In the absence of a comprehensive federal privacy law in the United States, California, Virginia, and Colorado have each enacted state-level frameworks to protect the data privacy of their residents. The California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA) become effective on January 1, 2023, and the Colorado Privacy Act (ColoPA) on July 1, 2023.
The CPRA, VCDPA, and ColoPA have a lot of overlap in the protections they provide consumers and the requirements they impose on businesses within their scope. However, there are also notable differences that could cause confusion for covered businesses when preparing to comply with the three frameworks simultaneously. As 2023 approaches, it will be important for impacted businesses to develop a compliance plan that addresses all three frameworks to reduce their privacy risk.
One of the key challenges to developing a privacy program is balancing the risk of violation against the resources it takes to comply. This article describes strategies to address some of the most significant discrepancies between the CPRA, VCDPA, and ColoPA by creating a normalized program that covers all jurisdictions with a one-size-fits-all approach. However, some businesses may opt to segregate their privacy program by authority to get the maximum value from the data they hold, or to reduce their effort to comply. These decisions are determined on a case-by-case basis upon considering a host of factors, including the business’s future, its risk posture, and the value of the data.
The CPRA, VCDPA, and ColoPA all require businesses to provide opt-out rights to consumers. The CPRA requires businesses to provide an opt-out of the selling and sharing of personal information. The VCDPA and ColoPA’s opt-out requirements give consumers the right to prohibit for-profit sharing by requiring an opt-out for the sale of personal information, targeted advertising, and profiling.
Businesses seeking to comply with both opt-out approaches can satisfy the requirements of each by providing an opt-out for the sharing and sale of personal information. Allowing consumers to opt out of sharing is broader than opting out of targeted advertising and profiling, because opting out of sharing prohibits any form of sharing personal information, whether it is for profit or not.
Data Subject Rights
Beyond opt-out rights, all three frameworks also provide consumers with the following data subject rights:
- the right of access
- the right of correction
- the right of portability
- the right of deletion
The most notable difference is that the VCDPA and ColoPA apply the right to deletion broadly toward any personal data collected by the business that relates to the consumer (e.g., from data brokers or third parties). The CPRA’s deletion right is narrower in scope, as it only covers the right to delete personal information that the business has collected from the consumer. Another significant difference is that data subject rights are granted to employees and sub-contractors under the CPRA. The VCDPA specifically exempts employees and sub-contractors from the definition of consumer, and the ColoPA is silent on whether the law applies to employees or contractors.
To comply with all three laws using a normalized approach, provide consumers the rights of access, correction, portability, and deletion for any personal information relating to the consumer, regardless of whether the business collected it from the consumer or not. Additionally, in a normalized program, employees and sub-contractors should be considered consumers and granted data subject rights by the business.
However, data companies should weigh the benefit of implementing a segregated approach to deletion, as the loss of personal information collected from third parties in California may be costly. Additionally, depending on the business, a segregated privacy approach may save significant resources by avoiding data subject requests by employees and sub-contractors in Virginia and Colorado.
The CPRA expressly requires a “Do Not Sell or Share My Personal Information” link on businesses’ homepages. The ColoPA requires the regulating body to create an opt-out rule by 2024, and currently the VCDPA does not specify how a business should signal an opt-out. The CPRA and the ColoPA also allow data subject rights (DSR) requests to be made by authorized agents. The VCDPA does not require businesses to comply with rights requests from authorized agents.
To comply with all three frameworks using a normalized privacy approach, provide an opt-out link on the homepage and accept DSRs made by authorized agents on the consumer’s behalf. As with deletion, there is a broad swath of companies (e.g., those that sell data) which are likely to benefit by choosing not to signal this right broadly. Businesses that segregate their approach toward signaling should look for further regulator guidance for more clarity around VCDPA and ColoPA signal preferences.
Sensitive Personal Information
The CPRA provides a right for consumers to limit the use of sensitive personal information, notwithstanding specified purposes allowed by law. Alternatively, the ColoPA and VCDPA require that the business obtain opt-in consent from the consumer before processing any sensitive personal information.
To streamline compliance, follow the VCDPA and ColoPA opt-in approach. Obtaining opt-in consent prior to processing sensitive personal information provides a stronger right to the consumer than the CPRA’s approach, which amounts to an opt-out. The opt-in requirement prohibits the processing of sensitive data by default, and it is a presumptive right that does not need to be exercised. As such, using an opt-in will satisfy the CPRA’s requirement because it provides the consumer with a higher level of protection than the law requires. However, there remains uncertainty about whether sensitive information collected prior to the effective date will be retroactively covered. Businesses should be on the lookout for more clarification here.
Data Protection Assessments
The VCDPA and ColoPA each require businesses to carry out data protection assessments for different processing activities, such as the sale of personal information, targeted advertising, profiling that creates certain risks for consumers, and processing sensitive personal information. In addition to those, the ColoPA requires data protection assessments for any other activities that may present a heightened risk to consumers. The CPRA does not require data protection assessments for any processing activities, but there is a provision that calls for the regulator to issue regulations requiring assessments for processing activities that present a significant risk to privacy or security.
To comply with the data protection assessment requirements in all three frameworks, businesses should follow the requirements of the VCDPA and require data protection assessments for the sale of personal information, targeted advertising, profiling that creates certain risks for consumers, the processing of sensitive personal information, and any other activities that may present a heightened risk to consumers. Businesses will not be required to perform data protection assessments for processing activities that occurred prior to the effective date of the law, but keep an eye out for additional requirements for California in this area.
Right to Appeal
The VCDPA and ColoPA both grant consumers the right to appeal a controller’s decision to deny a rights request. If the appeal is denied, both frameworks also require the business to notify the consumer of their right to submit a complaint with the respective state’s Attorney General. Alternatively, the CPRA does not require businesses to provide consumers with the right to appeal denied rights requests, or to inform consumers of the right to complain to a regulator.
Under a normalized privacy program, businesses can follow the guidance of the VCDPA and ColoPA and provide consumers with a right to appeal, as well as the right to file a complaint with the regulator. However, some businesses may benefit more from segregating the right to appeal due to the significant resources required to handle the volume of appeals from California consumers.
Time to Cure
The VCDPA provides a 30-day period to cure violations before an enforcement action can be initiated. Where possible, the ColoPA provides businesses with a 60-day cure period. Alternatively, the CPRA removed the existing cure period in the California Consumer Privacy Act (CCPA). However, the California AG is currently developing a tool to crowdsource do-not-sell complaints.
A normalized privacy program should aim to cure alleged violations within 30 days to satisfy the timeframes of both the VCDPA and ColoPA. However, there is no guarantee that a business will be permitted to cure a violation against a California consumer. Any claims of violations should be escalated to the appropriate department as soon as possible, as the cure period may be triggered by the complaint.
The Ethos Privacy consulting team is helping many organizations — from Fortune 100s to small businesses — manage challenges such as multi-jurisdictional compliance. If you would like to talk to one of our team members about how we can help you, email us.