New laws of the USA on data protection in 2023

Currently, the United States of America (the «US») does not have a single codified act (except for the Children’s Online Privacy Protection Act) that would establish general rules for all states on how to collect, store, transmit and otherwise process personal data. Therefore, individual states took matters into their own hands and passed local laws to protect the privacy of their residents. 

Until recently, lawyers have tended to focus their attention on the legislation of California, but from 2023, new rules on personal data protection will come into force not only in this state but also in Virginia, Colorado, Utah and Connecticut.

In this article, we will review who needs to know the new rules of the US legislation, when exactly they will come into force and what obligations these laws provide.

Contents:

• California
• Virginia
• Colorado
• Utah 
• Connecticut

California

In California, the California Consumer Privacy Act (CCPA) has been in effect since January 01, 2020. The California Privacy Rights Act (CPRA)  amends the CCPA and came into force (for the most part) on January 01, 2023.

The CPRA operates with the concepts of «personal information», «business», «service provider», «contractor», «consumer», «household», «third party», «biometric information», «sensitive personal information», «sale or sharing of personal information», etc. The correct understanding of these concepts is a mandatory component of determining the scope of the CPRA and its application/non-application to specific business processes. 

The CPRA applies, in particular, to sole proprietorships, partnerships, limited liability companies, corporations, associations, and other legal entities – «businesses» that collect personal information of consumers, either alone or through an intermediary, determine the purposes and means of processing, do business in the State of California, and satisfy one or more of the following criteria:

• has an annual gross revenue of more than 25,000,000 USD;
• individually or in combination annually buys, sells or transfers personal information of 100,000 or more consumers or households; 
• receives 50% or more of its annual revenue from the sale or sharing of personal information.

A business may also be any entity that (1) controls or is controlled by a business defined above and (2) shares a trademark with it. 

Compared to the CCPA, the CPRA introduced the following novelties to California law: 

• the California Privacy Protection Agency (CCPA) was established; 
• the concept of «sensitive personal information» was introduced; 
• two additional consumer rights were introduced: the right to correct inaccurate personal information and the right to restrict the use and disclosure of sensitive personal information;
• the act was extended not only to the «sale», but also to the «sharing» of personal information; 
• the obligation to conduct an annual cybersecurity audit that is thorough and independent, and to regularly provide a risk assessment to the CPPA in case of processing of personal information that poses a significant risk to the privacy or security of consumers (although the CPRA does not explicitly require companies to conduct risk assessments, it authorizes the CPPA to issue rules that may require it; the exact requirements for these regular risk assessments will be determined by the CPPA as part of its rulemaking, as these rules do not yet exist); and 
• other changes.

Virginia

The Virginia Consumer Data Protection Act (VCDPA) was adopted in the spring of 2021 and came into force on January 01, 2023.

The VCDPA operates with the concepts of «personal data», «controller», «processor», «consumer», «third party», «biometric data», «sensitive data», «sale of personal data», etc.

This act applies to persons (natural and legal persons) who do business in Virginia or manufacture products/provide services intended for Virginia residents and who meet one or more of the following criteria: 

• control or process the personal data of at least 100,000 consumers during a calendar year; 
• control or process personal data of at least 25,000 consumers and receive more than 50% of gross revenue from the sale of personal data.

Unlike the CPRA, the annual income of the entity is not taken into account. But similarly to the CPRA, it is not necessary to be physically located or have a registered office in California or Virginia to fall within the scope of the VCDPA. «Doing business» also means offering your goods or services to residents of a particular territory.

Under the VCDPA, controllers have stricter obligations than processors, the latter’s obligations are generally related to their contracts with controllers. The VCDPA obliges controllers to:

• limit the collection of personal data only to those that are sufficient, relevant and reasonably necessary for the purposes for which such data is processed, as communicated to the consumer;
• not to process personal data for purposes that are not communicated to the consumer and sensitive personal data, unless the controller obtains the freely given, specific, informed and unambiguous consent of the consumer;
• provide end users with a privacy notice;
• establish administrative, technical and physical security measures for the collection and processing of personal data;
• respect the rights of consumers, including the right to refuse («opt-out») from the collection or processing of personal data for the purposes of targeted advertising, sales and profiling;
• respond to consumer requests within 45 days from the date of receipt of the request,
• not to discriminate against consumers based on the processing of their data; and
• other obligations.

In addition, according to the VCDPA, the controller and the processor must enter into a contract regarding the processing of personal data. The controller must also conduct a data protection assessment if the processing poses a heightened risk of harm to consumers (e.g., for the purposes of targeted advertising, sale of personal data, or certain profiling) and disclose the results of the assessment if lawfully requested by the Virginia Attorney General.

Colorado

The Colorado Privacy Act (CPA), passed in July 2021, will take effect on July 01, 2023. On September 30, 2022, the Colorado Attorney General’s Office published for public comment the CPA Rules, a set of provisions that, if adopted without substantive changes, would expand and clarify the requirements of the CPA.

The CPA operates with the concepts of «personal data», «controller», «processor», «consumer», «third party», «sensitive data», «sale of personal data», «dark pattern», etc.

This act applies to a controller that does business in Colorado or produces or delivers commercial products or services that are intentionally targeted to Colorado residents and meets one or more of the following criteria:

• controls or processes the personal data of 100,000 or more consumers per year; 
• derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 or more consumers.

Similarly to the VCDPA, no income threshold is applied.

The CPA contains requirements for both controllers and processors. The CPA sets out a special article, which imposes the following duties on controllers:

• the duty of transparency – controllers are obliged to provide consumers with a comprehensive privacy notice;
• the duty of purpose specification – controllers must identify the specific purposes for which personal data is collected and processed;
• the duty of data minimization – controllers must limit data collection to the extent necessary for the clearly defined purposes for which the data is processed;
• the duty to avoid secondary use – controllers may not process personal data for purposes that are incompatible with the direct purposes for which these data are processed;
• the duty of care – controllers must take reasonable measures to protect personal data;
• the duty to avoid unlawful discrimination – controllers may not process personal data in violation of anti-discrimination laws; and
• the duty regarding sensitive data – controllers cannot process sensitive data without the consent of the consumer.

Controllers must also respect the rights of consumers as defined by the CPA and respond to their requests within 45 days of receiving them. 

The CPA prohibits a controller from processing that poses an heightened risk of harm to consumers without conducting and documenting a data protection assessment, which must be provided to the Colorado Attorney General upon request. Data processing by a processor must be governed by a contract between the controller and the processor, which is binding on both parties.

Utah

The Utah Consumer Privacy Act (UCPA) was passed in March 2022 and will take effect on December 31, 2023. 

The UCPA operates with the concepts of «personal data», «controller», «processor», «consumer», «third party», «biometric data», «sensitive data», «sale of personal data», etc.

This act applies to any controller or processor that does business in Utah or produces goods or provides services intended for Utah residents, has annual revenues of $25,000,000 or more, and meets one or more of the following criteria: 

• controls or processes the personal data of 100,000 or more consumers during a calendar year; 
• derives more than 50% of its gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more consumers.

The UCPA contains requirements for both controllers and processors. In particular, the UCPA imposes the following obligations on controllers:

• provide consumers with a reasonably clear and accessible privacy notice; 
• establish, implement and maintain reasonable administrative, technical and physical security measures to protect data; 
• not to process sensitive data collected from a consumer without first providing the consumer with clear notice and an opportunity to opt-out of the processing (unlike the VCDPA and CPA, which require consent); 
• not to discriminate against consumers based on the processing of their data;
• other obligations.

A controller is not obliged to provide a product, service or functionality to a consumer if the consumer’s personal data is reasonably necessary for the controller to provide that product, service or functionality and the consumer has not provided personal data or has not authorized the controller to process his or her personal data.

Controllers must also comply with the rights of consumers set out in the UCPA and respond to their requests within 45 days of receiving them. 

Before processing on behalf of a controller, the processor and controller shall enter into a contract. Unlike the VCDPA and CPA, the UCPA does not contain any requirement to conduct a data protection assessment.

Connecticut

The Connecticut Data Privacy Act (CDPA) was adopted in May 2022 and will enter into force on July 01, 2023. 

The CDPA operates with the concepts of «personal data», «controller», «processor», «consumer», «third party», «biometric data», «sensitive data», «sale of personal data», «dark pattern», etc.

This act applies to persons doing business in Connecticut, or to persons who manufacture products or provide services intended for Connecticut residents and who during the previous calendar year: 

• controlled or processed personal data of at least 100,000 consumers; or 
• controlled or processed the personal data of at least 25,000 consumers and generated more than 25% of its gross revenue from the sale of personal data.

The CDPA contains requirements for both controllers and processors similar to those discussed above. In particular, controllers are required to:

• provide consumers with a reasonably accessible, clear and meaningful privacy notice (“privacy notice”);
• limit the collection of personal data only to those that are sufficient, relevant and reasonably necessary in relation to the disclosed purposes for which the data is processed;
• avoid secondary use – unless the controller obtains the consumer’s consent, it may not process personal data for purposes that are not reasonably necessary or compatible with the disclosed purposes;
• establish, implement and maintain reasonable administrative, technical and physical security measures to protect the confidentiality, integrity and availability of personal data;
• not to process personal data about the consumer without his or her consent;
• not discriminate against consumers based on the processing of their data;
• provide consumers with an effective method of withdrawing consent that is as simple as the method they used to provide consent;
• perform other duties.

Similar to other comprehensive state privacy laws, controllers must comply with consumers’ rights under the CDPA and respond to their requests within 45 days of receiving them.

Data processing by a processor must be governed by a contract between the controller and the processor, which is binding on both parties. The controller must also conduct a data protection assessment for data processing activities that pose an increased risk of harm to the consumer.

Conclusion

What does it actually mean for business? If goods or services are targeted at the US as a separate market, then residents of the mentioned states (California, Virginia, Corollaro, Utah, Connecticut) are potential consumers of such business. Therefore, the compliance program can sparkle with new colors, taking into account the individuality of each act.

To properly assess whether you need to comply with the requirements of a particular legislative novelty on privacy, we recommend that you contact a specialized lawyer. First of all, it is necessary to assess whether your business falls within the scope of the act, and then implement specific changes. 

2023-01-17