It hasn’t been long since the California Consumer Privacy Act (CCPA) was the only comprehensive privacy law in the United States. Less than two years after the CCPA went into effect, California passed a new privacy law through a ballot initiative — the California Privacy Rights and Enforcement Act (CPRA) — and has been joined by Virginia and Colorado as other states that have passed their own privacy laws. These three states are already creating a patchwork of compliance obligations for businesses and may be joined by other states in the near future.
The recently passed privacy laws in California, Colorado and Virginia differ from one another in significant ways. However, as other state regulators and legislatures debate passing their own privacy laws, it is worth assessing the current U.S. privacy landscape and how these new laws could shape future legislation. Risk professionals can use these existing laws and their similarities to analyze which aspects other states are most likely to adopt in the future, should they pass their own bills.
Here are four privacy law trends that are likely to influence other states:
The GDPR remains a key model
Though the passage of the CCPA in 2018 inspired other state legislatures to consider their own comprehensive privacy laws, the European Union’s General Data Protection Regulation (GDPR) may serve as more of a model for U.S. states than California’s law. For example, Virginia’s Consumer Data Protection Act (CDPA) and the Colorado Privacy Act (CPA) both adopt the GDPR’s controller/processor framework, rather than the CCPA’s business vs. service provider distinction. They also incorporate some of the GDPR’s privacy by design principles, like data minimization and purpose limitation, which were not included in the original CCPA. Even the CPRA, while mostly maintaining the CCPA’s core framework, expands the law using some GDPR techniques, such as adding a category of sensitive personal information and a right to rectify for consumers.
Focus on targeted advertising
While the CCPA did not address targeted advertising directly, the ambiguity over what constituted a “sale” under the law (and thus required an opt-out) had a substantial impact on the industry. The CDPA and CPA directly regulate targeted advertising by requiring that controllers provide an opt-out for such processing and conduct a data protection assessment prior to engaging in this activity. Given the notoriety of this topic, targeted advertising is likely to be on the agenda for other states.
Sensitive information may require special protection
The CPRA, CDPA and CPA all distinguish between information that is generally regulated under the law and “sensitive” data: information that requires additional protection. While the exact definition of what information is considered sensitive under these laws varies, there are a number of common elements between the three. Other states may adopt special protections for health information, genetic and biometric data and information about race and ethnicity, among other topics.
Laws include many exemptions
The CDPA and CPA have adopted the CCPA/CPRA’s approach of broadly exempting information governed by various federal laws, such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA). These laws have also incorporated employment and B2B exemptions akin to the CCPA/CPRA. While these exemptions will likely continue to be a trend, their exact scope may vary. For example, the CDPA creates an entity-wide exemption for financial institutions regulated by the GLBA and for covered entities and business associates governed by HIPAA. This is much broader than the CCPA/CPRA’s exemptions for these laws, which apply to the regulated information itself rather than to the entities that process it. The CPA and CDPA’s employee and B2B exemptions are also written more broadly than the CCPA/CPRA’s exemptions for these categories of information. Other states will likely continue to exclude these categories of information, but the exact approach they implement may vary.
In addition to the trends discussed above, future U.S. privacy legislation may include other elements that are typical of comprehensive privacy laws, such as individual rights for consumers and contractual obligations for businesses. Whether it be New York, Washington, Ohio or even Congress that passes the next comprehensive privacy law in the U.S., the above trends are likely to be addressed in some form.