Businesses as diverse as grocery store chains, delivery services, and marketing companies, among countless others that collect personal information from consumers, will have a legal obligation to adopt and implement a slate of data privacy requirements that govern how the business collects, uses, and discloses consumer data. While specific dates vary, these laws generally come into effect in 2023.
Following the lead of the European Union (which passed its groundbreaking data privacy law – the GDPR – in 2018), these state consumer data privacy laws seek to fill a gap in American data privacy regulation. As many readers of this article know, data privacy law in the United States has been primarily sector-based, with different data privacy laws applying to different sectors of the economy: HIPAA for health care, FERPA for education, GLBA for finance, and so forth. While this approach has allowed laws to be tailored to specific contexts, it has also left many businesses exempt from meaningful data privacy regulation. Recognizing these gaps, the state consumer data privacy laws seek to establish a comprehensive framework for the control and processing of personal data by the many businesses currently exempt from other regulatory schemes. While the state laws vary somewhat, they share a few common principles:
- Establishing standards and responsibilities regarding a business’s collection of personal data from consumers;
- Granting consumers certain individual rights with respect to their data, such as the rights to access, correct, delete, and obtain a copy of the personal data a business holds about them; and
- Establishing an enforcement mechanism to allow state governments to hold businesses accountable for violations of law.
By this point, you may be thinking “But my business is located in Wisconsin – do I really need to worry about the laws of these other states?” The answer to that question is an emphatic “yes.” While, again, the details vary, these state consumer data privacy laws may apply to businesses located in the five states (California, Colorado, Connecticut, Utah, and Virginia) and to any business, no matter where it is located, if that business targets products or services to residents of such states, as long as certain other thresholds are met. This means that, for example, a hardware store chain located in New York that opens locations in Connecticut may need to comply with Connecticut’s new data privacy law when its Connecticut resident consumers use the hardware store’s mobile app. Similarly, an online market research company based in North Carolina may need to comply with the laws of all five states if it collects the personal data of residents of those five states.
In light of the broad application of these new data privacy laws, it is important for businesses to begin analyzing their compliance obligations now in order to give themselves sufficient time to develop and implement any necessary compliance programs. Businesses should consider at least the following: (a) if and how the business collects personal data from consumers; (b) whether the business makes available its goods and services to residents of California, Colorado, Connecticut, Utah, or Virginia and whether the business markets such goods and services to the residents of those states; and (c) whether the state data privacy laws apply to the business or whether any legal exemptions apply to the business in one or more states.
A business that is subject to one or more of these data privacy laws must then begin the process of complying prior to the applicable effective date. A roadmap for compliance would include the following steps:
- Identify the categories of personal data being collected from consumers, how the personal data is stored, and how it is re-disclosed.
- Consider whether the business sells any personal data as part of its operations.
- Plan for drafting and issuing legally compliant privacy notices.
- Develop a program for processing requests from consumers who desire to exercise their individual rights, such as the right to access or request the deletion of the personal information the business maintains about them.
- Map or link all data of each consumer that the business has collected, so that the business can easily access all collected data belonging to the consumer when responding to requests from them.
- Institute an opt-out process for the sale of personal data and/or targeted advertising.
- Implement a privacy rights nondiscrimination policy.
- Conduct data impact assessments.
- Enter into appropriate contracts with vendors and suppliers in a manner consistent with the privacy laws to ensure that the vendors and suppliers of the business also protect the privacy of consumer data.
The above list can be daunting, even for the most sophisticated of businesses. To be compliant on time, businesses should start the process of evaluating these laws now. Non-compliance with these data privacy laws may result in government enforcement actions, fines and penalties, reputational damage in the marketplace, and loss of business partners that want to work only with compliant entities. The good news, though, is that with a proper plan and sufficient resources in place, every business can be ready to comply with these laws and satisfy its legal obligations.
William Roberts is a data privacy and cybersecurity attorney with the law firm of Day Pitney LLP and is based out of the firm’s Hartford, Connecticut office.