Several state data privacy laws come into force in 2023, including significant regulations in California and Virginia that take effect on January 1. These laws will result in steeper requirements—and penalties—for many companies across the United States.
The California Privacy Rights Act (CPRA), which builds upon the California Consumer Privacy Act (CCPA), and Virginia Consumer Data Protection Act (VCDPA) both apply to companies "doing business in the state," including actively engaging in e-commerce with their residents. These companies must control or process the personal data of at least 100,000 residents of that state, or control or process personal data of at least 25,000 residents and derive at least 50% of their gross revenue from the sale of personal data.
The CPRA also applies to any enterprise that does business in the state and has a global gross revenue of $25 million, regardless of how much consumer personal data it collects. Starting on January 1, it will extend beyond consumer data and apply to business-to-business data and employee data. As a result, the CPRA will bring into scope a much larger swath of data than any other state privacy laws, including VCDPA.
At a high level, these two laws require affected businesses to make certain disclosures in their privacy notices, provide consumers the ability to opt-out of the sale of their personal data, and limit the collection of personal data to what is adequate, relevant and reasonably necessary. There are nuances with these requirements, but the laws are rather clear in this area and the biggest risk comes with noncompliance.
To prepare for new requirements and mitigate the risk of costly penalties, businesses should pay particular attention to three specific areas: navigating uncertain opt-out requirements; developing a data governance program to ensure efficient responses to consumer requests; and managing risks with third-party vendors.
Currently, the VCDPA does not prescribe how consumers may exercise their right to opt-out of the sale of their personal data. On its face, this provides flexibility and allows businesses to designate a method for opting out. In practice, however, this likely means businesses will have to accept all forms of opt-out signals until the Virginia attorney general brings an action against a business that provides more clarity.
The CCPA did not explicitly require businesses to recognize opt-out signals. The final CCPA regulations state that “if a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request.”
Subsequently, the CPRA provided businesses with the option of recognizing an opt-out preference signal as a valid consumer request. It also required the California Privacy Protection Agency to issue regulations governing the technical specifications for the signal, how a business can seek to obtain consumer consent to circumvent the signal, and how a business must respond to the signal. Those regulations are still in draft form.
It is important for companies to err on the side of caution when recognizing opt-out preference signals because the CCPA carries fines of $2,500 per violation, or $7,500 for each violation found to be intentional. In August, for example, the California attorney general announced a $1.2 million settlement to resolve allegations that the global retail chain Sephora failed to process user requests to opt-out of the sale of their information via user-enabled global privacy controls. (These controls are a one-stop shop consumers are increasingly using to signal their privacy preferences.) This demonstrates that how you treat opt-out preferences can easily become a million-dollar decision.
Data governance programs are increasingly important as businesses collect data from consumers regulated by different state and/or federal laws. Data governance refers to the internal controls and policies a business uses to manage the confidentiality, availability and security of data it collects. Data mapping, which is a part of data governance, details how data moves through the organization, where it is stored, and how it is used.
Data maps help businesses make accurate disclosures in their privacy notices regarding how consumer data is processed, shared and retained. Moreover, creating data silos based on criteria such as jurisdiction and applicable laws can allow businesses to respond to users’ requests quickly and efficiently.
For example, when a business receives a request to delete a consumer’s data, it needs to know how long it has to respond. Under the CPRA, a business must acknowledge the consumer request within 10 business days. It then must respond within 45 days by either requesting more information to verify the identity of the consumer, confirming the data has been deleted, or rejecting the request based on an exemption or lack of identification. Under the VCDPA, a business does not have to acknowledge the request, but it must still respond within 45 days.
To respond, the business must be able to identify what law applies to the consumer making the request, determine what information must be deleted, what additional information is required to do so, and what data falls within an exception. If consumer data from different jurisdictions is stored in a general database, it may be hard for businesses to determine what law applies and meet the timeframe requirements.
Further complicating the situation, the two laws involve different sets of data. VCDPA applies to the right to delete personal data provided or obtained about the consumer, while the CPRA only applies to personal data the business collected from the consumer. Additionally, VCDPA includes data from third parties, while CPRA includes data that may relate to an emergency contact or beneficiary. Without a data governance program, it may be difficult for a business to comply with these nuances.
As noted, the CPRA carries fines of $2,500 per violation, or $7,500 for each violation found to be intentional. The VCDPA imposes potential injunctions and civil penalties of up to $7,500 per violation, as well as attorney’s fees. These are just a drop in the bucket of potential losses, as managing regulatory inquiries and investigations can incur significant costs.
The CPRA and VCDPA both require businesses to enter into written agreements with third parties that process data on their behalf. However, there is very little overlap in what the two laws require.
Under the CPRA, the written agreement must:
- Allow the business to ensure that the third party uses the personal data in a manner consistent with the business’s obligations.
- Require the third party to notify the business if it determines it can no longer meet its obligations.
- Grant the business the right, upon notice, to stop and remediate unauthorized use of personal data.
- Prohibit the third party from selling or sharing personal information; retaining, using or disclosing personal information for any purpose other than for the business purposes specified in the contract, including retaining, using or disclosing personal information for a commercial purpose other than the business purposes specified in the contract or as otherwise permitted by the CPRA; and retaining, using or disclosing the information outside of the direct business relationship between the contractor and the business.
Meanwhile, under the VCDPA, the contract must:
- Ensure that each person processing personal data is subject to confidentiality requirements.
- Require the third party, upon request, to delete or return all personal data to the business, unless retention of the data is required by law.
- Allow the business to request that the third party make available all information in its possession.
- Allow the business to conduct reasonable assessments. Alternatively, the third party may arrange for a qualified and independent assessor to audit its policies and the technical and organizational measures used to fulfill its obligations, using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The third party shall provide a report of such assessment to the business upon request.
- If the third party uses a subcontractor, it must enter into a written contract requiring this additional party to meet the processor’s obligations regarding the personal data.
Businesses should maintain a data processing addendum that can be added to their vendor agreements that ensures these requirements are met across jurisdictions. They also need remediation processes to ensure all current agreements have the appropriate clauses. By including these statutorily required clauses in the agreement, along with an adequate indemnification provision, businesses will be able to protect themselves from third-party vendor risk.
It is important to note that Congress is currently debating a federal data privacy bill that would largely preempt state laws if passed. However, the bill includes similar obligations, and pivoting a compliance program to adjust for new laws and shifting requirements is far easier than standing flat-footed. Given that Congress has fruitlessly debated federal data privacy laws for almost two decades, it would be a costly mistake to delay compliance on the assumption that it will enact a national law before CPRA and VCDPA take effect on January 1 and the other statutes that follow later next year.
The patchwork of data privacy laws can make for a stressful compliance exercise. But by proactively budgeting and preparing for them through well thought-out compliance programs, businesses can more easily meet their obligations and adjust as new laws are enacted.