Colorado has just adopted a brand-new data privacy law and Nevada has just significantly amended its law. These changes add rights for consumers, and compliance obligations for businesses, that take the U.S. further in the direction of European-style privacy law. Colorado and Nevada join California and Virginia in adding to the growing patchwork of disparate state laws — making it that much harder for any business seeking to have a single privacy program that is compliant everywhere.
Privacy bills also recently were considered in New York, Florida, and Washington, but did not pass; these bills or others like them are expected to be revisited when the legislatures reconvene. If passed, these bills would further increase consumer rights, business obligations, and the patchwork problem.
Bills That Passed This Term
Colorado’s SB 21-190 (“Protect Personal Data Privacy”) was signed by Governor Jared Polis on July 7, 2021 and will go into effect on July 1, 2023. SB 21-190 imposes several new requirements on certain businesses that conduct business in Colorado or with residents of Colorado.
SB 21-190 has more than twenty exemptions, including for financial institutions and data governed by the Gramm-Leach-Bliley Act (“GLBA”) and for data governed by the federal Health Insurance Portability and Accountability Act and the Children’s Online Privacy Protection Act.
Key Provisions and Comparison with Other State Laws
The requirements for businesses under SB 21-190 are largely similar to those prescribed by California’s Privacy Rights Act (“CPRA”) and Virginia’s Consumer Data Protection Act (“VCDPA”). For example, similar to the CPRA, SB 21-190 obligates businesses to allow consumers to access, correct, or delete their personal data, and enables consumers to obtain a portable copy of their data in certain circumstances. SB 21-190 also obligates businesses to allow consumers to opt out of the processing of their personal data for targeted advertising as well as for sale.
Going beyond the CPRA, SB 21-190 also permits consumers to opt out of data processing for the purpose of profiling resulting in legal consequences (defined as “the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services”). SB 21-190 further requires businesses to provide a universal opt-out mechanism by July 1, 2024.
On the other hand, SB 21-190 does not grant consumers the right to restrict businesses from processing their personal information outside of the circumstances highlighted above, nor does it grant consumers the right to opt out of AI or automated decision making specifically, a right included in both the CPRA and the VCDPA.
Like the VCDPA, Colorado’s bill follows the European model of according enhanced rights, and imposing enhanced compliance obligations, for so-called “sensitive” data. Businesses would also need to obtain consumer consent prior to collecting any sensitive data. The bill defines “sensitive data” as data that reveals “racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status” or “genetic or biometric data that may be processed for the purpose of uniquely identifying an individual” or “personal data from a known child.”
Data Protection Assessments
Also similar to a provision of the VCDPA that has often been criticized for being vague and overly burdensome, SB 21-190 requires businesses to conduct regular data protection assessments for each of their activities that involve personal data and present a heightened risk of harm to consumers. Companies need to make these assessments available to the Colorado Attorney General upon request. SB 21-190 defines activities that present a heightened risk of harm as including: targeted advertising or profiling, selling personal data, and processing sensitive data.
Data Controllers and Processors
Colorado’s SB 21-190 adopts similar language to the VCDPA and the General Data Protection Regulation (“GDPR”) in that it covers “data controllers” (essentially, data owners) and “processors” (essentially, firms that assist controllers with their data). A processor, under SB 21-190, has a duty to “assist the controller” in adhering to its obligations. Further, “processing by a processor must be governed by a contract between the controller and the processor that is binding on both parties” and includes specific provisions such as the processing instructions by which the processor is bound, the type of personal data to be processed, and the duration of processing. Controllers are obligated to respond to requests from consumers, and may not use discriminatory methods when controlling the personal data of consumers.
Controllers also have a duty of care to take “reasonable measures in order to secure consumers’ personal data from unauthorized acquisition during both storage and use.” The data security measures that controllers implement must be “appropriate to the volume, scope, and nature of the personal data processed and the nature of the business.” To determine what measures are “reasonable” and “appropriate,” businesses should pay attention to industry-standard data security practices and measures taken by their industry peers.
No Consumer Right of Action
Colorado’s SB 21-190 does not grant consumers a private right of action. Rather, the Attorney General and District Attorneys of the state will have the exclusive enforcement authority to bring actions either in the name of the state or on behalf of those residing in the state. Violations will be punishable by civil penalties or by injunction, but prior to taking any enforcement action the Attorney General and District Attorneys are required to issue a notice to the business in question if the violation is one that can be cured. The business will then have sixty days to cure the violation. This cure provision will expire on January 1, 2025.
Nevada’s SB 260 was signed by the governor and will become effective on October 1, 2021. SB 260 expands Nevada’s existing notice and opt-out regime, passed in 2019, governing the sale of personal information online.
Nevada’s existing privacy statute required website operators that collected personal information to allow consumers to opt out of the sale of their personal data; Nevada’s SB 260 expands the scope of these requirements to encompass the activities of data brokers, as well as website operators. Nevada’s SB 260 also expands the definition of “sale” under the statute to cover any transfer of covered information in exchange for monetary consideration. The statute previously required that the transaction be for the purpose of licensing or selling covered information to additional persons. SB 260 brings Nevada’s law more in line with the California Consumer Privacy Act (“CCPA”), but the definition of “sale” is still narrower than California’s, and SB 260 did not adopt the CPRA’s inclusion of data sharing or the exchange of data for some other non-monetary valuable consideration.
The Nevada bill also requires data brokers to establish a designated request address where consumers may submit requests “directing the data broker not to make any sale of covered information about the consumer that the data broker has purchased or will purchase.”
SB 260 is enforceable only by the Attorney General. Nevada’s SB 260 exempts data governed by the Fair Credit Reporting Act (“FCRA”), the Driver’s Privacy Protection Act (“DPPA”), and the GLBA, as well as data processed for fraud prevention and publicly available data. Consumer reporting agencies and financial institutions subject to the GLBA are also exempt.
Bills Not (Yet) Passed
The New York Privacy Act (NYPA) failed to pass before the New York legislature’s adjournment. It is expected to be re-introduced in the next session.
NYPA contained several novelties. First, covered businesses would have to obtain “specific, informed, and unambiguous opt-in consent” to collect, use, share, or sell consumers’ personal data. Such requirements go beyond the opt-out regime of the CCPA and CPRA and, if passed, would align New York’s law more closely with the GDPR.
Also of note, the NYPA would impose a duty of loyalty and duty of care on entities that control, process, or sell the personal data of consumers.
The NYPA would establish a private right of action to enjoin any violation of the statute, and would provide that any injured plaintiff could seek compensation for actual damages or $1,000 (whichever is greater) and attorneys’ fees in a private cause of action, including on a class-wide basis.
Florida’s HB 969 attracted considerable media attention throughout the spring of 2021. The original bill was modeled on the CCPA; in its original form, it granted consumers rights of access, correction, and deletion, as well as a private right of action for data breaches. Businesses would be bound to use consumers’ data only for the purposes they had disclosed when collecting the data, and would have thirty days to cure any violations.
The original bill was substantially revised by the State Senate after passing the House. In the face of substantial concern from the local business community, Florida legislators removed the private right of action, leaving enforcement to the Florida Attorney General. The Florida legislative session ended on April 30, 2021 without passing the bill, as the House was unwilling to compromise on the removal of the private right of action. Businesses should keep an eye out for a return of the bill next session in light of the continuing interest in privacy legislation by both state and federal lawmakers.
Washington considered two comprehensive privacy bills similar to the CCPA and GDPR, both of which gained national media attention. The Senate’s bill, SB 5062, guaranteed consumers the right to access, correct, and delete data, as well as the right to data portability, and the right to opt out of data processing for targeted advertising, data sale, or profiling that could have legal effects. The bill also included notice requirements, risk assessment requirements, and limits on how data could be used. By contrast, the House bill, HB 1433, did not require risk assessments from businesses but was notable in that it would have required universal opt-ins from consumers before data could be used rather than opt-outs.
The House bill died in committee. Debate raged within the state regarding whether the bill should have a private right of action, which is largely viewed as the reason why the bill failed to pass for the third year in a row. If the past three years are anything to go by, another version of one of the two bills is almost guaranteed to be re-introduced in some form in the next session of the legislature.
* * * *
Businesses should begin to plan their compliance strategies for Nevada’s SB 260 and Colorado’s SB 21-190. Further, businesses should expect that bills, such as the NYPA, Florida’s HB 969, and Washington’s two bills, or others like them, may succeed in the next legislative session, as public and legislative interest in digital privacy shows no signs of abating.
This post comes to us from Debevoise & Plimpton LLP. It is based on the firm’s memorandum, “New Privacy Legislation in the U.S.: The Patchwork Problem Grows,” dated July 9, 2021, and available here. The authors would like to thank Debevoise law clerk Samuel Allaman and summer associates Abigail Liles and Trevor Sikes for their contributions to the memorandum.