Patchwork Privacy: U.S. State Legislation Roundup

Privacy protections in the United States take a big leap forward in 2023 with five states having new privacy laws going into effect. This means that by the end of the year, consumers in California, Virginia, Colorado, Utah, and Connecticut will be guaranteed privacy rights. If you are doing business in any of these states it is possible your business will have obligations to respect these rights. 

While each state’s privacy laws have their own nuance, it’s important to understand the core requirements as outlined in each so that you can put in place a comprehensive privacy architecture for all marketing and advertising data processing. In this guide, we’ll explore the basics: who must comply, rights afforded to users, and business obligations. As a marketer or advertiser, get familiar with these concepts now so that you can ensure you are respecting the privacy rights of your consumers.

Who Do The Laws Apply To?

In contrast to Europe’s GDPR and ePrivacy laws, which instill privacy rights for all residents of Europe, U.S. privacy laws have certain thresholds for businesses before they are obligated to comply. Here we list out these thresholds for each of the states with privacy laws on the books.

California

Businesses that collect consumers’ personal information doing business in the State of California and satisfy any one (or more) of the following thresholds are required to comply:

• As of January 1, of the calendar year, had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year
• Annually buys, sells, or shares the personal information of 100,000 or more consumers, or households
• Derives 50 percent of more of its annual revenues from selling or sharing consumers’ personal information

Consumers in the context of California’s privacy laws are residents of the State of California.

California already has, in effect and enforceable, the California Consumer Privacy Act (CCPA). On January 1, 2023 the CCPA will be updated by the California Privacy Rights Act (CPRA). The CPRA becomes enforceable on July 1, 2023.

Virginia

All persons who conduct business in Virginia and:

• Control or process personal data of at least 100,000 consumers; or
• Derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers

Consumers in the context of Virginia’s privacy law are residents of Virginia acting in an individual or household context.

The Virginia Consumer Data Protection Act is effective beginning January 1, 2023.

Colorado

Any controller that conducts business in Colorado or produces/delivers commercial products or services targeted to residents of Colorado and:

• Controls or processes the personal data of at least 100,000 consumers during a calendar year; or
• Derives revenue or receives a discount on the price of goods or services from the sale or personal data and processes or controls the personal data of 25,000 consumers or more

Consumers in the context of Colorado’s privacy law are residents of Colorado acting in an individual or household context.

The Colorado Privacy Act is effective beginning July 1, 2023.

Utah

Any controller or processor conducting business in Utah or produces a product or service targeted to consumers that are residents of Utah with an annual revenue of 25 million ($25,000,000) or more; and

• In a calendar year controls or processes personal data of 100,000 or more consumers; or
• Derives over 50 percent of gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers

Consumers in the context of Utah’s privacy law are residents of Utah acting in an individual or household context. 

The Utah Consumer Privacy Act is effective beginning December 31, 2023.

Connecticut

Persons conducting business in Connecticut or that produce products or services targeted to residents of Connecticut that during the previous calendar year:

• Controlled or processed personal data of not less than 100,000 consumers, excluding processing solely for purpose of payment processing, or
• Controlled or processed personal data of not less than 25,000 consumers and derived more than 25 percent of gross revenue from the sale of personal data

Consumers in the context of Connecticut’s privacy law are residents of Connecticut.

The Connecticut Data Privacy Act is effective beginning July 1, 2023.

What Data Is Protected?

United States privacy laws protect specific types of information—either “personal information” or “personal data” depending upon the state. Let’s review these terms for each of the states.

California

Term used: Personal Information

Personal Information is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. 

California’s privacy laws outline a number of different types of information as examples of what is in scope. For purposes of marketing and advertising, the following are especially relevant:

• Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
• Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
• Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application, or advertisement
• Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes

Basically all information which can be associated with a user that is collected for digital marketing and analytics is in scope of these definitions. It does not include consumer information that has been de-identified or aggregate consumer information.

Virginia

Term used: Personal Data

Personal Data is any information that is linked or reasonably linkable to an identified or identifiable natural person. It does not include de-identified data, or publicly available information.

Colorado

Term used: Personal Data

Personal Data is any information that is linked or reasonably linkable to an identified or identifiable individual. It does not include de-identified data or publicly available information.

Utah

Term used: Personal Data

Personal Data is information that is linked or reasonably linkable to an identified or an identifiable individual. It does not include de-identified data, aggregated data, or publicly available information.

Connecticut

Term used: Personal Data

Personal Data is any information that is linked or reasonably linkable to an identified or identifiable individual. It does not include de-identified or publicly available information.

What Rights Are Granted to Consumers?

Each of the state privacy laws in the United States grant different rights to consumers in relation to their personal information/personal data. The rights afforded can be summarized as follows:

1. Right of access
2. Right of rectification
3. Right of deletion
4. Right of restriction
5. Right of portability
6. Right of opt-out
7. Right against automated decision making
8. Private right of action

Let’s review each of these rights and the states that grant them.

Right of Access

The right of access is the ability for consumers to be made aware of the personal information/personal data which is collected from them. 

States granting the Right of Access: California, Virginia, Colorado, Utah, Connecticut

Right of Rectification

The right of rectification is the ability for consumers to have any personal information/personal data which is collected from them to be corrected for any inaccuracies. 

States granting the Right of Rectification: California, Virginia, Colorado, Connecticut

Right of Deletion

The right of deletion is the ability for consumers to submit a verifiable request and have any personal information/personal data collected from them deleted by the organization processing their data. 

States granting the Right of Deletion: California, Virginia, Colorado, Utah, Connecticut

Right of Restriction

The right of restriction is the ability for consumers to have the use of a subset of their personal information, called sensitive data, restricted to only specific use cases following consent.

States granting the Right of Restriction: California

Right of Portability

The right of portability is the ability for consumers to have personal information/personal data provided to them in a portable and readily usable format so that the consumer can transmit the data to another entity. 

States granting the Right to Portability: California, Virginia, Colorado, Utah, Connecticut

Right of Opt-out

The right of opt-out is the ability for consumers to opt-out of the processing of their personal information/personal data for specific use cases. State privacy laws grant the right to opt-out for slightly different activities:

• Right to opt-out of the sale of personal information/personal data

The sale of personal information/personal data is the exchange of the personal information/personal data with a third party for monetary or other valuable consideration.

States granting the right to opt-out of sale: California, Virginia, Colorado, Utah, Connecticut

• Right to opt-out of the sharing of personal information

The sharing of personal information is the sharing of personal information with a third party for cross-context behavioral advertising, including for the benefit of the business when no money is exchanged.

States granting the right to opt-out of sharing: California

• Right to opt-out of the processing of personal data for purposes of targeted advertising

Processing of personal data for purposes of targeted advertising is displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from consumers’ activities over time and across nonaffiliated websites or applications to predict such consumers’ preferences or interests. Notably, targeted advertising does not include:

• Advertisements based on activities within a controller’s own websites or online applications
• Advertisements based on the context of a consumer’s current search query, visit to a website, or online application
• Advertisements directed to a consumer in response to the consumer’s request for information or feedback
• Processing personal data processed solely for measuring or reporting advertising performance, reach, or frequency

States granting the right to opt-out of processing for targeted advertising: Virginia, Colorado, Utah, Connecticut

• Right to opt-out of the processing of personal data for purposes of profiling

Processing of personal data for the purpose of profiling is any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. Consumers have the right to opt-out of processing for purposes of profiling when the profiling presents a significant risk to the consumer.

States granting the right to opt-out of processing for profiling: Virginia, Colorado, Utah, Connecticut

Right Against Automated Decision Making

Several states grant users rights to limit, opt-out, or require consent for the processing of some personal information/personal data for uses of automated decision making. Most of these rights are limited to the processing of data for automated decision making when there is a heightened risk to the consumer.

States granting rights against automated decision making: California, Virginia, Colorado, Connecticut

Private Right of Action

The privacy right of action allows for consumers to bring their own lawsuits against a company. These rights are limited, typically to egregious violations such as when an email address in combination with a password is accessed in an unauthorized manner due to a failure in security protections.

States granting the private right of action: California

What Obligations Do Businesses Have?

In addition to the rights granted to consumers within each of the states with privacy legislation, certain obligations are outlined for businesses in order to support and uphold consumer rights. Here, we’ll focus on the general business obligations relevant for marketing and advertising use cases within each state:

California

• Transparency & Disclosure

Consumers must be given transparency as to the personal information collected and processed, as well as the uses of personal information both in an accessible privacy notice as well as the fact of personal information processing at the point of collection.

• Data minimization

The processing of personal information must be reasonably necessary and proportionate to achieve the stated purposes for which the personal information was collected or processed.

• Contractual obligations for the sharing of personal information

When personal information is sold or shared with a third party, or when it is disclosed for a business purpose, an agreement must be entered into with the third party, service provider, or contractor ensuring proper protections are in place. 

• Protection of personal information

For a business collecting a consumer’s personal information, reasonable security practices must be in place to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

Virginia

• Transparency & Disclosure

Any personal data processing must be disclosed in a privacy notice. In addition, if personal data is sold or processed for targeted advertising, this fact must be made clear to the consumer along with the manner in which the consumer may exercise their right to opt-out.

• Data minimization

The collection of personal data must be limited to that which is adequate, relevant, and reasonably necessary for the disclosed purposes for which the data is processed. 

• Use limitation

Businesses must not process personal data for purposes that are not reasonably necessary nor compatible with the disclosed purposes for processing unless the consumer’s consent is obtained.

• Data protection

Security practices must be established, implemented, and maintained to ensure the protection of personal data. 

• Data Protection Assessments

Data protection assessments must be completed and documented for processing for the purposes of selling and targeted advertising.

Colorado

• Transparency & Disclosure

Personal data processing must be disclosed in a reasonably clear, accessible, and meaningful privacy notice. The specific purposes for which personal data are collected and processed must be made available. 

• Data minimization

The collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes of which the data is processed.

• Use limitation

Personal data shall be processed for purposes which are not reasonably necessary to or compatible with the specified purposes for which the personal data is processed.

• Data protection

Security precautions must be taken during storage and use of data by imposing duty of care. These measures must be appropriate to the volume, scope, and nature of the personal data processed.

• Data Protection Assessments

Data protection assessments must be completed and documented for processes which present a heightened risk of harm to the consumer—this includes targeted advertising.

Utah

• Transparency & Disclosure

The personal data collected and processed must be disclosed in a reasonably accessible and clear privacy notice. Any selling or targeted advertising must be disclosed explicitly to the consumer.

• Data protection

The business must establish, implement, and maintain reasonably administrative, technical, and physical data security practices.

Connecticut

• Transparency & Disclosure

The collection and processing of personal data must be disclosed in a privacy notice available to the consumer. The sale or use of data for targeted advertising must be explicitly disclosed as well. 

• Data minimization

The collection of personal data must be limited to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.

• Use limitation

A business can not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed as disclosed to the consumer.

• Data protection

Reasonable administrative, technical, and physical data security practices must be established, implemented, and maintained to protect personal data. 

• Data Protection Risk Assessments

Data protection risk assessments are required for any processing which presents a heightened risk of harm to the consumer—this includes targeted advertising and the sale of personal data.

As you can see, privacy rights just became real in the United States. While federal legislation continues to languish in Congress, the landscape continues to be state-specific. This patchwork privacy approach makes it difficult for large businesses with obligations across multiple states to standardize their approach and be compliant in all jurisdictions. Start by understanding these basics and begin implementing the required principles in the design of your marketing and advertising data programs. A strong foundation will protect your business and provide a flexible base from which to adapt to future compliance challenges. 

**Important – The information covered in this article is not intended to be legal advice or counsel. You should not act or refrain from acting on the basis of any content included in this article regarding legal compliance without obtaining appropriate legal guidance. The contents of this article contain general information related to various laws and regulations, but may not reflect your current situation. In addition, applicable laws and regulations regularly change. This is particularly true with respect to data privacy laws and regulations. Therefore, any laws and regulations described or otherwise referenced in this article may not be current when you read the article or even at the time of publication. We disclaim all liability for actions you take or fail to take based on anything in this article. Any action you take or any action you refrain from taking based on the information in this article is entirely at your own discretion and risk.**