With new consumer privacy regulations going into effect this year, companies need to know what’s required when it comes to consumer information. In 2023, five states—California, Colorado, Connecticut, Utah, and Virginia—plan to roll out new regulations, which will affect 1 in 5 American consumers.
SixFifty recently participated in a consumer privacy webinar facilitated by the International Association of Privacy Professionals (IAPP). At the webinar, SixFifty COO and General Counsel Marie Kulbeth and VP of Legal Product Austin Smith discussed what’s on the horizon this year. Here’s a recap of what business owners need to know about consumer privacy this year.
Five states have new privacy laws
The California Consumer Privacy Act (CCPA) went into effect in 2020, and followed a lot of the data protection principles laid out by Europe’s GDPR. But changes are coming: the California Privacy Rights Act made significant amendments to the CCPA, implementing even stricter requirements for businesses that process the personal information of California residents. As with all state-level privacy laws these rules only apply to businesses that meet certain thresholds.
While the exact thresholds vary from state-to-state, in general, these privacy laws apply to businesses that:
- Process data of a significant number of residents of that state (e.g. 100,000 in California and Colorado);
- Make a certain percentage of their revenue from processing the data of state residents (e.g. 50% in California);OR
- (In some states) Exceed a certain amount of gross annual revenue (e.g. $25M in California).
Most of these laws include express carve-outs for certain types of personal data, such as information a company collects from its employees. However, California’s exemption for employee data sunsetted at the end of 2022, and employee data will therefore be covered under the CPRA moving forward. Several bills have been proposed to extend the exemption, and “we really do anticipate one of those bills will get passed,” Kulbeth says, “but we don’t know for sure.”
There are also exemptions for businesses in certain industries. Most states (except Colorado) provide exemptions for nonprofits, and some exempt entities covered under the Health Insurance Portability and Accountability Act (HIPAA) as well. One important point to keep in mind: just because your business has health information about its employees doesn’t mean it is covered under HIPAA exemptions. “I often say if HIPAA applies to you, you probably already know,” Smith says. Businesses should make sure they think critically about what privacy exemptions exist in a given state and carefully consider whether those exemptions apply before assuming they are exempt from compliance.
Another important point: if you’re a HIPAA-regulated entity that also collects marketing data, that data might not be subject to exemptions and instead be subject to data privacy laws. Both Kulbeth and Smith note that it’s important to differentiate between an exempt organization and exempt data, as you might have one but not the other.
For credit reporting, all five states have exempted information covered by the Fair Credit Reporting Act (FCRA). So if you deal in consumer credit reports, that data is covered under an exemption, but the entire company itself may not be exempt. And because the FCRA is notoriously tricky, both panelists recommend staying on top of what the new regulations are and exercising extra caution around using that data.
Each state also has some special exemptions, such as:
- California exempts vehicle information based on the driver privacy act.
- Colorado exempts air carriers and its state universities (as long as the university is using the data for non-commercial purposes).
- In Utah, air carriers and tribal nations are exempt.
- Connecticut, Utah and Virginia all completely exempt state universities.
- All five states provide exemptions for FERPA data.
Focusing on risk assessment can save time and decrease liability
In all five states, data controllers are required to notify consumers about their information gathering practices, as well as the methods consumers can use to make privacy requests. Additionally, starting on January 1, 2023, California requires controllers to notify consumers as to how long the controller plans to retain the data it collects.
Plan on doing and disclosing more about data retention, Smith advises. “But it’s also an opportunity … for data minimization and more efficient practices. I do think it has a lot of benefits.”
“It increases your efficiency and it also decreases your liability,” Kulbeth agrees.
Higher-risk activities, such as selling consumer data to third parties or engaging in consumer profiling, also come with increased risks of enforcement and fines. States differ in their requirements, but most mandate that businesses engaged in high-risk activities create risk assessments that weigh the potential harm of a processing activity against its benefits to determine whether the activity is justified. Both panelists agree these assessments are a crucial part of any business’ data privacy practices. Processing sensitive information—such as biometric data, facial recognition data, sexual orientation, religious affiliation, trade union membership, and more—is subject to extra requirements and higher penalties as well.
Whatever the regulations, businesses have an obligation to ensure that they have clear documentation and are ready to make it available as the law requires. “Transparency is the goal here,” Kulbeth says.
Finally, enforcement and penalties vary by state too. Some have a cap on the fine that can be assessed for each offense or each individual whose data is compromised; others impose additional penalties if the data belongs to a minor or an elderly person; and still others delineate whether the offense was intentional or accidental, while some make no distinction between the two. Whatever the rules, it’s always less headache (and expense) to stay ahead of the regulations and avoid the legal hassle of fines and fees.
SixFifty makes data privacy compliance easy
Of course, evolving regulations require evolving documentation. And because there’s so much nuance among the states, companies are faced with a choice: implement broader universal policies that cover all possible rules, with fewer updates but a heftier page count, or attack it piecemeal with a higher number of smaller documents, which will require more monitoring as updates (and potential liabilities) continue to roll out.
Choosing the right fit for your business doesn’t have to be a hassle. SixFifty’s All-US Privacy toolset can help businesses of any size generate legal documents to cover existing and evolving privacy regulations throughout the United States, for a fraction of the cost of in-house counsel. And when more states pass new laws, they’ll be covered too.
Request a demo today.