The State of the States’ Consumer Privacy Laws
Rita Garry examines data privacy laws in the US and how they have developed across multiple jurisdictions.
The Origins and Importance of Privacy
In 1789 when the US Constitution was ratified, the word privacy was nowhere to be found. Rather, it was baked into the Third, Fourth, Fifth Amendments’ limitations on governmental intrusions into personal territorial, bodily, and communication privacy. In 1890, Samuel Warren and Louis Brandeis published “The Right to Privacy” in the Harvard Law Review, describing privacy as “the right to be let alone”. Elsewhere in the world, in 1948 the General Assembly of the United Nations proclaimed privacy as a human right, declaring: “no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence”.
In contrast, the 1972 amendment to the California Constitution added an explicit guarantee of the right to privacy, stating: “All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy”.
Regardless of the historical or societal origins, it is clear that a person’s right to privacy is universally viewed as a fundamental individual right and an essential element of personal freedom. In the New Millennium, the concept of personal privacy has expanded past unlawful governmental intrusions and grown more sensitive in this digital age. Technological advances have produced exponential growth in the volume and variety of personal data being generated, collected, stored, and analysed, which presents both promise and potential peril. It is true that the ability to harness and use data in positive ways drives innovation and brings beneficial technologies to society, but it also has created risk to privacy and freedom.
The unauthorised disclosure of personal information and loss of privacy can have devastating impacts ranging from financial fraud, identity theft, and unnecessary costs in personal time and finances to destruction of property, harassment, reputational damage, emotional distress, and physical harm. Therefore, a critical question is: can privacy laws coexist with enterprise growth innovation?
US Privacy Law Development
In the US, privacy laws have developed sector by sector, with notable examples including the 1978 Family Educational Rights and Privacy Act (FERPA) protecting student education records; the 1996 Health Insurance Portability and Accountability Act (HIPAA) governing personal healthcare data (as augmented by the 1999 HIPAA Privacy Rule, the 2003 HIPAA Security Rule, and the 2010 Health Information Technology for Economic and Clinical Health Act (HITECH)); the 1998 Children’s Online Privacy Protection Act (COPPA) concerning children’s online privacy; and the 1999 Gramm-Leach-Bliley Act (GLBA) governing personal information as used by financial institutions. To date, however, there is no comprehensive federal data privacy or protection law.
The European Union (EU) led the world in 2018 with its General Data Protection Regulation 2016/679 (“GDPR”), setting up a legal privacy framework for all 27 EU nations and the countries of the European Economic Area (“EEA”). GDPR is now being used as a model by some US States, such as California, Colorado, and, to a lesser degree, Virginia: the first three US States to enact comprehensive personal data protection legislation. This article describes these laws’ statutory constructs in broad terms and examines their differences and commonalities, the protection gaps they create for US consumers, and the confusion they impose on business compliance efforts.
The enacted States’ data privacy and protection laws (CA, CO, VA) all set a two-tiered jurisdictional threshold model for assessing applicability. In the first instance, the laws apply to all businesses that collect, process, or store personal information of each State’s residents. eCommerce has transformed consumer data into a core asset of all enterprises, big, small, or in between.
Obviously this applicability standard makes such laws’ applicability very broad. However, to lessen the burdens on small business, the laws become more tailored and set screening mechanisms by judging enterprises by annual worldwide gross revenues ($25 million in CA, no revenue thresholds in CO or VA); or by volume of personal information (50,000 records in CA (as counted by residential consumers, households, or devices) and 100,000 records in CO and VA); or by a percentage of worldwide annual revenue derived from selling residents’ personal information (50% in CA, at least 25,000 records for CO residents, and 50% in VA involving at least 25,000 VA residents).
Exclusions or Exceptions
Generally, these States’ consumer privacy laws grant exclusions for personal data already protected by HIPAA, HITECH, GLBA, etc., and exempt certain categories of personal information such as public records and aggregated or deidentified personal data.
The enacted US States’ data protection laws all include key definitions and assign meanings to the backbone words and terms of consumer data protection legislation. These always include: “Consumer”, being the residents of the enacting State; “Covered Entity” or similar scoping term that sets the thresholds for the law’s reach; “Personal Data” or sometimes “Personal Information” which is generally described as information that is linked or reasonably linkable to an identified individual, and “Sensitive Personal Information” which adds special protections for categories of personal information such as biometric and genetic data, racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual orientation and, sometimes, citizenship status. Each definitional difference matters because enterprises seeking to comply must first know each consumer’s home state and then also assess whether their data is included within such definitions.
Consumer Rights and Request Response
These laws give their residents certain rights to control their personal information, including:
- Right of Access or Right to Know
- Right to Correction
- Right to Deletion
- Right to Data Portability
- Right to Opt-Out of Sale
- Right to Opt-Out of Targeted Advertising – Beginning 1 January, 2023 in CA, CO, and VA
These consumer rights require enterprises to set up one (CO and VA) or two (CA) methods for making consumer requests, and impose duties to respond to such requests and to implement processes for doing so fairly, without charge or discrimination, and on a timely basis, which is usually 45 days at the most. Some States, such as Colorado, also require the business to have an internal appeal process for requests it refuses to process. Also, a consumer’s exercise of these rights cannot face obstacles such as added fees, new account creation, or discrimination in pricing or service in the future.
Countervailing consumers’ data rights are controllers’ and processors’ duties. Broadly speaking, these duties include:
- Duty of Transparency (Privacy Notice)
- Data Minimisation and Purpose Specification
- Duty of Notice and Provide Opt-Out Methods
- Duty of Care to Safeguard Personal Information
- Duty to Avoid Discrimination
Annual Reviews of Privacy Policies and Data Protection Assessments
In addition to having the means to respond to consumer requests, businesses controlling personal information must also give consumers an accessible, clear, and meaningful privacy notice that includes a laundry list of required disclosures, such as the categories of personal data collected or processed and by whom; the reasons these categories of personal data are processed; instructions on how consumers can exercise their data rights; the personal data that is shared, with whom, and why; and conspicuous notices about its “sale”. On 1 January, 2023 (the effective date for CO, VA, and the California Privacy Rights Act (“CPRA”)), enterprises must conduct and document annual “data protection assessments” to measure whether their data processing activities create a “heightened risk of harm” to consumers.
Each of CA, CO, and VA’s regulations impose a reasonable data security requirement for enterprises to establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. In CA, under the CPRA, annual cybersecurity audits will also soon be required.
Without a private right of action (available only in California, on a limited basis), these laws are to be enforced by each State’s Attorney General, statutorily empowered to write regulations and impose civil penalties. Those penalties are: $2,500 per violation ($7,500 for intentional or willful violations) in CA; $20,000 per violation in CO; and $7,500 per violation in VA.
The Future of Data Privacy Laws
As CA, CO, and VA’s consumer privacy laws illustrate, legislators view privacy as a fundamental individual right and an essential element of personal freedom worthy of protection. With 10 or more other States considering similar legislative protections for their citizens, it is obvious that privacy laws will soon dominate enterprise use of personal information. That said, the current US approach stands in stark contrast to GDPR, produces an expensive compliance matrix for all enterprises seeking to be good data stewards, creates an unlevel playing field between enterprises that can afford compliance and those that cannot, and differentiates between residents with fundamental privacy rights and those without them.
Rita W Garry, Shareholder
Robbins, Solomon & Patt
Address: 180 N. La Salle Street, Suite 3300, Chicago, Illinois 60601
Tel: 312 456 0285
RSP is an Illinois-based law firm that has represented clients across the Chicagoland and Midwest area for over 50 years, building strong relationships with small- and medium-sized businesses across a broad range of industries.
Rita W Garry is a seasoned corporate, transactional and data privacy attorney. Among her other work, she guides enterprise clients, both nationally and internationally, in designing and operationalising data management and protection law compliance programmes.