By: Phil Yannella, Kim Phan and Greg Szewczyk1
Over the past four years, U.S. companies have been forced to expand their compliance programs to comply with an expanding array of international and U.S. state privacy laws. The wave of privacy laws began in May 2018, when the General Data Protection Regulation (GDPR) became effective, triggering new compliance obligations for U.S. companies with operations in the European Union. On the heels of the GDPR, other countries such as Brazil, Australia, India, Canada and China passed or expanded new privacy legislation, further expanding the scope of privacy compliance for U.S. multinationals.
In the U.S., there has likewise been a creeping expansion of state privacy laws. In 2020, the California Consumer Privacy Act (CCPA) became effective, triggering new legal requirements for U.S. companies that conduct business in California and generate yearly revenues of greater than $25,000,000.2 Other states, such as Nevada, Utah, and Maine, have since passed smaller, less comprehensive privacy laws.
In November 2020, California voters approved, via ballot initiative, the California Privacy Rights Act (CPRA), which significantly expands on the CCPA and introduced a number of GDPR-like privacy concepts as well as some entirely new legal obligations. In March 2021, the Virginia legislature passed the Virginia Consumer Data Protection Act (VCDPA),3 which incorporates many of the same concepts as the CPRA, but varies in enough ways that compliance with the CPRA does not necessarily entail compliance with the VCDPA.
At the same time, numerous other states have proposed, but ultimately failed to pass, state privacy laws. Recently, proposed privacy laws in Florida4 and Washington,5 for example, failed to pass. The Washington Privacy Act (WPA) has now failed three consecutive years, foundering on the issue of a private right of action - a common point of disagreement in many state legislatures. Presently, other proposed state privacy laws, such as bills in New York and Connecticut, remain alive and could potentially become law in 2021. Due in part to the lack of a federal privacy law - various proposals continue to stall due to disagreements over enforcement and pre-emption - it is very likely that U.S. states will continue to propose and consider privacy legislation after 2021.
The dilemma for U.S. multinationals is how to manage compliance with the growing patchwork of state and international privacy obligations. These laws, as discussed in more detail in this article, share many characteristics, but they each differ in ways that complicate compliance. If privacy law were a Venn diagram, the GDPR would form the outermost ring, with the CPRA, CCPA, and VCDPA fitting within the GDPR in loosely concentric circles. But there is enough variance between these laws that simply complying with the GDPR would not be sufficient for companies subject to all of them.
The purpose of this article is to compare and contrast the major U.S. privacy laws, identifying areas of overlap as well as areas where compliance will require state-specific analysis, disclosures and policies.
II. Status and Timeline of U.S. State Privacy Legislation and Laws
Since November 2020, two U.S. states - California and Virginia - have passed comprehensive privacy legislation. The new California law, the CPRA, is essentially a redline and expansion of the CCPA, and will become effective in January 2023. In July 2021, the California Privacy Protection Agency (CPPA) - a first-of-its-kind state privacy regulator created by the CPRA - will announce formal rulemaking for CPRA regulations.6 These regulations are expected to be finalized by July 2022. The CPPA will commence enforcement of the CPRA in July 2023.7
Virginia's privacy law, the VCDPA, will become effective in January 2023.8 Unlike the CPRA, however, there is no provision for rulemaking in Virginia.
As has become a yearly pattern, numerous other states proposed privacy legislation in 2021, but presently none have passed. Proposed legislation in Alabama, Arizona, Colorado, Connecticut, Illinois, Kentucky, Maryland, Massachusetts, Minnesota, and New York is still under consideration. Legislatures failed to pass proposed privacy legislation in Mississippi, Oklahoma, Florida, Washington, and Utah.
III. Comparing Different State Approaches to Key Privacy Issues
A. Compliance Thresholds
Generally speaking, state privacy laws apply to entities that collect personal information from a state's residents in connection with their business operations and that satisfy certain qualifying thresholds. One of the key differences between state privacy laws and proposed legislation is which thresholds must be met in order for the laws to apply.
Under the CCPA, those thresholds are set forth in the definition of "business."9 The CCPA defines business to mean virtually any for-profit entity, including any "sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners."10
1 Philip N. Yannella is the Practice Leader of Ballard Spahr's Privacy & Data Security Group and the firm's Cybersecurity Incident Response Team. He provides clients with 360-degree advice on the transfer, storage, and use of digital information.
Kim Phan is a Partner at Ballard Spahr, who counsels clients on federal and state privacy and data security laws and regulations. Her work in this area encompasses strategic planning for companies to incorporate privacy and data security considerations throughout product development, marketing and implementation.
Greg Szewczyk is a Partner in Ballard Spahr's Privacy and Data Security and Litigation groups. He has represented companies in cases in numerous privacy and cybersecurity contexts, including data breach class actions, post-incident business-to-business disputes, and alleged violations of laws for online tracking practices.
2 Cal. Civ. Code § 1798.140(d).
3 Va. S.B. 1392, § 59-572(A).
4 HB 969 (proposed Florida Privacy Protection Act).
5 S.B. 5062 (Washington Privacy Act).
6 Cal. Civ. Code § 1798.185(d).
8 Va. S.B. 1392, § 59-572(A).
9 Cal. Civ. Code § 1798.140(c).