U.S. State Consumer Privacy Guide

March 14, 2022

To help your company get its United States (U.S.) state privacy compliance program on the right track in 2022, Orrick's Cyber, Privacy & Data Innovation Group has analyzed the differences between key topics for the California Consumer Privacy Act (CCPA), the Colorado Privacy Act (CPA), the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA). With U.S. state laws constantly evolving and more developments expected this year, it is never too late to get started on your compliance planning.

  1. Categories of Processors
  2. Profiling and Automated Decision-Making
  3. Sensitive Data
  4. What Should Be in Your Privacy Notice
  5. Fair Information Practice Principles
  6. Data Subject Rights
  7. Healthcare Exceptions
  8. Penalties Enforcement Risk (Private Right of Action)
  9. Security

1. Categories of Processors 

The CCPA uses the term “service provider” to refer to an entity processing information on behalf of a business. The CPRA retains this term, while introducing a new category of processor called a “contractor,” to which additional monitoring requirements apply. The CPA and the VCDPA adopt neither of these terms. Instead, these laws mirror the GDPR in referring to any entity that processes personal information on behalf of a controlling entity as a “processor.”

Under each of these laws, these processing entities are required to be bound by certain contractual obligations to the “controller” entity. The obligations placed on service providers and contractors in the CCPA and the CPRA are primarily focused on ensuring the information processed is not sold or used outside of the business purpose contemplated in the contract. The CPA and the VCDPA obligations are more focused on confidentiality, deletion of personal data at the end of service provision, and allowing for audits arranged by the controller. The chart below describes the processor role and associated obligations under each law in more detail.

CCPA (Cal. Civ. Code §§ 1798.140.(v); 1798.140.(t)(2)(C); 1798.145.(h))

Under the CCPA, a service provider is an entity that processes information on behalf of a business for a specific business purpose pursuant to a written contract. The contract must prohibit the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than performing the services specified in the contract, and in particular any other commercial purpose.

When the business and the service provider act in accordance with a contract that conforms to the CCPA requirements, the personal information exchange between the business and the service provider will not be considered a “sale” under the law.

CPRA (Cal. Civ. Code §§ 1798.100.(d); 1798.105.(c)(3); 1798.105.(d); 1798.130.(3)(A); 1798.140(ag)(1); 1798.145.(i))

The CPRA expands on the contractual provisions required to engage a service provider under the CCPA, and also applies these requirements to a new category of personal information recipients called contractors. Under the CPRA, service providers and contractors must be bound by written contracts prohibiting the service provider or contractor from doing the following:

  • Selling or sharing the personal information;
  • Retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract;
  • Retaining, using, or disclosing the information outside of the direct business relationship between the service provider or contractor and the business; and
  • Combining the personal information that the service provider or contractor receives with personal information that it receives from others, barring certain exceptions.

In addition to these requirements, agreements to bind contractors must include:

  • A certification by the contractor stating that they understand these restrictions; and
  • Permission for the business to monitor the contractor’s compliance with the contract.

While service providers must process personal information, contractors are simply entities to which the business makes consumers’ personal information available for a business purpose, and as such, this category is broader. Another key difference between service providers and contractors is that contractors must receive personal information directly from the business, while a service provider can receive personal information “on behalf of the business.” As such, businesses have a greater degree of responsibility over contractors, which is reflected in the additional requirements for their contracts.

The CCPA’s reciprocal liability shield for the violations within the business/service provider relationship remains in the CPRA and is expanded to include contractors. The CPRA also specifies several circumstances in which businesses, service providers, and contractors are not required to comply with requests to delete personal information.

CPA (C.R.S. § 6-1-1303.19)

Under the CPA, a processor is an entity that processes personal data on behalf of a controller. Processors must be bound by contracts with controllers that establish the following:

  • The processing instructions, including the nature and purpose of the processing;
  • The type of personal data subject to the processing, and the duration of the processing;
  • A duty of confidentiality for each person processing personal data with respect to the data;
  • The right for the controller to object to engaging a subcontractor; and
  • A plan to implement technical and organizational security measures appropriate to the risk, establishing a clear allocation of responsibilities between the controller and the processor.

A processor must either delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law, and produce all information necessary to show the controller that this has been done. A processor must also submit to reasonable audits and inspections by the controller or the controller’s designated auditor, or otherwise make alternative auditing arrangements with the controller.

Should a controller or processor that receives personal data commit a violation, the disclosing controller or processor will not be held liable unless the disclosing party had knowledge of the recipient’s intent to commit a violation.

VCDPA (S.B. 1392 §§ 59.1-571; 59.1-575)

Under the VCDPA, a processor is a natural or legal entity that processes personal data on behalf of a controller.

A processor must be bound to a contract with a controller to govern the processor’s data processing procedures with respect to processing performed on behalf of the controller. It must clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall:

  • Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
  • At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
  • Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with its obligations under the law;
  • Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor, or arrange for a qualified and independent assessor to assess the processor’s policies and technical and organizational measures and provide a report to the controller upon request; and
  • Engage any subcontractor pursuant to a written contract in accordance with the law, and require the subcontractor to meet the obligations of the processor with respect to the personal data.


2. Profiling and Automated Decision-Making  

While the CCPA is silent about profiling and automated decision-making, the CPA, the CPRA, and the VCDPA all grant consumers rights regarding opting out of the processing of their personal data for purposes of profiling and create requirements that impact automated decision-making, including profiling. These rights and requirements are explored in detail below.

CCPA (Cal. Civ. Code § 1798.140)

The CCPA is silent on automated decision‑making, though some of its provisions include implications for businesses that utilize artificial intelligence (AI) and automated decision-making. For example, the CCPA defines “personal information” as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The inclusion of “reasonably” means that de-identified data could become re-identified personal data if an AI or automated decision-making application is able to connect it with a particular consumer or household with reasonable contextual data.

In contrast, the CPRA, which amends and expands the concepts in the CCPA, directly addresses automated decision-making, as discussed in more detail below.

CPRA (Cal. Civ. Code §§ 1798.140(z); 1798.185(a)(16))

The CPRA added a new definition of “profiling” to the CCPA. The CPRA gives consumers opt-out rights with respect to businesses’ use of “automated decision making technology,” which includes profiling consumers based on their “performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”

The CPRA authorizes the new California Privacy Protection Agency (CPPA) to issue regulations governing automated decision-making, including “governing access and opt-out rights with respect to businesses’ use of automated decision making technology, including profiling and requiring businesses’ response to access requests to include meaningful information about the logic involved in such decision making processes, as well as a description of the likely outcome of the process with respect to the consumer.” Notably, this language lacks the “legal or similarly significant” caveat, meaning that the CPRA requirements around access and opt-outs may extend to processing activities such as targeted advertising based on profiling. The CPRA does not include any exceptions to the opt-out right and may, therefore, have a more significant impact on businesses, including on the use of artificial intelligence.

The CPRA requires the issuance of regulations regarding mandatory risk assessments and cybersecurity audits for high-risk activities and requires in-scope businesses to maintain “reasonable” security measures. These regulations must be adopted by July 1, 2022 and will likely provide further guidance on the scope of and process for conducting and documenting risk assessments vis-à-vis profiling and automated decision-making. Under the CPRA, processing activities that present a “significant risk” to consumers’ privacy or security will require annual audits and periodic risk assessments on a “regular basis.” The concept of a “regular basis” is not defined in the CPRA and is likely to be expanded upon in the implementing regulations. Although not required for lower-risk processing, the purpose, proportionality and retention obligations make assessments practically necessary for all processing.

CPA (C.R.S. §§ 6-1-1306; 6-1-1308; 6-1-1309(1))

Under the CPA, consumers have the right to opt out of the processing of their nonsensitive personal data for purposes of targeted advertising, the sale of personal data, or “profiling in furtherance of decisions that produce legal or similarly significant effects,” which is defined as “a decision that results in the provision or denial of financial and lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services, or access to essential goods or services.” The right to opt out of processing for profiling that produces a legal effect does still apply to pseudonymous data.

The CPA permits consumers to communicate this opt out through technological means, such as a browser or device setting. By July 1, 2024, consumers must be allowed to opt out of the sale of their data or its use for targeted advertising through a “user-selected universal opt-out mechanism.” Opting out of profiling, however, does not appear to be explicitly addressed by this mechanism. Exactly what the universal opt-out mechanism will look like will be up to the Colorado attorney general, who will be tasked with defining the technical requirements of such a mechanism by July 1, 2023.

The CPA requires controllers to conduct a data protection impact assessment (DPIA) if the processing of personal data creates a heightened risk of harm to a consumer. This requirement only applies to personal data acquired on or after July 1, 2023. Processing that presents a heightened risk of harm to a consumer includes processing sensitive data, selling personal data, and processing personal data for purposes of targeted advertising or for profiling if the profiling presents a reasonably foreseeable risk of:

  • unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
  • financial or physical injury to consumers;
  • a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers if the intrusion would be offensive to a reasonable person; or
  • other substantial injury to consumers.

The CPA does not specify the frequency with which these assessments must occur, but controllers are required to make DPIAs available to the Colorado attorney general upon request.

VCDPA (S.B. 1392 §§ 59.1-571; 59.1-573(5); 59.1-576)

By way of comparison, the VCDPA’s definition of “profiling” aligns with that of the CPRA, and its right-to-opt-out provision is identical to the CPA’s: consumers may opt out of having their personal data processed for the purpose of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. The VCDPA imposes a responsibility upon data controllers to conduct DPIAs for high-risk profiling activities.

The VCDPA grants consumers the right to submit an authenticated request to opt out of the processing of personal data for purposes of profiling “in the furtherance of decisions that produce legal or similarly significant effects concerning the consumer,” which is defined as “a decision made by the controller that results in the provision or denial by the controller of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, or access to basic necessities, such as food and water.” The right to opt out of processing for profiling that produces a legal effect does still apply to pseudonymous data.

The VCDPA requires controllers to conduct a DPIA if the processing of personal data creates a heightened risk of harm to a consumer. This requirement only applies to personal data acquired on or after July 1, 2023. Processing that presents a heightened risk of harm to a consumer includes processing sensitive data, selling personal data, and processing personal data for purposes of targeted advertising or for profiling if the profiling presents a reasonably foreseeable risk of:

  • unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
  • financial or physical injury to consumers;
  • a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers if the intrusion would be offensive to a reasonable person; or
  • other substantial injury to consumers.

These DPIAs are required to identify and weigh the benefits against the risks that may flow from the processing, as mitigated by safeguards employed to reduce such risks. They are not intended to be made public or provided to consumers. Instead, these confidential documents must be made available to the state attorney general upon request, pursuant to an investigative civil demand. However, the VCDPA does not specify the frequency with which these DPIAs must occur.

3. Sensitive Data  

The CPA, the CPRA, and the VCDPA protect sensitive data as a separate category of personal data.

CCPA

The CCPA does not define “sensitive personal information.”

CPRA (Cal. Civ. Code § 1798.140(ae) (as amended))

“Sensitive personal information” includes:

  • Personal information that reveals a consumer’s social security card, driver’s license, state identification card, or passport number; account log-in information, financial account, debit card number, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; the content of email, mail or text messages, unless the business is the intended recipient of the communication; or genetic data.
  • The processing of biometric information for the purpose of uniquely identifying a consumer.
  • Personal information collected and analyzed concerning a consumer’s health, sex life, or sexual orientation.

CPA (Colo. Rev. Stat. § 6-1-1303(24))

“Sensitive data” includes:

  • Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status.
  • Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual.
  • Personal data from a known child.

VCDPA (Va. Code § 59.1-571)

“Sensitive data” includes:

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.
  • The processing of genetic or biometric data for the purpose of uniquely identifying a natural person.
  • Personal data collected from a known child.
  • Precise geolocation data.

4. What Should Be in Your Privacy Notice  

Every U.S. state privacy law requires some form of a privacy policy on a business’s website.

CCPA (Cal. Civ. Code §§ 1798.100, 1798.121, 1798.130)

The CCPA requires an entity’s privacy notice to include:

  • the categories of personal information to be collected and the purposes for which those categories of personal information are collected or used;
  • the categories of sensitive personal information to be collected and the purposes for which the information is collected and used;
  • whether the company sells or shares a consumer’s personal information or sensitive personal information, and whether the business uses or discloses a consumer’s sensitive personal information; and
  • the length of time a business intends to retain each category of personal information and sensitive personal information; if this is not possible, the criteria used to determine the information retention period.

CPRA (Cal. Civ. Code § 1798.130)

The CPRA remains largely aligned with the CCPA’s requirements for privacy notices. Notices should include:

  • a description of a consumer’s rights;
  • two or more designated methods for submitting consumer requests. At a minimum, this should include a toll-free telephone number. A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information is only required to provide an email address;
  • a list of the categories of personal information collected about consumers in the preceding twelve (12) months;
  • categories of sources from which consumers’ personal information is collected;
  • the business or commercial purpose for collecting, sharing, or selling consumers’ personal information;
  • categories of third parties to whom the business discloses consumers’ personal information; and
  • a list of the categories of personal information the business has sold, shared, or disclosed about consumers in the preceding twelve (12) months. If the entity has not sold or shared consumers’ personal information in the preceding twelve (12) months, the business must disclose that in its privacy policy.

CPA (C.R.S. § 6-1-1308)

The CPA requires privacy notices to include:

  • the categories of personal data collected or processed by the controller or a processor;
  • the purposes for which the categories of personal data are processed;
  • how and where consumers may exercise their rights; specifically, this includes the controller’s contact information and how a consumer may appeal a controller’s action with regard to the consumer’s request;
  • the categories of personal data that the controller shares with third parties (if any);
  • the categories of third parties with whom the controller shares personal data; and
  • if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must disclose the sale or processing of personal information and the manner in which the consumer may exercise their right to opt out.

VCDPA (S.B. 1392 § 59.1-574)

The VCDPA requires privacy notices to include:

  • the categories of personal data processed by the controller;
  • the purpose for processing personal data;
  • how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request;
  • the categories of personal data that the controller shares with third parties (if any);
  • the categories of third parties, if any, with whom the controller shares personal data;
  • one or more secure and reliable means for consumers to submit a request to exercise their consumer rights; and
  • if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which the consumer may exercise the right to opt out of the processing.

5. Fair Information Practice Principles  

The Fair Information Practice Principles form the foundational underpinnings of most privacy policies. The principles are guidelines that represent widely recognized concepts concerning data and the use of information in the internet and cyber marketplace. Because these principles are the foundation for most privacy agreements, many of the standards codified in the CCPA/CPRA, the VCDPA and the CPA are the same. The following is a high-level overview of the Fair Information Practice Principles that are found in the CCPA/CPRA, the VCDPA and the CPA.

CCPA (Cal. Civ. Code, California Consumer Privacy Act of 2018, § 1798.100)

Purpose Specification Principle: A business that collects personal information must inform consumers about the categories of personal information it is collecting and the purposes for which the personal information will be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice.

Accountability Principle: A data controller should be accountable for complying with measures that give effect to the above principle.

CPRA (Cal. Civ. Code § 1798.100)

Storage Limitation Principle: A controller must inform consumers of the length of time the business intends to retain each category of personal information.

Collection Limitation Principle: There should be limits to the collection of personal data, and any such data should be lawfully and fairly obtained, and where appropriate, with the knowledge or consent of the data subject.

Data Minimization Principle: Obligation to limit data to what is adequate, relevant, and reasonably necessary for the disclosed purposes.

Consent to Process Sensitive Data: Obligation to obtain affirmative consent from the consumer before collecting or using sensitive data for any purpose.

Notice Principle: Obligation to post a privacy notice and specific requirements for what must be included, including all intended purposes for use of the personal data.

Purpose Specification Principle: A business’s collection and use of personal information shall be reasonably necessary and proportionate to achieve the purposes for which the information was collected or processed.

CPA (Colo. Rev. Stat. § 6-1-1308(2) – (7))

Data Minimization Principle: Controllers have a duty to limit data to what is adequate, relevant, and reasonably necessary for the disclosed purposes.

Purpose Specification Principle: The reasons for the collection of personal data should be specified by the time of data collection, and the subsequent use must be limited to the fulfillment of those purposes.

Data Security Principle: Controllers have a duty to maintain reasonable security safeguards that protect personal data against the risks of loss or unauthorized access, destruction, use, modification, or disclosure of data. The data security practices must be appropriate to the volume, scope, and nature of the personal data processed and the nature of the business.

Consent to Process Sensitive Data: Controllers have an obligation to obtain affirmative consent from the consumer before collecting or using sensitive data for any purpose.

Notice Principle: Controllers must post a privacy notice and specific requirements for what must be included, including all intended purposes for use of the personal data.

VCDPA (Va. Code Ann. § 59.1-574(A)(1) – (5))

Data Minimization Principle: Data controllers have a duty to limit data to what is adequate, relevant, and reasonably necessary for the disclosed purposes.

Purpose Specification Principle: Except as otherwise stated, controllers should not process personal data for purposes that are not reasonably necessary to, or compatible with, the disclosed purposes for which the personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.

Data Security Principle: Controllers are obligated to maintain reasonable security safeguards that protect personal data against the risks of loss or unauthorized access, destruction, use, modification, or disclosure of data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue.

Consent to Process Sensitive Data: Data controllers must obtain affirmative consent from the consumer before collecting or using sensitive data for any purpose.

Notice Principle: A controller has an obligation to post a privacy notice and specific requirements for what must be included, including all intended purposes for use of the personal data.

6. Data Subject Rights  

The CCPA, the CPA, the CPRA and the VCDPA provide various privacy rights to California, Colorado, and Virginia residents (“data subjects” or “consumers”).

CCPA (Cal. Civ. Code §§ 1798.110; 1798.115; 1798.130; 1798.105; 1798.145; 1798.120; 1798.125)

The CCPA requires a business to comply with requests to exercise the following rights:

Right to Know: To request any or all of the following information relating to the consumer’s personal information the business has collected and disclosed in the previous twelve (12) months, upon verification of the consumer’s identity:

  • The specific pieces of personal information the business has collected about the consumer;
  • The categories of personal information the business has collected about the consumer;
  • The categories of sources of the personal information;
  • The categories of personal information that the business has disclosed to third parties for a business purpose, and the categories of recipients to whom this information was disclosed;
  • The categories of personal information the business has sold about the consumer, and the categories of third parties to whom the information was sold; and
  • The business or commercial purposes for collecting or, if applicable, selling the personal information.

Right to Delete: To request the deletion of personal information the business has collected from the consumer, subject to certain exceptions.

Right to Opt Out: To opt out of the “sale” of their personal information.

  • “Sale” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

    While this definition may be broad, the CCPA outlines a number of exceptions where the disclosure of personal information does not constitute a sale, including when:

  • a consumer uses or directs the business to intentionally disclose personal information or interact with one or more third parties;
  • the business uses or shares an identifier for a consumer who has opted out of the sale of the consumer’s personal information or limited the use of the consumer’s sensitive personal information for the purposes of alerting persons of the consumer’s opt out or restriction;
  • the business uses or shares the personal information with a service provider that is necessary to perform a business purpose; and
  • the business transfers personal information to a third party pursuant to a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistently with the business’s prior disclosures to the consumer.

If the business sells consumers’ personal information, information about this right must be provided to consumers in the business’s privacy notice and a link titled “Do Not Sell My Personal Information” must be included on the business’s Internet home page, if any.

Right to Nondiscrimination: To not receive discriminatory treatment for exercising any consumer right, subject to certain exceptions.

A business typically must provide two (2) or more methods for a consumer to submit a consumer request under the Right to Know and Right to Delete. Methods include a toll-free number, an email address or an online form. The business must verify Right to Know and Right to Delete requests and may need to gather additional information from the requesting consumer to ensure the consumer is authorized to submit the request, or to receive the information requested. For Right to Know and Right to Delete requests, the business must acknowledge receipt of the requests within ten (10) business days, and must respond within forty-five (45) calendar days of receipt of the request, though this period may be extended an additional forty-five (45) days in certain circumstances. Additionally, authorized agents are permitted to submit requests on behalf of consumers subject to specific authorization requirements.

CPRA (Cal. Civ. Code §§ 1798.110; 1798.115; 1798.130; 1798.105; 1798.145; 1798.106; 1798.185; 1798.120; 1798.185(a)(16); 1798.125; 1798.121)

The CPRA expands several consumer rights established by the CCPA and adds new consumer rights and protections. Additional guidance on the revised or additional CPRA consumer rights obligations is expected from the California Attorney General in the forthcoming regulations.

The CPRA provides for the following consumer rights:

Right to Know: The CPRA modifies and/or expands the CCPA’s Right to Know by:

  • Requiring the business to also provide information about the categories of personal information shared with third parties, where “shared” is defined as providing personal information to a third party for cross‑contextual behavioral advertising.
  • Removing the twelve (12)-month look-back limitation by requiring a business to provide more than twelve (12) months of information, so long as such a disclosure would not be “impossible” or “involve a disproportionate effort,” though this requirement would not apply to any data collected by the business prior to January 1, 2022.
  • Clarifying that these requests encompass personal data collected by the business directly or indirectly, including through or by a service provider or contractor. The CPRA also emphasizes the obligation for service providers or contractors to aid the business with respect to the business’s response to a verifiable consumer request.
  • Clarifying the obligation that the business provide specific pieces of personal information in a structured, commonly used, machine-readable format “which also may be transmitted to another entity at the consumer’s request without hindrance” to the extent it is technically feasible.
  • Directing the CPPA to issue regulations governing access rights with respect to the business’s use of automated decision‑making and profiling. The CPRA further directs the forthcoming regulations to require businesses’ response to access requests to include meaningful information about the logic involved in such decision‑making processes, as well as a description of the likely outcome of the process with respect to the consumer.

Right to Delete: The CPRA modifies and/or expands the CCPA’s Right to Delete by requiring the business to notify its service providers and contractors and also notify any third parties to whom the business has sold or shared (for cross‑contextual advertising purposes) the consumer’s personal information, unless this “proves impossible or involves disproportionate effort.” Additionally, service providers and contractors must pass deletion requests downstream in certain circumstances. The CPRA also provides several new exceptions or clarifications to the deletion requirement under the CCPA. Under the CPRA, the business is not required to delete:

  • household data, defined as data relating to a group of consumers who cohabitate at the same residential address and share common devices or services;
  • personal information about the consumer that belongs to, or that the business maintains on behalf of, another natural person;
  • personal information that applies to a student’s grades, test scores, or educational test results that the business holds on behalf of a local education entity;
  • a particular piece of information if the consumer has consented to the business’s use of that information to produce a physical item (such as a yearbook) if the business has incurred significant expense and compliance with the deletion request would not be commercially reasonable; and
  • personal information that the business bought or received, subject to certain exceptions, of the consumer’s request.

Right to Correction: To correct inaccurate personal information maintained by the business. Once a business receives a verified request to correct inaccurate personal information, the business must use “commercially reasonable efforts” to correct that personal information as directed by the consumer and the adopted regulations. The CPRA calls on the California attorney general to promulgate regulations governing how a business should respond to such a request, including exceptions for requests for which the response would be impossible or involve disproportionate effort, and how disputes over the accuracy of personal information should be resolved.

Right to Opt Out of the Sale or Sharing: The CPRA expands on the CCPA’s existing opt-out right to also include the “sharing” of personal information. Accordingly, the link posted on a business’s home page must be titled “Do Not Sell or Share My Personal Information.”

  • “Sharing” is defined by the CPRA as the transfer or making available of a consumer’s personal information by the business to a third party for cross-contextual behavioral advertising, whether or not for monetary or other valuable consideration.

The business is further prohibited from selling or sharing personal information of a consumer under the age of sixteen (16) unless the consumer (for consumers at least thirteen (13) years old) or the consumer’s parent (for consumers who are less than thirteen (13) years old) has affirmatively authorized the sale or sharing.

Right to Opt Out of Automated Decision‑Making Technology: The CPRA authorizes and directs the CPPA to issue regulations governing access and opt-out rights with respect to a business’s use of automated decision-making technology and profiling. The statutory text suggests that such regulations may require a business to disclose information about the logic involved in the automated decision-making process in response to a consumer request.

See Section 2: Profiling and Automated Decision‑Making above for additional information.

Right of Non-Retaliation: Not to be discriminated against for exercising any of the consumer’s California rights, unless the price or service difference is reasonably related to the value provided to the business by the consumer’s data. The right to non-discrimination does not prohibit the business from offering loyalty, rewards, premium features, discounts, or club card programs.

Right to Limit the Use and Disclosure of Sensitive Personal Information: To direct a business to limit its use of “sensitive personal information” to that “which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services,” or to the performance of specific enumerated business purposes. The CPRA requires a second link on the website home page titled “Limit the Use of My Sensitive Personal Information.” In some circumstances, a business may provide a single home page link that combines this link with the Do Not Sell or Share My Personal Information link to allow consumers to make one or both of these selections. The CPRA also contemplates an “opt-out preference signal,” sent with the consumer’s consent by a platform, technology or mechanism, that indicates the consumer’s intent to opt out of the sale or sharing of the consumer’s personal information, to limit the use and disclosure of sensitive personal information, or both, though it leaves the details to the forthcoming regulations.

CPA: Colo. Rev. Stat. §§ 6-1-1306(1)(b); 6‑1‑1306(1)(d); 6-1-1306(1)(e); 6-1-1306(1)(c); 6‑1-1306(1)(a)(I); 6-1-1306(1)(a)(IV)(B); 6‑1‑1313(2); 6-1-1306(3); 6-1-1307(3)

The CPA requires controllers to comply with authenticated requests to exercise the following rights:

Right of Access: To confirm whether a controller is processing personal data and to access such personal data.

Right to Deletion: To delete personal data concerning the consumer.

Right to Portability: To obtain personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to easily transmit the data to another entity. A consumer may exercise this right no more than twice per calendar year.

Right to Correction: To correct inaccuracies in the consumer’s personal data, taking into consideration the nature of the personal data and the purposes of the processing of the personal data.

Right to Opt Out: To opt out of the processing of personal data for the purposes of (1) targeted advertising; (2) the sale of personal data; and (3) “profiling in furtherance of decisions that produce legal or similarly significant effects.” The controller must provide a “clear and conspicuous” method to exercise the right to opt out of the processing of personal data for the purposes of targeted advertising or sale, both in its privacy notice and in a readily accessible location outside of the privacy notice.

  • “Targeted advertising” means displaying ads based on personal data obtained or inferred over time from the consumer’s activities across nonaffiliated websites, applications, or online services to predict consumer preferences or interests.
  • “Sale” means the exchange of personal data for monetary or other valuable consideration by a controller to a third party.
  • “Profiling” means any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

The CPA contains a number of exemptions from the definition of a “sale,” including:

  • the disclosure of personal data to a processor that processes personal data on behalf of a controller;
  • the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
  • the disclosure or transfer of personal data to an affiliate;
  • the disclosure or transfer of personal data as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets; or
  • the disclosure of personal data (a) that a consumer directs the controller to disclose or intentionally discloses by using the controller to interact with a third party; or (b) intentionally made available by a consumer to the general public via a channel of mass media.

Note that the CPA prohibits controllers from processing sensitive data without first obtaining the consumer’s opt-in consent or, if pertaining to a known child, without first obtaining consent from the parent or lawful guardian.

Right to Universal Opt-Out Mechanisms: Effective July 1, 2024, controllers that process personal data for the purposes of targeted advertising or sale must allow consumers to exercise the right to opt out through a user‑selected universal opt-out mechanism. The attorney general is directed to adopt rules that clarify the technical specifications for such an opt‑out mechanism by July 1, 2023.

The controller must respond to consumer requests within forty-five (45) days (with the option to extend the period by an additional forty-five (45) days). The controller must honor a consumer request free of charge; however, for a second or subsequent request within a twelve (12)-month period, the controller may charge the consumer an amount calculated in the manner specified in the CPA. Controllers are required to authenticate consumer requests. The CPA provides a statutory right to appeal denied consumer requests, and requires that controllers establish internal processes for consumers to appeal a refusal to act on a request to exercise any of the rights above. The appeal process must be made readily available and as easy to use as the process for submitting a request. Furthermore, the CPA mandates that controllers inform the consumer of their ability to contact the attorney general if the consumer has any concerns regarding the result of an appeal.

The consumer rights above do not apply to pseudonymous data if (1) the controller can demonstrate that the information necessary to identify the consumer is kept separately, and (2) the data is subject to effective technical and organizational controls that prevent the controller from accessing such information.

VCDPA: Va. Code §§ 59.1-573.A.1; 59.1-573.A.2; 59.1‑573.A.3; 59.1-573.A.4; 59.1-573.A.5; 59.1‑573.C

The VCDPA requires a controller to comply with authenticated requests to exercise the following rights:

Right to Access: To confirm whether or not a controller is processing the consumer’s personal data and to access such personal data.

Right to Deletion: To delete personal data provided by or obtained about the consumer.

Right to Portability: To obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.

Right to Correction: To correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.

Right to Opt Out: To opt out of the processing of personal data for the following purposes: (1) targeted advertising; (2) the “sale” of personal data; and (3) profiling in furtherance of decisions that produce legal or similarly significant effects for the consumer.

  • “Targeted advertising” is defined to include displaying ads based on personal data obtained from consumer activities over time and across nonaffiliated websites or applications.
  • “Sale” is defined to include the exchange of personal data for monetary consideration. Similar to the CPA, the VCDPA excludes the following disclosures from the definition of “sale”: to a processor that processes the personal data on behalf of the controller; to a third party for purposes of providing a product or service requested by the consumer; to an affiliate of the controller; of information that the consumer (i) intentionally made available to the general public via a channel of mass media and (ii) did not restrict to a specific audience; or to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.
  • “Profiling” is defined to include automated processing of personal data to analyze or predict consumer activities or characteristics. “Legal or similarly significant effects” include, among other things, decisions that impact financial services, housing, employment, and health care.

Additionally, like the CPA, the VCDPA prohibits controllers from processing sensitive data without first obtaining the consumer’s opt-in consent or, if pertaining to a known child, without first obtaining consent from the parent or lawful guardian in accordance with the Children’s Online Privacy Protection Act.

The VCDPA provides a statutory right to appeal the denial of a consumer rights request. If such an appeal is denied, the controller must ensure the consumer is provided with “an online mechanism, if available, or other method through which the consumer may contact the attorney general to submit a complaint.”

7. Healthcare Exceptions  

The CCPA, the CPRA, the CPA, and the VCDPA each contain exceptions for medical information or healthcare entities.

CCPA: Cal. Civ. Code § 1798.145(c)(1)

The CCPA does not apply to medical information or providers governed by the California Confidentiality of Medical Information Act (CMIA). The CCPA also does not apply to protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) and its regulations.

CPRA: Cal. Civ. Code § 1798.145(c)(1)

The CPRA does not apply to medical information or providers governed by the CMIA. The CPRA also does not apply to protected health information subject to HIPAA and its regulations.

CPA: Colo. Rev. Stat. § 6-1-1304(2)

The CPA does not apply to protected health information that is collected, stored, and processed by a HIPAA-covered entity or its business associates. In addition, it does not apply to information and documents created by a covered entity to comply with HIPAA. The CPA also does not apply to certain information maintained by a HIPAA-covered entity or business associate, a health-care facility or health-care provider, or a program of a qualified service organization as defined in 42 C.F.R. 2.11.

VCDPA: Va. Code §§ 59.1-572(B); 59.1-572(C)

The VCDPA does not apply to a covered entity or business associate that is subject to HIPAA and its regulations.

In addition, the VCDPA does not apply to protected health information under HIPAA, information used only for public health activities and purposes as authorized by HIPAA, or “information originating from, and intermingled to be indistinguishable with, or information treated in the same manner as information exempt under this subsection that is maintained by a covered entity or business associate as defined by HIPAA.”

8. Penalties Enforcement Risk (Private Right of Action)  

The CCPA, the CPRA, the CPA, and the VCDPA may each be enforced by the respective state’s attorney general. While the CPA and the VCDPA do not provide a private right of action, California consumers are empowered to file suit against businesses under the CCPA and the CPRA. The CCPA, the CPA and the VCDPA also require a cure period before an enforcement action is brought; Colorado’s cure period expires on January 1, 2025, and under the CPRA the cure period for regulator enforcement becomes discretionary rather than mandatory.

CCPA: Cal. Civ. Code §§ 1798.150; 1798.155

Enforcement by Consumers

  • The CCPA permits consumers to file suit against businesses when certain types of personal information, not encrypted or redacted, are subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security practices and procedures. Consumers can recover statutory damages of between $100 and $750 per consumer per incident or actual damages suffered, whichever is greater.
  • The following types of personal information can trigger the private right of action, in combination with the individual’s first name or first initial and last name: (1) a social security number, (2) a driver’s license or other government identification number, (3) an account number and any code or password that would grant access to a financial account, (4) medical information, (5) health insurance information, or (6) unique biometric data. The CPRA adds one more category to this list, as discussed below.
  • Under the CCPA’s notice-and-cure requirement, before the consumer files suit for statutory damages, he or she must give the business thirty (30) days’ advance notice identifying the alleged violations. If the business cures the violations within that period and gives the consumer a written statement that the violations have been cured and no further violations will occur, the consumer may not bring an action against that business—unless any further violations occur.

Enforcement by Regulators

  • The CCPA permits the California attorney general to enforce it. The attorney general may seek an injunction and statutory civil penalties of up to $2,500 per violation or $7,500 per intentional violation after a thirty (30)-day cure period. In July 2021, the attorney general released a summary of the actions it brought in the first year of its CCPA enforcement. As noted below, the CPRA also gives enforcement authority to a new privacy agency.

CPRA: Cal. Civ. Code §§ 1798.81.5; 1798.150; 1798.155; 1798.199.45-55; 1798.199.90

Enforcement by Consumers

  • As noted above, the CPRA adds a new category of data that, if breached, can give rise to a private right of action: an email address in combination with a password or security question that would permit access to the account.
  • The CPRA also narrows the CCPA’s notice-and-cure requirement. It states that implementing and maintaining reasonable security procedures and practices following a breach does not constitute a cure with respect to that breach, and so is not a bar to filing suit.

Enforcement by Regulators

  • The CPRA created a new agency, the California Privacy Protection Agency, to enforce the CCPA and CPRA. The Agency may investigate potential violations on its own initiative or after receiving a sworn complaint. If, after notice and a hearing, the Agency determines that a violation occurred, it may impose fines of up to $2,500 per violation or $7,500 per intentional violation or violation involving the personal information of minors.
  • The CPRA does not strip the attorney general of the enforcement authority that the CCPA provided.

CPA: Colo. Rev. Stat. §§ 6-1-1310; 6-1-1311

Enforcement by Consumers

  • The CPA does not provide a private right of action.

Enforcement by Regulators

  • The Colorado attorney general and district attorneys have exclusive authority to enforce the CPA by bringing an action either in the name of the state or on behalf of Colorado residents. Up until January 1, 2025, the Colorado attorney general or district attorneys must provide controllers a sixty (60)-day cure period before bringing any enforcement action; following this date, there is no statutory obligation to provide a cure period.

VCDPA: Va. Code Ann. §§ 59.1-583; 59.1-584

Enforcement by Consumers

  • As with the CPA, the VCDPA does not provide a private right of action.

Enforcement by Regulators

  • The Virginia attorney general has exclusive authority to enforce the VCDPA. The Virginia attorney general must provide a thirty (30)-day cure period, after which it may seek an injunction to restrain any violations and civil penalties of up to $7,500 for each violation, assuming the violations are not rectified during the cure period. The Virginia attorney general may also recover reasonable expenses, including attorney fees.

9. Security  

The CPRA, the CPA, and the VCDPA each require that covered businesses employ reasonable security procedures and practices to protect personal data. The VCDPA mandate is slightly more specific, requiring that controllers “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.” The CCPA does not itself contain an affirmative “reasonable security” requirement; instead, it provides a private right of action where a consumer’s nonencrypted and nonredacted personal information is subject to a breach that results from the business’s violation of the duty to implement and maintain reasonable security procedures and practices (a duty that California’s general data security statute, Cal. Civ. Code § 1798.81.5, imposes independently).

CCPA: Cal. Civ. Code § 1798.150(a)(1)

“Any consumer whose nonencrypted and nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

(A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty dollars ($750) per consumer per incident or actual damages, whichever is greater.

(B) Injunctive or declaratory relief.

(C) Any other relief the court deems proper.”

CPRA: Cal. Civ. Code § 1798.100(e)

“A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.”

Cal. Civ. Code § 1798.81.5(b)

“A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”

CPA: Colo. Rev. Stat. § 6-1-713.5

“(1) To protect personal identifying information, as defined in section 6-1-713(2), from unauthorized access, use, modification, disclosure, or destruction, a covered entity that maintains, owns, or licenses personal identifying information of an individual residing in the state shall implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.”

VCDPA: Va. Code Ann. § 59.1-578(A)(3)

“A controller shall…Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue.”