How US State Privacy Laws Differ
California became the first state to pass a data privacy law years ago, but now several more have followed suit. Between US regulations and international ones, it can be difficult for companies to know just how to structure their data privacy protocols.
SafeGuard Privacy's Wayne Matus, co-founder, EVP, and general counsel, and Katy Keohane, associate general counsel, shared insights with Street Fight on how privacy laws differ and what marketers need to know.
It can be hard for marketers to follow the differences among state privacy laws. What are the broad, common themes?
Yes, the five states that have enacted comprehensive consumer data privacy laws — CA, VA, CO, CT, and UT — do have common themes. They all seek to give consumers rights over the collection, processing, and use of their data by businesses.
The common consumer rights with a few exceptions noted are:
- Right to Access
- Right to Delete
- Right to Data Portability
- Right to Know (Only CA and VA)
- Right to Correct (except UT)
- Right to Non-discrimination for exercising the rights (except Colorado, which refers to prior laws on discrimination)
- Right to Opt-out of certain processing and/or sale* of personal data (*or “sharing for cross-context behavioral advertising” in CA; “targeted advertising” in VA, CO, and CT)
What are some important differences marketers should look out for?
- Sensitive Information. Under all the new state laws except Utah, businesses must perform and document a privacy impact assessment to weigh potential risks to the individual of processing what each state defines as “sensitive” data. California requires notification and a right to opt-out prior to processing, as does Utah. But Virginia, Colorado, and Connecticut require consent prior to processing. Also, it’s important to note, Virginia and Connecticut include children’s data in the definition of sensitive data.
- California, Colorado, and Connecticut define sales as for money or other valuable consideration – which is interpreted quite broadly. Virginia and Utah only apply to sales for money.
- Colorado Privacy Act, unlike the others, applies to nonprofits.
- Enforcement! California no longer has a cure period allowing companies to correct violations without risk of fines. The CA AG’s office has been actively enforcing already, and the new California Privacy Protection Agency enforcement powers begin on July 1, 2023, so that means more staff dedicated to enforcement.
- Virginia, which became effective 1/1/23, and Utah, Colorado, and Connecticut (which become effective later this year) each have a relatively short cure period.
A couple of big takeaways from US enforcement actions so far? One, respond and engage promptly if you receive a letter from a regulator or a complaint from a consumer. Delay will only make things worse. And two, take the time now to assess your privacy program and take steps to fill any gaps. The new proposed California regulations, expected to become effective in April, allow consideration of “good faith efforts to comply,” among other factors, in determining whether to pursue an investigation.
There are, of course, many more differences.
Privacy advocates often say the US still doesn’t have anything as stringent as GDPR. Do you agree, and if so, how so?
The GDPR is different from U.S. state laws in that it sets out broad guidelines for the processing of personal data generally, not just consumer data, and not just for marketing purposes or consumer rights. The GDPR has no entity revenue or processing thresholds, so it is more comprehensive.
The GDPR fine structure is different, too. Fines can be as high as 4% of annual sales — not profits but sales. The different fine structure has, so far, resulted in higher fines under the GDPR.
However, we need to remember that the U.S. also has sectoral privacy laws that govern information practices in health (HIPAA), financial services (GLBA), and Children’s Online Protection (COPPA).
We’d need to compare all U.S. privacy legislation together to make a fair comparison to the GDPR.
Do you think privacy laws put big companies at an advantage over medium-size companies because the latter don’t have the legal and policy resources required to comply with them?
Sure, a big company having more resources may be at an advantage in achieving compliance, but you need to consider that the problems are bigger, too. We speak with companies of all sizes making really strong, good-faith efforts to assess and address gaps in their privacy programs and mature their privacy compliance, some with big privacy teams and some as small as one person. They all have challenges. Any business that leverages software solutions in the privacy space such as ours can close the resources gap.