Toward a Patchwork of State Privacy Regulations: Recommendations for Colorado Businesses

Opinion

Camila Tobón
DAVIS GRAHAM & STUBBS

Virginia has now joined California as the second state to pass comprehensive privacy legislation with the enactment of the Virginia Consumer Data Protection Act. The VCDPA differs in several respects from the California Consumer Privacy Act of 2018 and is competing with the CCPA as the model for other states, including Colorado, to follow. This article discusses the key elements of the VCDPA, the main differences between the VCDPA and the CCPA, how Colorado's privacy bill (SB-190) compares to the VCDPA, and recommendations for Colorado businesses.


THE VCDPA’S SCOPE AND GENERAL REQUIREMENTS

The VCDPA takes effect Jan. 1, 2023, and applies to companies that collect and process the personal data of "consumers." A consumer is a Virginia resident acting in an individual or household context, not in a commercial or employment context. Personal data is broadly defined as information that is linked or reasonably linkable to an identified or identifiable individual. Covered entities are companies that conduct business in Virginia or produce products or services targeted to residents of the state and that either control or process the personal data of at least 100,000 consumers per calendar year, or derive over 50 percent of annual gross revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.

The key elements of the VCDPA are accountability and control. Control relates to a consumer's ability to exercise certain rights over their personal data. Those rights include access (please confirm you process my data), data portability (I want a copy of my data), correction (please correct my data), opt-out of sale, targeted advertising, and profiling (please stop using my data for these purposes), and deletion (please delete my data). The VCDPA also creates a sub-category of personal data deemed sensitive, which includes information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, and citizenship or immigration status; genetic or biometric data processed to uniquely identify an individual; personal data collected from a known child; and precise geolocation data. Companies must obtain the consumer's opt-in consent before processing sensitive data.

Accountability relates to a company's outward-facing statements on what it does with personal data as well as its internal procedures for appropriately managing the risk of collecting and processing personal data. "Controllers," the entities that determine the purposes and means of processing, must publish clear and meaningful privacy notices; follow data minimization, collection limitation, and secondary use limitation principles; implement appropriate security measures; and perform assessments of "high-risk" processing activities that weigh the benefits of the activity against the risk to consumers. "Processors," the entities that process personal data on behalf of a controller, must handle personal data consistent with the controller's instructions, assist the controller in meeting its obligations under the law, and ensure that subcontractors adhere to the same obligations.

DIFFERENCES BETWEEN THE VCDPA AND THE CCPA

Although both laws focus on accountability and control, the CCPA takes a very granular approach to regulation, providing specific compliance targets both in the statute and in its implementing regulations (such as specific direction on how to provide consumers the right to opt out). The VCDPA, on the other hand, provides general principles and leaves it up to companies to determine how best to meet the requirements in the law.

Other differences include the scope of applicability (a business falls under the CCPA if it has over $25 million in annual gross revenue, derives 50 percent or more of its annual revenue from selling personal information, or annually buys, sells, or shares the personal information of 50,000 or more consumers, households, or devices), the commercial and employee data exceptions (the CCPA exceptions sunset on Jan. 1, 2023), and exceptions for entities subject to federal laws like the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act (the CCPA exceptions cover only the specific data that is subject to those laws, while the VCDPA exempts the entities governed by those laws altogether). Enforcement also differs. Although both provide for enforcement by the state attorney general, the CCPA adds a private right of action for data breaches where the company failed to implement and maintain reasonable security practices. The VCDPA has no private right of action.

COLORADO’S SB-190 IS LIKE THE VCDPA

Nearly half of the states have introduced some form of privacy legislation this year, and the bills tend to follow either the CCPA or the VCDPA. In Colorado, the version of SB-190 that was introduced in late March tracked the VCDPA with a few notable exceptions. First, it included a broader right to opt out, allowing consumers to opt out of any personal data processing and not just specific processing activities. Second, it did not regulate processors as closely as the VCDPA, requiring only that they adhere to a controller's instructions for processing and cooperate with a controller in meeting its obligations. Lastly, although the introduced version, like the VCDPA, did not include a private right of action, it did allow enforcement by district attorneys as well as the state attorney general.

RECOMMENDATIONS FOR COLORADO BUSINESSES

The increased focus on privacy regulation suggests that Colorado businesses should start looking at their personal data handling practices now and formalize their internal processes to get ahead of the curve.

First and foremost, businesses should gain a solid understanding of what personal data is collected, how and why it is used, where it is stored, how it is secured, and with whom it is shared and why. This "data mapping" or "data inventory" exercise should cover not only primary databases but also the copies that tend to be overlooked, such as backups, log files, analytics exports, and data held by vendors, since those are the places where a deletion or access request most often goes unfulfilled. The inventory will help an organization identify its internal personal data handling practices and determine what laws might apply.

Companies can then take a risk-based approach to managing that personal data. Are certain data stores more sensitive? Do certain processing activities pose greater risks to individuals? Are there specific laws coming down the pike that the company will need to comply with? Answering these questions will help the business determine the appropriate and necessary controls for managing personal data.

For transparency, the company should regularly review its privacy notice to confirm that it accurately describes what personal data is collected, how it is used, and with whom it is shared. Agreements with vendors should be reviewed to ensure appropriate limitations and safeguards are in place. Records retention policies and schedules should be updated so that the company does not retain personal data for longer than necessary; data that is no longer needed offers no business value but still carries the full exposure of a breach or a regulatory inquiry. Lastly, to the extent consumer data rights will apply, the company should develop internal guidelines for receiving and classifying consumer requests, verifying the identity of the requester, searching the appropriate repositories, and preparing a response within the statutory deadline.

As we head toward a patchwork of state regulation, companies will have to adopt internal processes that can be adapted to new laws or changing requirements. When privacy rules are treated as a matter of "when" they will apply and not "if," an organization can allocate the necessary resources to appropriately assess its personal data handling practices and work to formalize policies and procedures that will help it achieve compliance in a timely way.

Camila Tobón is a member of the finance and acquisitions department and the intellectual property and technology law group of Davis Graham & Stubbs.