New State Compliance Laws in 2023

In 2023 five states are implementing new laws to protect consumer data and privacy rights. Those states are California, Virginia, Colorado, Connecticut, and Utah. Don’t stop reading if you don’t live in these states because even if you don’t operate your business from one of these states if you process the personal data of consumers in those states these laws could still apply to you.

Before we get into the specifics of each state it would be helpful to define a few terms. 

What is PII?

PII stands for Personally Identifiable Information. This is data that could be used to identify an individual. Examples of PII include names, addresses, phone numbers, social security numbers, and bank account numbers. 

What does PHI stand for?

PHI stands for Protected Health Information, also known as HIPAA data. The HIPAA Privacy Rule provides federal protections for past, present, and future data that relates to the health of an individual (https://www.hhs.gov/hipaa/index.html). Examples of PHI include name, address, city, county, zip code, and dates related to an individual, including birthday, date of admission, and date of death. PHI can show up in many different documents, forms, and communications. For example, billing information from your doctor, emails to your doctor’s office in reference to medications and prescriptions, appointment scheduling notes, MRI scans, blood test results, and phone records. 

State Laws and HIPPA 

There are already states that have enacted their own more stringent data privacy laws, Texas’ HB300 is an example that expands patient privacy protections beyond HIPAA and HITECH. It revised the definition of a “covered entity” and mandates customized employee training. And also establishes standards for the use of electronic health records “EHR’s,” granting enforcement authority to several state agencies and increasing civil and criminal penalties for the wrongful electronic disclosure of PHI.

California Privacy Rights Act

CPRA only applies to employees that are California residents. When CPRA comes into effect, all of the requirements with respect to a business’ handling of consumer personal information will apply to employee personal information.  

How is CPRA different from CCPA?

CCPA refers to the California Consumer Privacy Act that was passed in 2018. CPRA refers to the California Privacy Rights Act. It is actually an amendment to CCPA. The CPRA amends the CCPA and includes additional privacy protections for consumers and particularly it has laws that will affect California Employers. It eliminates the exemption for employee personal information. Businesses with employees who are California residents will need to implement internal policies, procedures, and processes to ensure compliance.

How Businesses Will be Effected

1. Currently, under the CCPA, businesses are required to provide employees and job applicants a notice when they fill out paperwork. This notice should explain the types of personal information collected and the purposes for which the information will be used. Businesses should update these notices with the additional required disclosures, including information about rights, retention periods, and personal information disclosed by employers (for example, to service providers). 

2. Businesses should establish methods for employees to exercise these rights and develop internal processes for verifying and responding to such requests. An important piece of developing these processes will include data mapping specific to employees' personal information. Businesses need to understand what information is collected and where it is stored in order to respond to requests within the required timeframe. Additionally, businesses must train appropriate personnel to respond to employee rights requests.

3. Contracts with service providers - review agreements with vendors that handle employee personal information. 

4. New regulations will include requirements for certain businesses to perform cybersecurity audits and risk assessments. They will also need to have rights to access and opt-outs with respect to a business' use of automated decision-making technology.

The Colorado Privacy Act (CPA)

CPA applies to all data controllers that conduct business in Colorado that control or process the personal data of 100,000 or more Colorado resident consumers in a calendar year. Or they get revenue or receive a discount on the price of goods or services from the sale of personal data. And process or control the personal data of 25,000 or more Colorado resident consumers. There are exceptions such as information and documents that are created to comply with HIPAA.

The Colorado Privacy Act gives Colorado resident consumers five rights over their personal data:

• The right to opt-out of the processing of personal data for targeted advertising purposes, the sale of their personal data, and automated profiling.
• The right to access their personal data held by a data controller.
• The right to make corrections to their personal data if they find discrepancies
• The right to have their personal data deleted.
• The right to have their data portability.

Violations of the Colorado privacy act will be considered a deceptive trade practice. 

The Virginia Customer Data Protection Act (VCDPA)

The VCDPA can apply to businesses that are not headquartered or incorporated in Virginia but do business there. VCDPA provides customers with rights related to their personal data. These rights include:

1. The right to know, access, and confirm personal data.
2. The right to delete personal data.
3. The right to correct inaccuracies in personal data.
4. The right to data portability (i.e., easy, portable access to all pieces of personal data held by a company).
5. The right to opt out of the processing of personal data for targeted advertising purposes.
6. The right to opt out of the sale of personal data.
7. The right to opt out of profiling based on personal data.
8. The right to not be discriminated against for exercising any of the foregoing rights.

What does this mean for companies that are affected? 

Companies need to inform consumers of their rights under the Act. They need to have a process so that consumers can exercise those rights. VCDPA also implements other business implications in regard to personal data. 

Utah Consumer Privacy Act (UCPA)

• Goes into effect on December 31, 2023
• Resembles Virginia and Colorado laws

Connecticut Data Privacy Act (CTDPA)

The CTDPA applies to data “controllers” and “processors.” The CTDPA applies to persons conducting business in Connecticut or producing products or services targeted to Connecticut residents. Who during the preceding calendar year either:

• Controlled or processed the personal data of 100,000 or more consumers annually, except for personal data controlled or processed solely for the purpose of completing a payment transaction.
• Derived over 25 percent of their gross revenue from the sale of personal data and controlled or processed the personal data of 25,000 or more consumers

The CTDPA grants consumers the right to appeal denials of requests by controllers, along with the CPA’s right to opt-out of processing for either targeted advertising or sales of personal data.

Similar to other comprehensive privacy laws, the CTDPA grants consumers the following rights:

• Access. Consumers have the right to confirm whether a controller is processing their personal data and accessing such personal data unless such actions would reveal a trade secret.
• Correction. Consumers have the right to correct inaccuracies in their personal data (with some limitations).
• Deletion. Consumers have the right to delete personal data provided by or about the consumer.
• Data portability. Consumers have the right to obtain a portable copy of their personal data to the extent technically feasible and provided the controller will not be required to reveal any trade secret.
• Opt-out of certain data processing. Consumers have the right to opt-out of the processing of personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in connection with automated decisions that produce legal or similarly significant effects concerning the consumer.

As with the CCPA and CPA, the CTDPA also grants consumers the ability to designate another person as an authorized agent to exercise the right to opt-out on their behalf.

The important thing is to be aware of new data privacy regulations. To know if they apply to your business, and have steps in place to make sure that you are complying with them. Failure to comply has consequences for your business. If you want more information about what you can do, listen to our podcast on the topic.