Colorado Gov. Jared Polis (D) signed legislation (SB 190) in July making the Centennial State the third to adopt comprehensive data privacy legislation that governs how businesses collect, store, share and process consumers’ personal information.
While the laws in California, Virginia and Colorado share many similarities – including having roots in the European Union’s General Data Protection Regulation (GDPR) – they also have some significant differences worth noting.
How They Are the Same
All of these measures allow consumers greater control over the collection and use of their data, including:
- The right to know if a company is collecting a consumer’s personal data.
- The right to access that data.
- The right to opt-out of having their data collected.
- The right to demand that stored data be deleted or corrected.
- A consumer right to nondiscrimination.
While the California Consumer Protection Act (CCPA) took effect in January of last year, the voter-approved California Privacy Rights Act (CPRA) – which significantly expands the original laws scope and enforcement – goes into effect on Jan. 1 2023. The Virginia law does as well, while enforcement of both the CPRA and the Colorado Privacy Act begins on July 1, 2023.
Where Privacy Laws Differ
There are also a number of differences between the measures, including:
- The Colorado measure grants enforcement authority to district attorneys, whereas the California and Virginia laws grant that power only to the AGs.
- Under the Colorado law, companies in violation of the law have a 60-day “right to cure,” or the opportunity to correct their violations without facing prosecution. The California and Virginia laws allow only 30 days. This element in Colorado sunsets in 2025, while neither the Virginia nor California laws have a sunset provision.
- The Colorado law also requires data collectors to provide consumers with a universal opt-out option, i.e. one button that allows them to exercise all of their opt-out rights with one action.
- The California and Colorado laws apply to companies that do at least $25 million in business in their respective states annually, while the Virginia law has no dollar threshold.
- All three measures apply to companies that process the data of at least 100,000 consumers. The Virginia bill would also apply to companies that process the info of 25,000 consumers while deriving at least 50 percent of their gross revenue from the sale of that data. The California law also applies to companies under the 100K threshold if they garner 50 percent of their revenue from data sales.
More important perhaps than how they compare to one another, says Morgan Lewis LLP partner Reece Hirsch, who co-heads the firm’s privacy and cybersecurity practice, is that these measures are starting to move closer to the more robust regulation found in the GDPR.
“These laws all have differences, but they all are of a piece because they closely align with the GDPR, certainly much more so than the original CCPA did,” he says.
Sheila Fitzpatrick, president and founder of Fitzpatrick and Associates, a California-based data privacy compliance consulting firm, says the Colorado measure has also negated some of the “ambiguities” found in the two California measures.
“Under the Colorado law, not only do you have to perform privacy impact assessments, the default is that you are opted out unless you specifically opt in,” she says. “Colorado also allows consumers to appeal if a data controller rejects their access or deletion requests.”
There are of course many more similarities and differences than can be listed in this space. A fuller, point-by-point comparison of the three measures can be found here.
More Privacy Bills on the Way
As of this writing at least five more states – New York (AB 680, AB 6042, SB 567, SB 6701) Massachusetts (SB 46), Ohio (HB 376), North Carolina (SB 569) and Pennsylvania (HB 1126) – have pending comprehensive privacy measures. Similar bills failed this year in at least 16 states, including Florida (SB 1734), Washington (HB 1433), Texas (HB 3741) and Illinois (HB 3910).
A growing number of bills are also now in the queue in Congress, though progress there in recent years can be summed up by one word: nonexistent. Hirsch says that while the passage of the state measures increases the pressure to have comprehensive federal legislation, he doubts it is enough right now to change that trend.
“You won’t see a groundswell at the federal level until businesses have reached the pain threshold,” he says. “When these new laws come online in 2023 – and perhaps other new laws as well – the privacy compliance landscape is going to become much more complicated. And when those complications reach a level of impeding the ability of companies to do business, then I think you’ll see the outcry for a uniform federal law.”
A new player recently arrived on the scene that could have an impact on this scenario. In July, the Uniform Law Commission (ULC), a nonprofit group comprised of members appointed by each state, the District of Columbia, Puerto Rico and the U.S. Virgin Islands, approved far less comprehensive model legislation it hopes states will take a serious look at in the coming year.
The ULC has produced hundreds of model laws over the years, with varying levels of success, the most notable being 1952’s Uniform Commercial Code.
Under its proposed Uniform Personal Data Protection Act (UPDPA), consumers would not have the right to delete their personal data or request the transmission of that data to another entity. In a blog post, former Future of Privacy Forum Policy Council Pollyanna Sanderson notes the law would also only apply “to data ‘maintained’ in a ‘system of records’ used to retrieve records about individual data subjects for the purpose of individualized communication or decisional treatment.”
The ULC has produced hundreds of model laws over the years, with varying levels of success, the most notable being 1952’s Uniform Commercial Code. It contends the UPDPA would provide “a reasonable level of consumer protection without incurring the compliance and regulatory costs associated with some existing state regimes.”
Some observers see it much differently.
“This is a very weak piece of legislation,” Fitzpatrick says, pointing to the measure’s “very subjective” interpretations about what constitutes “compatible, incompatible and prohibited” data practices.
That said, she believes at least some states will consider it.
“I think it could be an easy out for states that are otherwise unprepared to adopt a privacy law, or don’t have the appetite for it. For them it could be something where they could check the box and then say ‘we have privacy regulation.’ But would it be effective? No.”
A Private Right of Action
The ability for individuals to sue over privacy violations – the private right of action – has long been one of the most contentious elements of state-level data privacy measures.
To date, only California allows it, and then only in the case of data breaches where a company was profoundly negligent in how they cared for a consumer’s personal data. More could potentially follow, as all of the still pending state measures except the one in Ohio include a similar allowance.
Mary Stone Ross, a former CIA counter intelligence officer and counsel to the U.S. House Intelligence Committee, co-wrote the ballot measure that eventually became the CCPA, which California lawmakers approved in 2018. It originally contained a private right of action, but that element was lost int the distilling process that turned it into legislation instead. It is a loss she says still haunts consumers to this day.
“The laws are complex, but the problem is complex too. And there are so many companies that are just flagrantly abusing our personal information that you just can’t keep up with the problem,” she says.
“There are businesses out there that are just gambling and presuming they won’t get caught,” she adds. “And if they do, there’s a right to cure. If there was a private right of action, that’s not how they would operate.”
Ross also believes the possibility of federal legislation is likely directly tied to the number of privacy laws adopted in the states. But she says Big Tech knows this too, making the likelihood that the battles there will be brutal.
“Big tech’s lobbyists have woken up to the fact that people do care about privacy, and there is going to be a lot more political pressure to pass legislation at both the state and federal level,” she says. “And one way for them to exert their influence is to make sure those laws are relatively weak and their enforcement is relatively weak so they can continue to engage in the same practices they engage in today.”
-- By RICH EHISEN
Momentum Growing for Comprehensive Data Privacy Laws
In July Colorado became the second state this year and the third state overall - after Virginia (2021) and California (2018) - to adopt comprehensive legislation governing how businesses can collect, store, share and process consumers’ personal data. Comprehensive data privacy measures are still pending in at least five other states: Massachusetts, New York, North Carolina, Ohio and Pennsylvania. Similar legislation has also failed this year in at least 16 states, including Florida, Illinois, Texas and Washington.