A slew of consumer protection laws have been introduced throughout the country this year, with many taking notes from California’s Consumer Protection Act (CCPA). In the last month alone, in fact, Colorado, Nevada, Texas, and West Virginia have all joined the ranks of states introducing CCPA-inspired legislation. Without any uniform consumer privacy legislation at the federal level, multistate businesses will be forced to navigate these rapidly developing state privacy laws on a patchwork basis to ensure compliance in each of the jurisdictions in which they operate.
Consumer Privacy in Colorado
Deemed the “Colorado Privacy Act,” SB 21-190 was introduced on March 26 to address both protections provided to consumers and how controllers of data must fulfill their duties in handling data and responding to consumers’ assertion of their rights. Unlike the CCPA, Colorado’s Privacy Act has no threshold revenue requirement to apply. Instead, the Act would apply to legal entities that either conduct business in Colorado or intentionally target their products and services to Colorado residents, and that either (1) control or process the personal data of 100,000 or more consumers per year; or (2) derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 consumers or more. A “Controller” under the Act is defined as a person that, alone or jointly with others, determines the purposes and means of processing personal data. The Colorado Privacy Act defines “consumer” as a Colorado resident in their individual capacity or as a member of a household. The definition does not include “an individual acting in a commercial or employment context.”
The Colorado Privacy Act places enforcement authority exclusively with the Attorney General and district attorneys. If it is ultimately enacted, the Colorado Privacy Act will be effective January 1, 2023.
New Legislation in Nevada
Nevada is not without existing privacy legislation, but two bills introduced on March 17 (AB 323 and SB 260) would transform the state’s law towards CCPA levels. The bills would add a new “data broker” category to the Nevada law and amend the term “sale” to refer to sale by an operator or data broker to another person. Under the legislation, a “Data broker” is defined as a person engaged in the business of purchasing covered information about consumers who reside in Nevada from operators or other data brokers and making sales of or disseminating such covered information. Under existing Nevada law, operators of internet websites that collect certain personally identifiable information about consumers in the state are obligated to provide consumers a designated address through which consumers can request that the operator not make any sale of “covered information.” AB 323 and SB 260 seek to impose this same requirement on the newly coined category of “data brokers.”
AB 323 and SB 260 refer and apply to “covered information,” which has been defined more narrowly than the CCPA’s definition of “personal information” in that it does not reference those specific identifiers like biometric and geolocation data that we see under the CCPA. The legislation provides for enforcement by the Attorney General, with civil penalties of not less than $500 and not more than $5,000 per violation.
Moves Towards Consumer Privacy in Texas
On March 11, Texas lawmakers introduced six consumer privacy bills aimed at addressing data privacy, data crimes, and data breaches. The pending Data Privacy Omnibus, HB 3741, is reminiscent of the CCPA, but is in many aspects unique legislation. The bill proposes regulations to be applied to for-profit entities.
As with the CCPA, the bill provides the rights to access, to know (meaning an individual can both access and obtain personal identifying information that is collected by a business related to them and transfer personal identifying information from one business to another business), as well as the right to deletion. Like the newly passed California Privacy Rights Act, the bill would provide individuals, or their legal representatives or guardians, the right to request that any inaccurate information collected or maintained by the business that relates to the individual, or person on behalf of whom the legal representative or guardian is requesting, be corrected. Uniquely, HB 3741 provides for business immunity from liability under certain circumstances. Under the proposed law, a business that is in compliance with the law and engages a third party to process personal identifying information collected by the business cannot be held liable for a violation of an individual’s right to deletion of information by the third party if the business does not have actual knowledge or a reasonable belief that the third party intends a violation.
Enforcement power lies with the Attorney General’s office, which could seek civil penalties of up to $10,000 per violation, and $1 million total.
What’s Happening in West Virginia?
West Virginia’s data privacy bill, HB 3159, does more than just take inspiration from the CCPA. The bill, which has yet to be formally given any “Act” title, was introduced on March 15. Although West Virginia’s proposed legislation resembles the CCPA in the rights conferred on consumers, definitions of personal information, and threshold for application, it includes some standout additions.
One noteworthy provision is the bill’s definition of “share,” which defines the term as either allowing a third party to use or advertise to a consumer based on a consumer’s personal information without disclosure of the personal information to the third party or monetary transactions, nonmonetary transactions, and transactions for other valuable consideration between a business and a third party for advertising for the benefit of a business. Also noteworthy are the data retention limitations proposed by the bill, which require businesses to both provide and follow a retention schedule that prohibits the use and retention of personal information after satisfaction of the initial purpose for collecting or obtaining such information, or after the duration of a contract, or one year after the consumer’s last interaction with the business, whichever occurs first.
Those businesses working with subcontractors around receipt of consumer information should pay particular attention to the bill’s differences from the CCPA. Under the legislative proposal, any contract between a business and a third party or service provider for receiving personal information must include a provision that any contract between a third party and any subcontractor or between a service provider and any subcontractor must require the subcontractor to meet the obligations of the third party or service provider with respect to personal information.
Next Steps for Employers
Although these bills are inspired by the CCPA, do not assume the steps you have already taken to comply with the CCPA will automatically put you in compliance with these – or any other – state’s consumer privacy legislation. You should continue to monitor the status of the particular bills that would impact your business, and if they pass, consult with legal counsel sooner rather than later to ensure you are able to meet that state’s requirements.