New comprehensive privacy frameworks in California, Virginia and Colorado are set to come into effect in 2023, and in recent days attention has turned to Utah, where a privacy bill closely resembling Virginia’s is on the governor’s desk for signature. The rulemaking processes for the enacted laws are in their early stages. To the chagrin of covered businesses, privacy advocates and interested spectators alike, it is too soon to tell what regulations will be promulgated and how the laws will be implemented and enforced. However, the relevant state organizations—which include newly created agencies, state Attorneys General (“AGs”) and so-called “Work Groups”—have made early progress and are signaling what we may see in the future. This Legal Update provides an overview of recent developments for each of the new laws.
I. California and the CPRA
The California Privacy Rights Act (“CPRA”), which amends the currently effective California Consumer Privacy Act (“CCPA”), will take effect on January 1, 2023. (For more on the CPRA, please review our previous Legal Update: “What Comes Next After ‘Yes’ on 24? From the CCPA to the CPRA and Beyond.”) Notable CPRA provisions include:
- Creation of a new category of “sensitive personal information,” the use of which must be disclosed to consumers and limited at the request of consumers
- Enhancement of the consumer opt-out right, with an emphasis on targeted advertising
- Creation of a consumer right to correct inaccurate data
- Stronger penalties for violations related to minors’ data
- Creation of a new agency, the California Privacy Protection Agency (“CPPA”), which is charged with administering, implementing and enforcing the law
Among the first orders of business for the five-member CPPA board, which has oversight of the agency, was appointing an executive director for the agency. The executive director is responsible for day-to-day operations, including hiring and overseeing staff, leading rulemaking efforts and overseeing enforcement. For this position, the board selected Ashkan Soltani, former chief technologist for the Federal Trade Commission (“FTC”); senior advisor to the Obama White House; and privacy advocate who played a key role in drafting the CPRA.1
From September 22, 2021, through November 8, 2021, the CPPA collected public comments, which are available in four parts on the CPPA website.2 On October 21, 2021, the CPPA notified the California AG that it was ready to assume rulemaking authority. Six months after this notification, in late April 2022, the CPPA will formally take over rulemaking for the CCPA and the CPRA.3 On February 17, 2022, at a CPPA board meeting, Soltani laid out a rough timeline for the rulemaking process. He indicated that informational hearings regarding rulemaking with subject matter experts would start in mid- to late-March, before the CPPA seeks input from a broader group of stakeholders in April. Given this timeline, Soltani noted that he did not expect to adopt draft regulations by the statutory deadline of July 1, 2022. Rather, draft regulations may be delayed until fall 2022, with final regulations coming later. This is not entirely surprising, given timing constraints related to the public comments process, that the CPPA is a brand-new agency and that Soltani was appointed in October 2021. This is also not the first time California has fallen behind its own rulemaking schedule—the California AG missed the CCPA’s statutory deadline of July 1, 2020 (issuing the first draft of CCPA final regulations on August 14, 2020).
II. Virginia and the CDPA
Following close on the heels of the CPRA, Virginia passed the Consumer Data Protection Act (“CDPA”), which also takes effect on January 1, 2023. (For more on the CDPA, please review our previous Legal Update “Virginia’s New Data Privacy Law: Comparing to California and Preparing for Next Steps.”) Notable CDPA provisions include:
- Establishment of a “Work Group” to investigate and submit recommendations related to the law
- Adoption of a nomenclature—e.g., “controllers” and “processors”—akin to the EU General Data Protection Regulation (“GDPR”)
- Requirement of opt-in consent for the processing of “sensitive data”
Rather than requiring rulemaking by the state AG or a dedicated agency, the CDPA created a “Work Group” composed of legislators, industry leaders, consumer rights advocates and state executives to review the CDPA and issues related to its implementation, as well as to submit findings, best practices and recommendations to the Virginia legislature. This Work Group met six times, from June 14, 2021, to October 25, 2021, and released a report summarizing information presented at the meetings.4 Among other things, the Work Group highlighted the need to educate consumers and businesses about consumers’ rights and how to comply with the law; suggested that the state AG office pursue actual damages for consumer harm and direct an agency to promulgate regulations; and discussed potential expansions to the law, such as more specific protections for children, a limited right to cure violations and a global opt-out. Following the Work Group’s recommendations, Virginia lawmakers proposed several bills to amend the CDPA accordingly. One such bill—amending the right to delete by presenting deletion alternatives for data controllers that obtain consumers’ personal data from a source other than the consumer—passed the state House and Senate on February 25, 2022, and March 4, 2022, respectively.5 Given the limited authority to promulgate regulations under the CDPA, further activity from the Virginia legislature may be seen in the run-up to the CDPA coming into effect.
III. Colorado and the CPA
The most recent of the three, the Colorado Privacy Act (“CPA”) is due to take effect July 1, 2023. Like the CDPA, the CPA shares similarities with the GDPR, but it also has a few provisions that distinguish it from the other states’ laws. (For more on the CPA, please review our previous Legal Update “Colorado’s New Data Privacy Law: Comparing to Other States and Looking Ahead.”) Notable CPA provisions include:
- Mandate of a “universal opt-out mechanism”—effective July 1, 2024, with rulemaking due July 1, 2023—for controllers that process personal data for sale or targeted advertising to allow Coloradans to freely and easily opt out of all such processing
- Requirement of opt-in consent for the processing of “sensitive data”
- Ability of district attorneys—in addition to the state AG—to enforce the statute
On January 28, 2022, the office of the Colorado AG hosted a seminar for Data Privacy Day featuring a panel with the CPA’s sponsors; an overview of privacy legal developments across the country; a keynote from Paul Ohm, a law professor and chief data officer at Georgetown University and a noted technology policy expert; and remarks from Phil Weiser, the Colorado AG. During the panel, state legislators described the CPA as the “strongest” data privacy bill in the nation. The lawmakers were especially enthused that, starting in July 2024, Coloradans will be able to exercise a universal opt-out for all activity across the internet. Expect rulemaking by the AG office before the July 1, 2023, deadline on what this opt-out will look like, how consumers may exercise it and how service providers will be expected to comply with requests.
During Ohm’s keynote, he announced that he would serve in an advisory role during the CPA implementation and as a member of the rulemaking team. Ohm remarked that he was pleased that Colorado’s statute goes beyond addressing purely economic injury to consumers, indicating his preference to protect privacy as a fundamental right.
Weiser’s remarks focused on the broader privacy landscape and his role in enforcing the CPA.6 Weiser worked in the Obama White House on what could have become a privacy bill of rights. Due to the lack of federal action, Weiser remarked that it is up to the states to address privacy law. Weiser pronounced that violators of the CPA (and its implementing regulations, once they are promulgated) should face real consequences, noting that if some companies are allowed to ignore regulations, other companies that follow the law will be at a disadvantage. As Colorado is a first mover in this space, Weiser announced his intent to be transparent about the process; accordingly, relatively more detailed documentation and notice may accompany CPA rulemaking and enforcement actions.
A formal Notice of Proposed Rulemaking, with proposed rules, is expected by fall 2022. On March 7, 2022, the AG office issued a public invitation seeking informal comments about the CPA and future rulemaking.7 Interested individuals may share comments through this dedicated form; these informal comments made prior to the Notice of Proposed Rulemaking will not be considered part of the rulemaking record.
Also in connection with Data Privacy Day, the AG office published guidance on data security best practices.8 Although not part of the CPA rulemaking process, this guidance identifies the sort of practices Colorado regulators may enforce and the practices companies should consider adopting to prepare for the CPA. This guidance largely focuses on management of data at an institutional level, including developing, updating and enforcing written information security policies and plans; inventorying the types of data collected and using practices tailored to the sensitivity of information; vetting the security practices of vendors before hiring; training employees on how to prevent and respond to cybersecurity incidents; and notifying and proactively protecting and compensating consumers in the event of a breach.9 Weiser emphasized that Colorado requires companies to not only notify Coloradans when their data is at risk of being misused but also take reasonable steps to protect data and dispose of it when no longer needed. Adhering to these recommended procedures, following industry guidelines and best practices, maintaining a written data security policy and incident response plan and being vigilant of attacks on vendors will help companies prepare for compliance with the CPA.
* * *
We will continue to monitor developments in these states and others where privacy legislation is under consideration during this active legislative term. Please do not hesitate to reach out to any of the Mayer Brown lawyers on this Legal Update with questions about these or related developments.