Comprehensive State Consumer Data Protection Acts: Part 2 – If One or More of the Acts Apply to You, What are Your Obligations?
If after review of your business and the CCPA, CPA, and VCDPA you determine that you are subject, in whole or in part, to the new legislation, what are your obligations? In this part two of our series on the comprehensive state consumer data protection acts, we look at that question.
If you determined the Act or Acts apply to your company, you then need to determine to what information the Act or Acts apply. Generally, the Acts apply to personal information or data. California uses the term “personal information” which covers information that identifies, relates to, or could reasonably be linked with an individual or their household. For example, California states it could include name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about an individual’s preferences and characteristics. Virginia, like the GDPR, uses the term “personal data” which includes “any information that is linked or reasonably linkable to an identified or identifiable natural person” and Colorado also uses the term Personal Data to mean “information that is linked or reasonably linkable to an identified or identifiable individual.” Not all personal information or data is covered. Each Act has numerous exemptions to what information is covered. Some of the key exemptions are set out below.
If you determine information you collect is subject to the Act or Acts, what must you do to comply? In Colorado and Virginia, similar to the EU’s General Data Protection Regulation (GDPR), that depends on whether you are a “controller” or a “processor” of data. You “control” personal data (and are a “controller”) if you determine the purpose and means of processing the personal data, alone or jointly with someone else. You “process” personal data (and are a “processor”) if you perform any operation(s) on the data, including collecting, using, storing, disclosing, analyzing, deleting or modifying the personal data. This covers just about anything that can be done with data. You can be a controller, processor, or both, depending on what you do with the personal data. In California, the CCPA has overlapping and somewhat confusing categories that impose different obligations.
1. Obligations of a Controller of Data and Business
Data controller and business obligations fall into two categories. One is to respond to consumer requests to exercise certain rights under the Acts. The other includes a set of requirements affecting your collection, handling, and disclosure of personal data.
i. Responses to Consumer Requests
In each state, the data controller or business must comply with authenticated consumer requests to exercise any of the following rights:
- To confirm whether the controller/business is processing that consumer’s personal data, and to access that personal data;
- To correct inaccuracies in the consumer’s personal data;
- To delete the consumer’s personal data;
- To obtain a copy of the consumer’s personal data that the consumer previously provided to the controller/business in a portable and usable format;
- To opt out of the processing of that consumer’s personal data for the purposes of (i) targeted advertising; (ii) sale of the personal data; or (iii) profiling to make decisions that legally or otherwise significantly affect the consumer.
Unfortunately, the differences in each Act mean that your response must be nuanced to reflect each state’s requirements. In short, careful review of all the Acts is critical to understanding the exceptions and impact on your business.
ii. General Controller/Business Requirements
Independent of your obligations to respond to consumer requests, under all three states’ laws you must also comply with certain ongoing duties.
- You must limit your collection of personal data to what is reasonably necessary to meet the purposes for which it is processed, as disclosed to the consumer.
- Except for a handful of enumerated exceptions, you must not process data for purposes not reasonably necessary to, or compatible with, the purposes disclosed to the consumer.
- You must establish and maintain reasonable administrative, technical, and physical security practices.
- You must not process personal data in violation of federal or state antidiscrimination laws.
- You must not discriminate against consumers for exercising their rights under the Act, though you may offer consumers certain incentives for not exercising their rights to opt out of targeted advertising, sale, or profiling.
- You must obtain the express consent of the consumer to the processing of certain “sensitive data.”
You must also provide a clear, meaningful, and accessible privacy notice that includes (i) the categories of personal data you process; (ii) the purposes for which the processing is done; (iii) the procedures for exercising the consumer rights we listed earlier; (iv) the categories of personal data you share with third parties; and (v) the categories of third parties with whom you share personal data. California has numerous detailed requirements, whereas Virginia and Colorado Acts are more flexible. Of course, when you post these privacy notices, you must be accurate. If you aren’t, you may be subject to additional liability for violation of other laws.
If you sell personal data, or process it for targeted advertising, you must clearly and conspicuously disclose that you do so, and you must also disclose how the consumer can opt out. Note that in Virginia, a “sale” only occurs if money changes hands, but in California and Colorado, any monetary or valuable non-monetary consideration suffices.
You must conduct and document periodic data protection assessments meeting specified requirements.
Finally, you must follow certain requirements with regard to deidentified data, including taking reasonable measures to ensure that it cannot be identified with a specific person, not attempting to so identify it, and contractually requiring anyone with whom you share it to comply with the Act regarding such data. The good news is, if data is deidentified, you aren’t required to re-identify it for purposes of complying with consumer requests.
- Part 1 – Factors that determine whether the Acts apply to your company, as well as the exceptions.
- Part 3 – Enforcement regimes under the Acts, and how the Acts affect business agreements with IT and telecom providers.