This is the latest article in our series highlighting aspects of the new wave of U.S. state privacy laws. For our most recent previous article, click here.
The first question most businesses ask, understandably, is whether they are subject to the new wave of U.S. state privacy laws. For our largest clients, the answer is often a straightforward yes; but for midsize and small businesses, there are several layers and nuances to work through.
Below we identify some key threshold considerations, informed by our work over the last several years advising businesses on the scope and applicability of these laws, starting with the California Consumer Privacy Act (CCPA), and continuing more recently with its successor California Privacy Rights Act (CPRA) and laws in other states, like the Virginia Consumer Data Protection Act (VCDPA), the Connecticut Data Protection Act (CTDPA), and more.
Assess the nature of your contacts with each state and your size in relation to each law’s relevant thresholds.
Each new law’s core applicability test involves two prongs – the first generally asks whether you “do business in” the relevant state, and the second generally asks whether your business (or the amount of personal information your business processes) is large enough to activate the law’s requirements.
Businesses are subject to California’s law if they:
(1) Do business in California, and
(2) Meet any one of the following:
- Annual gross revenue exceeding $25 million
- Annually buy, sell, or share at least 100,000 California residents’ personal information
- Derive at least 50% of annual revenue from selling or sharing California residents’ personal information
Businesses are subject to Virginia’s law if they:
(1) Conduct business in Virginia or produce products or services targeted to Virginia residents, and
(2) Meet any one of the following:
- Annually control or process at least 100,000 Virginia residents’ personal information
- Annually control or process at least 25,000 Virginia residents’ personal information and derive at least 50% of annual revenue from the sale of personal information
On the doing business prong, sometimes the answer is an easy “of course we do business in Connecticut” or “we have no nexus whatsoever to Utah” – but there are also plenty of grey-area scenarios. We do not yet have a meaningful body of authoritative guidance (from courts or regulators) specifically interpreting these laws’ tests, so we typically look to what other, more developed bodies of state law – such as general corporate law and tax law – say about “doing business,” which can be instructive.
On the size prong, it’s important for midsize and small businesses to understand that this is not a static assessment. A growing business not currently subject to, for example, Colorado’s law could well tip into being subject within a few years. Also, some businesses do not immediately appreciate how easy it can be to reach some of these numerical thresholds, particularly if the business conducts a lot of small-dollar transactions or has heavy website traffic.
For example, since California’s definitions of selling or sharing personal information cover the use of many third-party advertising cookies, a business whose website receives a couple hundred or so unique California visitors a day can meet the size threshold on that basis alone.
One piece of good news – California’s revised test under the CPRA sweeps up fewer businesses than the prior test under the CCPA.
Analyze whether your business, or some of the personal information your business processes, qualifies for an exemption.
Unlike existing data breach notification statutes that focus on specific data elements, such as social security numbers, financial account numbers, and the like, these new laws use very broad definitions of personal information. Connecticut, for example, defines personal information (which it calls “personal data”) as “any information that is linked or reasonably linkable to an identified or identifiable individual.”
But these laws do have categorical exemptions that remove certain businesses and certain types of information from their scope. Connecticut, for example, exempts covered entities and business associates under HIPAA, financial institutions subject to GLBA, higher education institutions, and nonprofit institutions, as well as numerous categories of information, including PHI under HIPAA, financial data subject to GLBA, credit information subject to FCRA, and education information subject to FERPA.
One distinction with major implications for compliance programs separates California’s law from the rest of the pack. Unlike the other new laws, California does not, as of January 1, 2023, have blanket carve-outs for employment data and business-to-business data.
Before relying on an exemption, it’s important to analyze it rigorously against your business and data flows to confirm whether there are any potential snags.
Remember that what matters is not only whether your business is directly subject to these new laws, but also whether you deliver services to other businesses that are subject to these laws.
Here’s a situation we encounter frequently: A business that diligently confirmed it is not subject to any of these laws, under the tests summarized above, is frustrated because one of its clients is insisting that it sign a new data protection addendum motivated by these new laws. Is that really necessary? Frequently, the answer is yes.
Those familiar with, say, HIPAA or GDPR, won’t be surprised to hear that. The bite-size takeaway on HIPAA applicability is that if there is a HIPAA “covered entity” involved in the collection of health information, then that information is likely PHI subject to HIPAA, and all “downstream” businesses that touch that PHI are likely subject to HIPAA, including the covered entity’s service providers, the service providers’ service providers, and so on. GDPR functions much the same way, and so do the new state privacy laws.
There’s a lot more on this topic that we’ll unpack in a forthcoming article, but in a nutshell, even if your busine