Consumer Data Privacy Laws - Where Are We Now?
In the void left by the absence of a comprehensive federal privacy law, states continue to consider, and pass, their own laws regarding the collection, use and maintenance of consumer personal information. As we closely follow how these laws will impact our clients and various industries, we offer this brief summary of current activity and what we will be monitoring in the coming months.
Probably the first thing on every privacy lawyer's mind is what is going on in California. By way of background, the California Consumer Privacy Act (CCPA) came into effect on January 1, 2020, though its impact on many businesses was muted due to the CCPA's exemptions for employee/human resources (HR), independent contractor and business (B2B) data as well as broader exemptions for data subject to the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act, the Gramm-Leach-Bliley Act, and other regulatory schemes. A major revision to the CCPA, dubbed the California Privacy Rights Act (CPRA), was passed in November 2020. The status of the CPRA remains highly uncertain, and its ultimate effect on businesses remains to be seen.
In its present form, the CPRA would usher in significant changes to privacy at many organizations. Effective January 1, 2023, it would apply a broad range of individual rights (think access, correction, deletion) and other legal obligations to broad swaths of employee/HR, contractor/1099 and B2B data held by businesses. Other changes would affect a business's vendor agreements, risk assessments and privacy strategy for new initiatives.
Though the January 1, 2023, effective date is on the horizon, much remains uncertain. First, state regulations regarding the details of how to comply with CPRA that were promised no later than July 1 are now delayed, and the state has provided few hints on when we can expect such regulations to be published. Second, two bills in the state legislature (AB 2871 and AB 2891) would delay application of the CPRA to employee/HR, contractor/1099 and B2B data; one bill would delay application until 2026, and the other would delay application indefinitely. Given that these categories represent many businesses' greatest exposure under CPRA, we are tracking these bills closely, as passage of either would have a material impact on compliance obligations.
As we move eastward, Colorado, Utah and Virginia all have recently passed consumer privacy laws. While similar in many respects to CCPA and CPRA, these laws notably exempt employment and B2B data, making their application much narrower than what we may see in California. Effective dates for these laws are January 1, 2023, in Virginia; July 1, 2023, in Colorado; and December 31, 2023, in Utah. And as of the date this newsletter is published, we are closely monitoring Connecticut, Iowa and Oklahoma to see which will be the next state to pass a consumer data privacy law.
We are working now with in-house counsel and business leaders on evaluating the application of these laws, devising privacy compliance solutions and future-proofing programs as states continue to pass their own laws.