Are your privacy policy and practices adequate? Given a new wave of state-level data privacy laws, companies that collect customer information should consider whether updates are required. This applies especially to companies that do business online or use wireless devices to harvest personal information.
Customer Information and Data Privacy Law Prior to New Wave
There is no uniform or single body of law in the United States governing data privacy protection in the context of information collected from customers.
[1] Instead, there is a patchwork of federal and state laws that may apply to a company’s data collection and retention efforts depending on the type of activities performed by the company.[2] Typically, these laws apply to specific industry sectors, such as healthcare providers and financial institutions, to protect specific populations, such as minors, or to specific types of information.[3] Policy experts have referred to these laws as being grounded in a framework based on ‘”harm-prevention.”
Where sectoral special privacy laws don’t apply, the only federal law of general application is the Federal Trade Commission Act, which allows the Federal Trade Commission to force companies to abide by their own online privacy policies and to challenge certain data practices as unfair or deceptive.[4] To date, unless a specific data protection law applies, a company’s data collection activities are largely unregulated.[5] Thus, the content of most privacy policies has been driven by an interest in obtaining customer consent to avoid litigation[6] and by market dynamics.
Growing Body of State Law Comprehensive Regulating Data Privacy
Any “regulatory gaps” in this space are quickly being filled by a growing body of state laws, that comprehensively regulate consumer data privacy and protection. These laws differ from existing laws in that they implement a “rights-based” framework. States with comprehensive data privacy laws currently in effect or to come into effect during 2023 include California, Colorado, Utah, Connecticut, and Virginia. Eight other states including Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee and Texas have passed comprehensive data privacy laws this year, all of which will have taken effect by 2026. These laws are significantly influenced by the European Union’s General Data Protection Regulation. There are differences between the state statutes, but they largely implement similar frameworks. California was the first state to pass a comprehensive data privacy act, and its statutes are the most unique relative to the data privacy laws of other states.
Focus on Consumers, but B2B Sellers Should also Contemplate New Data Privacy Laws
These laws focus on consumer data privacy, but companies focused on business-to-business sales should not summarily conclude they can be ignored. Websites and remote information collection processes may result in companies unknowingly collecting consumer information, which may trigger application of statutory rights and obligations.
For example, California law defines a “consumer” as any person that is a resident of California—and doesn’t require that a company’s goods or services are sought after in connection with a personal or household purpose.[7] Accordingly, if personal information is transferred for a business purpose, an individual may have statutory rights vis-à-vis that business.
Statutes in other states define whether a buyer is a consumer based on the buyer’s intentions. These statutes require a personal or household purpose to trigger their protection, but there are potential scenarios in which buyers acquire goods or services of B2B sellers for “personal” or “household” reasons without the seller’s knowledge.
Threshold Necessary for Application of Comprehensive Data Privacy Statutes
Because compliance with the statutory mandates of comprehensive data privacy laws may be onerous and burdensome, state legislatures have sought to limit their application. Typically, state statutes are limited in their application to companies that are deemed large enough to absorb the cost, or to companies who “trade” in consumer information.
Below are a few examples of how these statutes limit their application to businesses based on their size or the nature of their activities:
- The California Privacy Rights Act[8] applies to persons doing business in California who:
-
- Had annual gross revenues of at least $25 million in the prior year;
- Alone or in combination buys, sells, receives for commercial purposes, and/or shares for commercial purposes, the personal information of at least 100,000 California consumers (“consumers”), households, and/or devices; or
- Derive at least 50% of its annual gross revenues from sharing or selling consumers’ personal information.
- The Colorado Privacy Act applies to persons (a) doing business in Colorado or (b) who target goods or services to Colorado residents, and who also:
- Control or process the personal data of 100,000 consumers or more during a calendar year; or
- Derive revenue or receive a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.
- The Utah Consumer Privacy Act applies to persons (a) doing business in Utah or (b) produce a product or service targeted to consumers who are residents of Utah, and who
- Have annual revenue of $25,000,000 or more; and
- Satisfy one or more of the following thresholds:
- during a calendar year, control or process personal data of 100,000 or more consumers; or
- derive over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
Right and Obligations Typical of State Data Privacy Laws
Some of the core aspects of relevant state data privacy laws, including both comprehensive data privacy and partial frameworks, include the following:
- Mandatory disclosure of whether the company collecting the information sells the information.
- A requirement that privacy policies be posted conspicuously.
- Publication of privacy notices that specify the type of information collected and the purposes for which data is used and collected.
- Clear affirmative acts from consumers prior to processing of personal information.
- A consumer right to opt out of a company’s sale of consumer data.
- A consumer right to opt out of a company’s processing of information for targeted advertising, or for creating user profiles that result in important decisions.
- Mandatory disclosure in a privacy policy of how the business responds to a web browser ‘Do Not Track’ signal or similar mechanisms.
- Disclosure of categories of information collected about consumers who use or visit a site or service and the categories of third parties with whom the operator may share such information.
- Specific confirmation to a consumer upon request of the type of information collected.
- A consumer right to personal data portability.
California Specials: Data Collection, Retention, and Use Limitations & a Data Protection Authority
California was the first state to pass a comprehensive consumer data privacy law and its consumer data privacy laws now go further, and are more onerous, than the laws of other states. With the passage of the California Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act (CCPA) and goes into effect Jan. 1, 2023, California authorized the creation of the California Privacy Protection Agency. Additionally, California now requires companies to limit personal information collection, use, and retention to what is reasonably necessary and proportionate for a legitimate business purpose.[9] The purpose must be published in advance of collection and policies should disclose the length of time that their information will be stored.
Conclusion
In addition to the new wave of data privacy statutes, several states have recently passed laws creating obligations for private sector actors that handle personal information. For instance, statutes in several states require companies to implement and maintain reasonable security measures with respect to collection and storage of consumer information. As a consequence of this wave of state data privacy laws, companies now face an additional layer of exposure to data privacy lawsuits. Accordingly, companies should evaluate and update their privacy policies and data collection and retention practices.
[1] Thorin Klosowski, The State of Consumer Data Privacy Laws in the US (And Why It Matters), N.Y. Times, September 6, 2021.
[2] Id.
[3] See, e.g., the Federal Trade Commission’s description of sectors and subjects subject to privacy laws at the following website: Privacy and Security | Federal Trade Commission (ftc.gov)
[4] 15 U.S. Code § 41 et seq.
[5] Supra, note 1.
[6] See, e.g., the settlement described in the following article: Natalie Hanson, Judge approves settlement ordering Plaid to pay $58 million for selling consumer data, Courthouse News Service, July 20, 2022.
[7] See Cal. Civ. Code, § 1798.140(i) for the definition of “consumer,” available here: California Privacy Rights Act
[8] Cal Civ. Code, § 1798.100, et seq.
[9] See response to FAQ, No. 1, here: California Privacy Protection Agency’s FAQ on CCPA.
