As of January 1, 2023, California’s amendment to the existing California Consumer Privacy Act—the California Privacy Rights Act (“CPRA”)—as well as Virginia’s new Consumer Data Protection Act (“CDPA”) are in affect.
The CPRA passed via a California statewide referendum as privacy advocated for more consumer-friendly provisions be added to the already existing California data protection law. The CPRA also moved enforcement of California data protection laws and regulations from the California Attorney General to the newly minted California Privacy Protection Agency (“CPPA”). The CPPA has yet to finalize the CPRA’s updated data protection regulatory scheme; however, their draft, proposed regulations provide a window into what the final regulations will likely be.
Virginia’s state legislature, on the other hand, passed the CDPA in 2021 (slightly amending it in 2022); which ushered in Virginia’s first comprehensive data protection law.
Colorado, Connecticut, and Utah also joined Virginia over the course of the past two years in that each state has passed and is currently working to implement the applicable state’s first comprehensive state data protection law. Prior to 2021, California was the only U.S. state with a comprehensive data protection law. Now, there are 5 and 2023 could prove to be another year that sees multiple states introduce and pass similar laws so as not to be left behind from the wave of data protection legislation.
As more states pass comprehensive data protection laws and such laws come into effect, more and more business will need to build out substantive, data protection compliance programs.
Those programs will need to adaptable—as one business could be subject to multiple state laws and therefore must adapt to the nuanced differences—and will need to account for the different aspects of comprehensive data protection laws, such as (1) substantive privacy policies and notices; (2) consumer privacy right request policies and procedures; (3) reasonable, adequate technical, organizational, and physical security measures; (4) vendor and contract management programs to flow through required contractual provisions when engaging data processors and service providers; and (5) regular audit procedures and programs.
The above list is not exhaustive of all a business would need to do under the applicable U.S. state laws; but it provides an example of the different requirements comprehensive data protection laws set forth—and the time it will take for business to build out compliant programs.
Businesses that have not previously dealt with comprehensive data protection law compliance will need to invest a significant amount of time in developing the require policies and procedures. Additionally, even if businesses have previously dealt with other—or former versions of—comprehensive data protection laws, they will need to conduct comprehensive reviews in order to account for specific nuances and difference in the laws.
The Benesch Data Protection team stands ready and able to assist business of any size work on building out new data protection compliance programs and/or leveraging existing programs to adapt to the ever-evolving U.S. state data protection landscape.
Below, please find more information on the timing for when each state has data protection laws coming into effect and what businesses will be subject to the data protection laws of a given state.
Effective Dates
Scope and Applicability
All states set forth a prerequisite that only a business that operates or does business in the specific state is subject to the law. But it is not that simple. To be subject to the applicable state laws, the “do business in the state” prerequisite must be met, but a business must also meet certain “triggers”.
There are generally three triggers that could bring a business into the scope of a U.S. state data protection law: (1) annual gross revenue (not just the revenue derived out of the applicable state); (2) the total collection of personal information from consumers in the applicable state; or (3) the collection and sale of the state’s consumers’ personal information.
As the above table indicates, each state has taken a slightly different approach. California arguably has the broadest reach in that any business that records an annual gross revenue of over $25 million is subject to the CPRA. It is also important to note a big difference between California and the other 4 U.S. states—California includes employee, job applicant, contractor, and business-to-business personal information in the scope of the law. The other 4 U.S. states all include broad exclusions that exempt out the forgoing employee and business-related personal information categories.
Utah is arguably the narrowest in scope in that on top of the “do business in the state” threshold requirement, Utah also requires a prerequisite that the business have an annual gross revenue of $25 million or more. Then, assuming the first two prerequisites are met, a business must meet one of the two collection or sale of personal information triggers.
Conclusion
In 2022, the federal government again failed to seriously consider an omnibus data protection law that would preempt the increasing number of state data protection laws; and it is unlikely the federal government will implement such a federal law anytime soon.
Meanwhile, states will continue to enter the fray of comprehensive data protection laws. While those laws will undoubtably be similar in concepts—they will all present different and important nuances that will require detailed reviews of data protection compliance programs. This has proved true in 2021 and 2022 with California, Colorado, Connecticut, Utah, and Virginia.
Look for 2023 to continue the trend.
