It hasn’t been long since the California Consumer Privacy Act (CCPA) was the only game in town for comprehensive privacy laws in the United States. Less than two years after the CCPA went into effect, California passed a new privacy law through a ballot initiative — the California Privacy Rights and Enforcement Act (CPRA) — and Virginia and Colorado have since passed their own privacy laws. These three states are already creating a patchwork of compliance obligations for businesses and may be joined by other states in the near future.
The recently passed privacy laws in California, Colorado, and Virginia differ significantly from one another (and this topic could merit its own article). However, as other state regulators and legislatures debate passing their own privacy laws, it is worth taking a step back and assessing how the current US privacy landscape stands and how these new laws could impact future legislation. The purpose of this article is to identify similarities between these laws and analyze which aspects other states are most likely to adopt should they pass their own bills.
Here are the most notable trends from the privacy laws in California, Colorado and Virginia that are likely to influence other states:
The GDPR Remains a Key Model
Though the passage of the CCPA in 2018 has inspired other state legislatures to consider their own comprehensive privacy laws, the EU’s General Data Protection Regulation (GDPR) may serve as more of a model for US states than California’s law. For example, Virginia’s Consumer Data Protection Act (CDPA) and the Colorado Privacy Act (CPA) adopt the GDPR’s controller/processor framework rather than the CCPA’s business–service provider distinction.
They also incorporate some of the GDPR’s privacy by design principles — like data minimization and purpose limitation — which were not included in the original CCPA. Even the CPRA, while mostly maintaining the CCPA’s core framework, expands the law in such a way as to bring it more in line with the GDPR, such as by adding a category of sensitive personal information and a right to rectify for consumers. States are likely to continue to look overseas when developing comprehensive privacy legislation.
Targeted Advertising is an Area of Concern
While the CCPA did not address targeted advertising directly, the ambiguity over what constituted a “sale” under the law (and thus required an opt-out) substantially impacted the industry. The CDPA and CPA have taken this one step further and directly regulate targeted advertising by requiring controllers to provide an opt-out for such processing and to conduct a data protection assessment before engaging in this activity. Given the notoriety of this topic, targeted advertising is likely to be on the agenda for other states.
Sensitive Information Will Likely Require Special Protection
The CPRA, CDPA and CPA distinguish between information generally regulated under the law and “sensitive” data or information requiring additional protection. While the exact definition of what information is considered sensitive under these laws varies, there are several common elements among the three. Look for other states to also adopt special protections for health information, genetic and biometric data, and information about race and ethnicity, among other categories of information.
Much Information Will Be Exempt
The CDPA and CPA have adopted the CCPA/CPRA’s approach of broadly exempting information governed by various federal laws, such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA). These laws have also incorporated employment and B2B exemptions akin to the CCPA/CPRA. While these exemptions will likely continue to be a trend, the exact scope of these exemptions may vary. For example, the CDPA creates an entity-wide exemption for financial institutions regulated by the GLBA and for covered entities and business associates governed by HIPAA. This is much broader than the CCPA/CPRA’s exemptions for these laws, which apply to regulated information itself rather than to the entities that process it. The CPA and CDPA’s employee and B2B exemptions are also written more broadly than the CCPA/CPRA’s exemptions for these categories of information (and the CCPA/CPRA’s exemptions for these categories of information are currently set to expire on January 1, 2023). Other states will likely continue to exclude these categories of information, but the exact approach they implement may vary.
Conclusion
In addition to the trends discussed above, future US privacy legislation is also likely to include other elements typical of comprehensive privacy laws, such as individual rights for consumers and notice and contractual obligations for businesses. Thus, whether it be New York, Washington, Ohio, some other state, or even Congress that passes the next comprehensive privacy law in the US, the issues raised in this article are likely to be addressed in some form.