Privacy Watchers Brace for Changes to 3 State Laws Coming in 2023
Privacy attorneys and consumer advocates are closely watching rulemakings and possible legislative tweaks to three state laws taking effect in the next year and a half, they said in interviews. The California Privacy Rights Act (CPRA) and Virginia Consumer Data Protection Act (VCDPA) will become law Jan. 1, and the Colorado Privacy Act (CPA) takes effect July 1, 2023. More state laws are expected soon.
Pay attention “because things are changing,” with many unknowns, said Bracewell attorney Lucy Porter: What happens in rulemakings and legislatures could significantly affect the specifics of how businesses must comply. “They’re potentially going to prescribe the way certain things are done.” Most organizations that will be subject to new laws will have “at least a passing relationship” with the EU's general data protection regulation, she said. Compliance isn’t “complex,” but it's expensive and time-consuming.
Businesses shouldn’t wait to assess what data they possess and how they use it, said Porter. Companies also can start building backend systems for handling data access requests from consumers, she said: “From now on, privacy needs to be a part of your decision-making.” The lawyer had clients who initially thought they didn’t sell people’s data but later realized “they do in fact -- within the definition of the law -- sell data.” Companies subject to multiple state laws must decide whether to manage each state separately or follow the most restrictive state law everywhere, she said.
“Momentum has picked up and there will be more states that actually pass very similar laws in the coming year and years to come,” said attorney Tara Cho, who chairs Womble Bond’s privacy and cybersecurity team. Managing all the laws will require “advanced planning and resource allocation, with pretty substantial penalties if you fail to comply.” Companies now complying with 2018’s California Consumer Privacy Act (CCPA) may be able to tweak current practices for any nuances in new state laws, she noted. “Sometimes it’s easier to create a universal program.”
Virginia “copycat” bills are “flying through legislatures” in Indiana, Wisconsin, Utah and Iowa, said Consumer Reports Senior Policy Analyst Maureen Mahoney: There’s a gray area between California and Virginia, though copycats of the latter are moving fast while the stronger bills face a tougher uphill battle.
VCDPA Amendments
Virginia legislators have until March 12 to weigh various possible amendments to VCDPA. Unlike the other two states, Virginia didn’t give rulemaking authority to the attorney general or an agency, though a working group last year recommended changes now appearing in bills, said Porter. “They relax the rules and make it a little easier to manage for businesses.”
VCDPA was already “so weak” for consumers, said Electronic Frontier Foundation Legislative Activist Hayley Tsukayama: Proposed changes don’t strengthen the law, which she said combines poorly funded AG enforcement with a right to cure and no private right of action. All the Virginia bills are designed to water down the measure, said Mahoney: Data brokers asking for an exemption from right-to-delete provisions is one frustrating example.
The legislature passed a proposed amendment (HB-381) last week that would allow companies to honor consumers’ delete requests by opting them out of future targeted advertising, data sales or profiling, even if the companies retain older data. Gov. Glenn Youngkin (R) still must sign the bill that unanimously cleared the House and Senate last week.
HB-1259 would say consumer consent isn’t required for processing sensitive data “if such data is being used solely for the purposes of marketing, advertising, fundraising, or other similar uses related to outreach, communications, or information sharing that do not result in decisions that could produce legal or similarly significant effects concerning the consumer.” The House voted 96-4 Feb. 15 to send the bill to the Senate.
Another proposed change would repeal the law’s consumer privacy fund, placing money collected by enforcement into a different fund, and expand VCDPA’s nonprofits exemption. The House Commerce Committee voted 22-0 Thursday to clear SB-534, which passed the Senate Feb. 11 by a 38-1 vote. The Senate General Laws Committee voted 14-0 Wednesday to clear the similar HB-714, which passed the House 100-0 Feb. 15.
When the tech industry couldn’t pass privacy legislation in Washington state, it found a partner in Virginia, said Virginia Citizens Consumer Council President Irene Leech. A proposal to exempt political organizations and a proposal to alter the funding source for attorney general enforcement would further weaken an already weak piece of legislation, she said. “What they’ve done is create something that appears to be consumer protection, but in reality, is business protection and is going to be a consumer nightmare.” States replicating Virginia’s model are only furthering tech’s goal of getting favorable regulation into place so something stronger can’t replace it, she said.
Calif., Colo. Rulemakings
California’s CPRA rulemaking is delayed. At a Feb. 17 meeting, California Privacy Protection Agency Executive Director Ashkan Soltani said CPPA plans hearings this spring and a rulemaking starting in Q2 that could extend as late as Q4. That would mean the agency will miss a July 1 statutory deadline to adopt final rules.
That timeline leaves little time between final rules and the effective date, but don’t expect California to postpone Jan. 1 enforcement, said Cho: CCPA rules “went through multiple iterations right up to the enforcement date,” and the AG office sent violation notices on the first day. With an expert, resourced privacy agency behind CPRA enforcement, “scrutiny will be forthcoming,” the privacy attorney warned. Porter said businesses can get an early jump on CPRA compliance by reviewing draft rules expected this summer.
California privacy law amendment bills are surfacing in the legislature, which doesn’t adjourn until Aug. 31. BakerHostetler attorneys blogged about 16 bills Thursday. The most consequential proposals so far would extend CCPA business-to-business and employee exemptions, currently set to expire Jan. 1, said Porter: Having to apply privacy laws in a business context has been a “huge concern.” AB-2871 would extend exemptions indefinitely, while AB-2891 would extend them just until Jan. 1, 2026.
Colorado Attorney General Phil Weiser outlined this year’s CPA rulemaking in remarks last month (see 2201310060). The AG office will seek comments over the next few months, post an NPRM by fall with proposed rules and seek more comments, then adopt final rules in early 2023, the Democrat said. The Colorado legislature isn’t mulling amendments, said Porter, who doesn’t expect any.
Weiser previewed a focus on dark patterns, which is “the practice of websites making you do things that you didn’t mean to do, like accidentally putting something in your cart,” said Porter, the Bracewell lawyer. Expect the AG to “be very clear on what type of consent” is needed and how explicit businesses must be about what they’re collecting. Weiser also foreshadowed more guidelines on data protection impact assessments and data subject access requests, said Porter.
Weiser's “key theme ... was the symbiotic relationship between effective data privacy and attention to data security, and the role that data minimization plays in both,” Wyrick Robbins lawyer Mario Meeks blogged Feb. 22. “Unnecessary collection and retention of data will count against a finding that a business’s data security practices are reasonable.”
Mahoney is more optimistic about potential updates in Colorado and California, where the tech industry hasn’t been able to push through proposals easily, the CR official said.