Insights
Day Pitney remains committed to providing quality legal counsel, while protecting our clients and employees, and transforming our communities into more just, equal and equitable spaces. For more information, please visit our COVID-19 Resource Center | Racial Justice and Equity Task Force.
In the void left by the absence of a comprehensive federal privacy law, states continue to consider, and pass, their own laws regarding the collection, use and maintenance of consumer personal information. As we closely follow how these laws will impact our clients and various industries, we offer this brief summary of current activity and what we will be monitoring in the coming months.
Probably the first thing on every privacy lawyer's mind is what is going on in California. By way of background, the California Consumer Privacy Act (CCPA) came into effect on January 1, 2020, though its impact on many businesses was muted due to the CCPA's exemptions for employee/human resources (HR), independent contractor and business (B2B) data as well as broader exemptions for data subject to the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act, the Gramm-Leach-Bliley Act, and other regulatory schemes. A major revision to the CCPA, dubbed the California Privacy Rights Act (CPRA), was passed in November 2020. The status of the CPRA remains highly uncertain, and its ultimate effect on businesses remains to be seen.
In its present form, the CPRA would usher in significant changes to privacy at many organizations. Effective January 1, 2023, it would apply a broad range of individual rights (think access, correction, deletion) and other legal obligations to broad swaths of employee/HR, contractor/1099 and B2B data held by businesses. Other changes would affect a business's vendor agreements, risk assessments and privacy strategy for new initiatives.
Though the January 1, 2023, effective date is on the horizon, much remains uncertain. First, state regulations regarding the details of how to comply with CPRA that were promised no later than July 1 are now delayed, and the state has provided few hints on when we can expect such regulations to be published. Second, two bills in the state legislature (AB 2871 and AB 2891) would delay application of the CPRA to employee/HR, contractor/1099 and B2B data; one bill would delay application until 2026, and the other would delay application indefinitely. Given that these categories represent many businesses' greatest exposure under CPRA, we are tracking these bills closely, as passage of either would have a material impact on compliance obligations.
As we move eastward, Colorado, Utah and Virginia all have recently passed consumer privacy laws. While similar in many respects to CCPA and CPRA, these laws notably exempt employment and B2B data, making their application much narrower than what we may see in California. Effective dates for these laws are January 1, 2023, in Virginia; July 1, 2023, in Colorado; and December 31, 2023, in Utah. And as of the date this newsletter is published, we are closely monitoring Connecticut, Iowa and Oklahoma to see which will be the next state to pass a consumer data privacy law.
We are working now with in-house counsel and business leaders on evaluating the application of these laws, devising privacy compliance solutions and future-proofing programs as states continue to pass their own laws.
Would you like to receive our Day Pitney C.H.A.T. Newsletter? Sign up here.
This website may use cookies, pixel tags and other passive tracking technologies, including Google Analytics, to improve functionality and performance. For more information, see our Privacy Policy. By using our website, you are consenting to our use of these tracking technologies. You can alter the configuration of your browser to refuse to accept cookies, but if you do so, it is possible that some areas of web sites that use cookies will not function properly when you view them. To learn more about how to delete and manage cookies, refer to the support instructions for each browser (e.g., see AllAboutCookies.org). You may locate Google Analytics' currently available opt-outs for the web here.
This website may use cookies, pixel tags and other passive tracking technologies, including Google Analytics, to improve functionality and performance. For more information, see our Privacy Policy. By using our website, you are consenting to our use of these tracking technologies. You can alter the configuration of your browser to refuse to accept cookies, but if you do so, it is possible that some areas of web sites that use cookies will not function properly when you view them. To learn more about how to delete and manage cookies, refer to the support instructions for each browser (e.g., see AllAboutCookies.org). You may locate Google Analytics' currently available opt-outs for the web here.