July 28, 2021
Since 2018, with the passage of the California Consumer Privacy Act (CCPA) and the taking effect of the General Data Protection Regulation (GDPR), U.S. companies have been presented with an expanding patchwork of privacy compliance obligations at the international and national level.
In the U.S. particularly, due to the absence of federal level data privacy legislation, companies look to emergent state laws and associated regulatory rules for guidance on data privacy compliance. Following California’s passage of the CCPA, there’s been a spate of state-based legislative activity:
· In 2020/2019/2021 Maine, Nevada, and Utah passed laws less comprehensive than the CCPA;
· In 2021 Virginia and Colorado passed privacy laws (the Virginia Consumer Data Protection Act (VCDPA) and Colorado Privacy Act (CPA)) which have elements comparable to the CCPA and its successor (the California Privacy Rights Act (CPRA)); and
· Proposed bills in Florida, Washington, Minnesota, New York, and Connecticut that are comparable to the CCPA/VCDPA/CPA in comprehensiveness are in various stages of legislative contemplation.
These state laws/bills are at least on the margin inconsistent from one state to another and tend to be complicated, ambiguous in parts, and subject to revision or replacement (e.g., the most well-known of these laws, the CCPA, was hurriedly passed in June 2018, amended significantly in September 2018 and October 2019, went into force (but only in part) in January 2020, and has been superseded by the enactment of the CPRA in November 2020 (to go into effect January 2023)).
This regulatory dynamic naturally creates administrative challenges and expense in adopting and managing legally compliant operational practices and privacy notices with respect to the collection, sharing and storage of personal information (PI). This is salient for any company but particularly for companies (such as many growth companies) that are not financially or strategically positioned to rely on or hire a singularly focused internal compliance function.
While there is no overarching compliance standard which would be sufficient for compliance across state laws (a GDPR compliance standard would come closest) and indeed most industry coverage of the privacy landscape focuses on the differences between these laws (and the necessity for nuanced analysis), there is a baseline of commonality that startups can look to as they (1) assess and review their PI collection, use and sharing practices (AKA “data mapping”) and (2) sketch out a foundational set of internal compliance standards.
1. Commonalities.
a. Scope. U.S. state laws (and proposed bills) generally share three qualifying criteria before a business is in scope. First, the business needs to “do business” in the applicable state. This is a murky standard, but a working assumption is that economic activity sufficient to trigger tax liability or personal jurisdiction in that state qualifies as “doing business.” Second, the laws limit their applicability to businesses that collect PI from that state’s residents. The GDPR by contrast applies to data processing activities rather than data subjects (i.e., its protections extend beyond EU residents). Third, the laws generally have revenue or data volume/activity thresholds, which at least at this point conform to one of two models. The California model established by the CCPA has three basic triggers that apply to any company “doing business” in that state: (1) gross revenues in excess of $25 million, or (2) buying, receiving, or sharing PI of 50,000 or more California residents (increased to 100,000 under CPRA), or (3) deriving 50%+ of revenues from selling PI of California residents. The Virginia model is similar but lacks the revenue trigger and instead is based on satisfying one of two prongs: (1) processing PI of 100,000 Virginia residents in a year or (2) processing PI of 25,000 Virginia residents while deriving 50%+ of revenues from selling PI. Follow-on bills/laws from other states tend to model one of these two approaches (e.g., Colorado follows the Virginia model). Note that for larger companies the California model is more problematic, as they are swept into the scope of the law under the revenue prong even if they do not have a significant presence in that state (although some presence would be required).
b. Privacy Rights and Responsive Operational Procedures. The second commonality is the overlap regarding the essential privacy rights of state residents to control their data. Generally, residents have two basic bundles of rights. The first bundle relates to the access, correction, deletion, and data portability of PI. Businesses must give residents notice of these rights at points of collection as well as build internal procedures that enable them to respond to, and where appropriate comply with, requests from residents invoking those rights. Additionally, residents have “opt out” rights related to the “sale” or sharing of their PI (particularly for targeted advertising and certain types of profiling). The protections related to the “sale” of data vary between states; broadly speaking, however, the variance is between states that define “sale” as involving purely monetary consideration (Virginia, Nevada) and states (like California) with a definition sufficiently expansive to cover barter arrangements (i.e., the statute reads something like “any exchange of valuable consideration”).
The hard operational work for companies here is in building a set of automated and manual processes to be able to respond to and honor requests from data subjects exercising their privacy rights in a manner that’s operationally efficient and consistent with law. At a bare minimum this requires the organizational capacity to (a) “match” PI a business collected on date X to a particular data subject on date Y (the date the business receives a request) and (b) if appropriate, initiate an operation to port/delete/correct/not sell that PI or otherwise enable the data subject to exercise their rights.
c. Sensitive Data. The laws also generally impose special treatment obligations with respect to certain types of data, usually including health data, financial data, social security information, and data relating to children, that are classified as “sensitive” (or an analogous term), namely that heightened notice and “opt-in” requirements and procedures apply with respect to a business’s processing of such data.
d. Privacy Notices. Generally, businesses must provide residents with a timely, reasonably accessible and clear privacy notice. This notice must set forth what types of PI are collected, how it is used, how it is shared with third parties, and how it is stored, together with an explanation of the residents’ rights under applicable law and how and where residents can exercise those rights.
e. Processor Contracts. Another basic privacy requirement for businesses within scope of the laws is to enter into a data processing agreement with any person that processes PI on the business’s behalf (which would include just about any third-party vendor to which the business provides PI (even incidentally)). That agreement should contain specific requirements for processing and protecting PI (which, though varying from state to state in specifics, at a bare minimum require that the processor (vendor) use PI the business provides it only for the limited purposes of fulfilling the services the vendor is contracted to provide).
2. Variations. Among the key differences between the various state laws are:
· Applicability to non-profits (yes in Colorado, no in California and Virginia);
· B2B and employee data (yes in California, no in Colorado and Virginia);
· Availability of a private right of action (yes in California, no in Virginia and Colorado); and
· Exemptions for PI subject to other laws, such as the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA); businesses should anticipate state-by-state differences in the scope and extent of exclusions relating to GLBA, HIPAA and the Fair Credit Reporting Act.
3. What to do Next. While there are some distinctions between the laws that require fine-tuning at the operational, vendor contracting and privacy notice levels, there are some baseline steps that businesses can take to get directionally compliant across state laws. The first is to perform a basic data mapping exercise and determine what PI is collected, who the PI was collected from, where the PI is stored, and how the PI is used and shared. Attendant to this, it is advisable to perform a preliminary gap analysis to assess whether the business’s processing activities deviate (in an obvious way) from fundamental privacy law requirements (e.g., consider how the business is handling sensitive data (such as that of minors) or whether the business is “selling” PI). The second step is to consult with legal counsel to update the business’s privacy notices to clearly and accurately disclose its data processing activities (based on the data mapping exercise) and inform data subjects of their data rights and how to exercise those rights. The third is to develop rudimentary processes for responding to data rights requests. The fourth step is to develop a baseline awareness of the terms of the business’s vendor contracts and a path to updating those contracts. The foregoing, taken as a whole, serve to establish a privacy framework which can scale with the growth of the business and the evolving privacy landscape.
This alert was prepared by Jake Molland, a Principal at Bound Legal Strategy P.C. The content of this alert is informational only and does not constitute legal or professional advice. Please note that the law changes frequently and further that the generalized information reflected in this alert may not address the specifics of a given factual situation. Please contact Jake at jake.molland@boundlegal.com if you have specific questions or concerns relating to any of the topics covered in here.