late-breaking state privacy laws. We guide clients on potentially crippling ransomware attacks and data breach responses, unauthorized disclosure of information resulting from the loss or theft of electronic devices, transaction due diligence, litigation arising out of cybersecurity matters, data mapping and mining, supply chain management and comprehensive knowledge management.
Working alongside the Intellectual Property and Commercial & Technology Transactions teams, we collaborate to counsel organizations on using knowledge management and information governance to develop strategic competitive advantages. With state-of-the-art counseling, we provide advice for effectively managing and leveraging data assets. Our clients attain and maintain compliance with regulations and also discover meaningful insights and intelligence to make tactical refinements and adjustments that put distance between themselves and competitors. We guide organizations in establishing interdisciplinary cybersecurity and data privacy management programs that pull together disparate organizational facets, including privacy compliance, standards of care, risk management, human resources and information technology. These programs use a revise-and-update-by-design methodology to keep pace with the changing threat environment and mitigation standards.
UPDATED: September 25, 2023
A slew of data privacy laws set to take effect over the next several years poses new challenges for companies, from provisions around individuals’ rights regarding personal information processed about them to data protection and controls requirements.
NGE attorneys David Wheeler and Alfred Tam outline some of the key elements of these state laws for companies operating in those jurisdictions. Here’s what organizations need to know to stay abreast of the nuances, meet compliance requirements and avoid penalties for violations.
Best Practices for Data Privacy Compliance
- Undertake data protection impact assessments, which are common to several U.S. state laws, including those of California, Colorado and Virginia. These assessments should identify the purpose of the data processing, who the data subjects are, why the company has their data, and with whom the company shares that data. From there, you can understand and minimize risk.
- Ensure you publish adequate consumer notices and privacy policies accessible to consumers on your websites.
- Only collect the minimum amount of data needed and delete that data as soon as it is no longer needed.
- Conduct website analyses to ensure they are not using “dark patterns”—design interfaces deliberately intended to mislead consumers into making harmful choices.
- Time is of the essence. California, Colorado, and Connecticut began enforcing their respective laws on July 1, so companies in those jurisdictions should take steps toward compliance if they have not done so.
The California Privacy Rights Act (CPRA) went into effect on Jan. 1, 2023, and expanded upon the rights afforded consumers under the California Consumer Privacy Act (CCPA), which took effect in 2020.
The CPRA allows consumers to correct inaccurate data that companies may be collecting and storing. The updated law also establishes a sensitive personal information category, which means that companies must take extra care when processing certain types of consumer information, such as:
- Government identification numbers
- Financial information, such as debit or credit card information
- Race, religion and union membership
- Sexual orientation.
Both the CCPA and CPRA require a Data Processing Addendum (DPA) – a written agreement between a business and service provider – but the CPRA included new requirements. To meet CPRA standards in a DPA, the service provider must:
- Specify that consumers’ personal information is sold or disclosed for limited purposes
- Provide CPRA-level of privacy protection and comply with CPRA obligations
- Use personal information consistently with the business’s CPRA obligations
- Notify the business if the service provider no longer meets its CPRA obligations
- Stop and remediate unauthorized use of personal information.
The CPRA also established the California Privacy Protection Agency (CPPA), which has the power to make rules, investigate companies and enforce the CPRA.
Established in 2020, the agency ended the CCPA’s cure period – the time authorities allow companies to fix potential violations before initiating enforcement – on Jan. 1, 2023. The agency also removed the law’s human resources data exemption and now requires companies to conduct and submit regular risk assessments.
The CPRA also includes a limited private right of action – the only state privacy law to do so – which allows consumers to sue companies that fail to protect their data.
The Colorado Privacy Act (CPA) is effective on Jul. 1, 2023, though its cure period does not end until Jan. 1, 2025.
Like Virginia’s law, the CPA does not apply to individuals acting in an employment or commercial context, nor to job applicants. Colorado’s law does not provide consumers with a private right of action, though penalties will be governed by the Colorado Consumer Protection Act, under which violations could cost a company between $2,000 and $20,000.
The CPA also requires businesses and service providers to implement DPAs. In these agreements, the data processor must allow consumers to object to having subcontractors process their data, and also must conduct independent audits at least annually. All parties must follow appropriate security measures and clearly assign responsibilities.
The Connecticut Data Privacy Act (CTDPA) also goes into effect on Jul. 1, 2023, and excludes individuals working in an employment context.
But unlike other state laws, the CTDPA explicitly exempts personal data processed only for payment, such as transactions conducted by restaurants and convenience stores.
The CTDPA does not include a private right of action, but the law will pursue violations under the Connecticut Unfair Trade Practices Act, and companies could pay up to $5,000 per violation.
The Delaware Personal Data Privacy Act (DPDPA) is effective on January 1, 2025. While largely consistent with other state privacy laws, the DPDPA contains no general revenue threshold and applies to entities that in the prior 12 months either:
- controlled or processed personal data belonging to at least 35,000 Delaware residents, or
- controlled or processed personal data of at least 10,000 Delaware residents and obtained more than twenty percent of gross revenue from the sale of such data.
Notably, while other states have included protections for minors under age sixteen, Delaware becomes the first state to expand protection for minors to those under the age of eighteen, prohibiting businesses from processing personal data for targeted advertising and from selling personal data without consent where the consumer is at least thirteen and younger than eighteen.
Additionally, the DPDPA expands the definition of “sensitive data” beyond that which appears in other state privacy laws to include status as transgender or nonbinary and expressly includes pregnancy under the category of physical health conditions. The law also prohibits the processing of sensitive data without the consumer’s consent.
The DPDPA does not contain a private right of action but does give enforcement authority to the Delaware Department of Justice, with penalties up to $10,000 per violation. For one year after taking effect, the Delaware DOJ must give notice of a violation and provide an opportunity to correct within 60 days of receipt.
Companies will have several years to prepare for the Indiana Consumer Data Protection Act (ICDPA), which does not go into effect until Jan. 1, 2026.
This law closely mirrors Iowa’s privacy law, requiring companies to disclose targeted advertising and provide a clear opt-out function for consumers. The ICDPA does not allow a private right of action, but grants the state attorney general the power to initiate civil proceedings to enforce violations.
Passed earlier this year, the Iowa Consumer Data Protection Act (ICDPA) will go into effect on Jan. 1, 2025.
Under this law, companies must clearly disclose targeted advertising and provide consumers with a way to opt out of it.
Like some other state laws, the Iowa legislation does not allow consumers to correct inaccuracies or sue for violations. The state attorney general will have the power to bring civil actions against companies, with penalties of up to $7,500. The state will direct fines assessed against companies into Iowa’s consumer education and litigation fund.
Passed earlier this year, the Montana Consumer Data Privacy Act (MTCDPA) will go into effect on Oct. 1, 2024.
This law is like Connecticut’s privacy law in several respects, including by requiring businesses to recognize universal mechanisms for opting out of sales of personal data and targeted advertising and permitting a consumer to request deletion of all personal data in the possession of a business, as opposed to just personal data collected directly from the consumer.
Like most other state data privacy laws, the MTCDPA includes an exemption for employee data.
There is no private right of action given to consumers for violations of the MTCDPA. The state attorney general will have exclusive authority to enforce violations. There is a mandated 60-day cure period that the Montana attorney general must afford businesses to cure any violations of which they are notified, but this cure provision expires on April 1, 2026 (18 months after the law becomes effective).
Oregon became the 11th state to enact a state data privacy law with the Oregon Consumer Privacy Act (OCPA), which will go into effect on Jul. 1, 2024.
In addition to other consumer rights provided by other state data privacy laws, the OCPA also provides consumers the right to request the specific third parties to which a business has disclosed their personal data, as opposed to just the categories of third parties.
The state attorney general has exclusive enforcement authority for violations of the OCPA, with the power to impose civil penalties of up to $7,500 per violation.
Effective Jul. 1, 2024, the Tennessee Information Protection Act (TIPA) includes a safe harbor provision absent in most state privacy laws.
The TIPA allows companies that have a documented privacy program in place to pursue an affirmative defense against enforcement. Companies’ privacy programs must align with the National Institute of Standards and Technology’s privacy framework to qualify for the affirmative defense.
The law does not grant consumers a private right of action, but Tennessee’s attorney general can initiate civil proceedings for violations, with penalties of up to $7,500.
The Texas Data Privacy and Security Act (TDPSA) will go into effect on Jul. 1, 2024.
One of the unique aspects of the TDPSA is the absence of the specific monetary or processing thresholds for applicability that are present in all other state data privacy laws. Instead, the TDPSA applies to any business that conducts business in the state or generates products or services consumed by state residents, processes or engages in the sale of personal data, and does not qualify as a “small business” as defined by the U.S. Small Business Administration.
There is no private right of action, and the state attorney general has exclusive enforcement authority and may levy civil penalties of up to $7,500 per violation. However, the law includes a non-sunsetting 30-day cure period that must be provided to businesses before any enforcement action can be brought.
The Utah Consumer Privacy Act (UCPA) is considered the most business-friendly of the new state laws and will be the easiest for companies to comply with.
Under the UCPA, consumers have the right to access their personal data a company is processing, delete the personal data they provided to the processor, obtain a copy of their personal data in transferable format and opt out of certain processing activities.
The law goes into effect on Dec. 31, 2023. It does not include a private right of action, nor does it allow consumers to correct inaccuracies or to use a UCPA violation to bring a claim under other Utah laws.
Virginia’s Consumer Data Protection Act (VCDPA) went into effect on Jan. 1, 2023. While not as comprehensive as California’s CPRA, it does require controllers to conduct data protection assessments that evaluate the risks associated with consumer data processing activities.
Though the VCDPA does not grant consumers a private right of action, the state attorney general can fine companies up to $7,500 if they fail to fix violations within 30 days.
This law does include an exemption for employee data.
Like California, the VCDPA requires companies to enter into DPAs with service providers. Under these DPAs, service providers must:
- Provide for the confidentiality, return and deletion of personal information
- Demonstrate compliance with the VCDPA
- Conduct compliance assessments and/or audits
- Clearly detail how they process personal data
- Bind subcontractors to similar DPAs.
The content above is based on information current at the time of its publication and may not reflect the most recent developments or guidance. Neal, Gerber & Eisenberg LLP provides this content for general informational purposes only. It does not constitute legal advice, and does not create an attorney-client relationship. You should seek advice from professional advisers with respect to your particular circumstances.