Privacy Laws

Privacy law is becoming increasingly more complex. With major privacy regulations changes in the United States, Europe and China, you may have a lot of questions about how your business can stay up-to-date and compliant. SixFifty recently conducted a webinar to answer all your questions regarding privacy laws in California, Virginia, Colorado, Europe, and China. Questions and answers covered Applicability, Personal Information, Opt Out Rights, Exceptions and Exclusions, and more.



Applicability of Privacy Laws

Personal Information

Privacy Laws and Personal Information

Exceptions and Exclusions

Exceptions and Exclusions in Privacy Laws

Opt Out Rights

Opt-Out Rights and Privacy Laws

What Do You Need To Know About Competing Rights Requests?

If the same customer uses do-not-sell requests and  deletion requests simultaneously, you have a few options. If everything is deleted, you can’t sell it, so deleting the data also fulfills the “do not sell” request. If the consumer wants to keep an account or you need to fulfill existing orders you may need to mark data as “to-be-deleted” on a future date in order to stay in compliance.

If simultaneous access and deletion requests are submitted separately, you should ensure the access request is fulfilled first.

Is Compliance with the CCPA Enough for Other US State Privacy Laws?

The short answer is no. However, it can definitely help! Data mapping is the first step to staying compliant and is  important for companies to implement. Data mapping is the process of taking inventory of the personal data in your company’s systems and having an up-to-date “map” of where that data comes from and where it’s stored,. Existing processes for rights requests should be updated, as Colorado and Virginia require an appeal process. Colorado will also require recognition of universal opt-outs. And it is important to note that the CPRA (The California Privacy Rights Act) will amend and expand on the CCPA in 2023

Virginia and Colorado’s new privacy laws will include a requirement that companies conduct “data protection impact assessments.” DPIAs help organizations identify, assess and reduce privacy risks to a company’s data processing activities. They are crucial when introducing new data processes, systems and technologies, and are already required under the GDPR in Europe.

What to Know About Not-So-Standard Contractual Clauses?

In accordance with the General Data Protection Regulation (GDPR), contractual clauses ensure the appropriate data protection safeguards are being used as a ground for data transfers from the European Commission (EU) to another country. This includes model contract clauses that are called “standard contractual clauses” (SCCs), which have been pre-approved by the EU. And for now the United Kingdom still uses the old European Union SCCs while they are working on publishing new ones. And to be in compliance, your company must use SCCs for all new agreements. Meanwhile, China is working on publishing new SCCs for  what will be required for transferring data outside of China. China has not commented on when these new SCCs will be issued.

GDPR: New Standard Contractual Clauses and What to Know

There are four scenarios to the GDPR regarding SCCs:

  • Controller-to-Controller
  • Controller-to-Processor
  • Processor-to-Processor
  • Processor-to-Controller

To be compliant, Europe contracts will need to start using the new SCCs (Standard Contractual Clauses) starting September 27, 2021 and contracts with the old SCCs will need to be updated by no later than December 27, 2021.

Are Europe and the United Kingdom Drifting Apart with Privacy Law regulations?

SCCs are still the biggest exception, as the United Kingdom is still using the old GDPR SCCs. For now, no SCCs are needed for transfers between Europe and the United Kingdom. However, companies may still need a representative in both the United Kingdom and Europe if they operate in both places.

What to Know About CPRA January 2023

The California Privacy Rights Act (CPRA) amends and expands on CCPA. It strengthens the rights of California residents and tightens a company’s regulations on the use of personal information. The new CPRA looks back to January 2022 for “right to know” and access. So, when a consumer submits a request to know, the business must supply all relevant information going back at least 12 months. In addition, the CCPA requires a business to include categories of third parties that disclose personal information. And the CPRA adds the requirement to let consumers know the categories of service providers and contractors to whom it discloses information.

Is a recruiting agency collecting data for a job opportunity exempt in Virginia?

The Virginia Consumer Data Protection Act ( VCDPA) applies to personal data of data subjects acting in an individual or household (not employment or commercial) context. And any employment and business-to-business contexts are exempt. In addition, this scenario is likely outside the scope of the VCDPA if collecting directly from the data subject. Data is exempt to the extent that the data is collected and used within that context.

What’s the Virginia appeal process?

The VCDPA requires an internal appeal process for rights requests that are refused. And any appeals can be made within a reasonable time period, which is similar to the regular rights request process. To appeal you will need a written explanation of reasons, and appeals can take up to 60 days to act on. If an appeal is denied, your company must inform consumers of how to submit a complaint to the Virginia Attorney General.

Will Colorado have more privacy enforcers?

Colorado Governor Jared Polis signed into law the Colorado Privacy Act (CPA) on July, 7, 2021, making Colorado the third state to pass comprehensive consumer privacy legislation, following California and Virginia. The Colorado Privacy Act will go into effect July 1, 2023. The CPA is unique as it gives the Colorado Attorney General and the district attorneys the right to enforce. And the general consumer protection law determines fines up to $20,000 per violation, not to exceed $500,000 in total, for any related series of violations, or $10,00 per violation if the Consumer is 60 years old or older, with no cap. With that said, there will also be a 60-day cure provision.

What is the Universal Opt-out in Colorado?

Starting July 1, 2024, companies must recognize a “universal opt-out mechanism,” with targeted ads and sales being a part of the universal opt-out. However, despite a universal opt-out company’s can still let users choose to allow these processes. The attorney general will issue regulations by July 1, 2023. As an added note, the CCPA ( California Consumer Privacy Act) regulations also require businesses to honor “user-enabled global privacy controls.”

What Are the COVID-19 Privacy Issues with CCPA?

This will only apply if an organization is covered by CCPA. If your company is dealing with California residents’ protected health information, you will need to give proper notice to employees and non-employees. You will need to limit information collected according to the notice, the use of data according to the notice, and sharing of data according to the notice. In addition, your company will need to provide non-employees from whom you collect protected health information with ways to exercise their CCPA rights.

What are the COVID-19 Privacy Issues with ADA?

The ADA ( Americans with Disabilities Act) applies if you have 15 or more employees.

What would be considered a Medical Record or Exam?

  • Self-Screening
  • Health Professional Screening
  • Temperature Taking
  • Collecting Vaccination Cards
  • Vaccination Self-Reporting

Medical Records must be kept confidential and separate from personnel files. Records must also be kept confidential for at least 1 year following creation or employee termination, whichever is later.

What are COVID-19 Privacy Issues with OSHA?

This gives employees the right to access medical records and your company must retain medical records for 30 years after employment.

  • Medical records include:
  • Records concerning your health status created or maintained by a healthcare professional.
  • Health Professional Screening
  • Vaccination Card

Results of medical examinations and laboratory tests included:

  • Covid Test Result
  • Medical records do not include:
  • Self-Screening
  • Vaccination Self-Report

What are the COVID-19 Privacy Issues with HIPAA?

HIPAA (Health Insurance Portability and Accountability Act) only applies to covered entities such as health care providers, insurers and medical billing companies. HIPAA does not prevent an employer, a restaurant, or a gym from asking for your vaccination status. It is solely about the release of protected health information (PHI) without an individual’s consent.

Want to Learn More

Want to learn more? Watch SixFifty’s recent webinar, “Everything You Wanted to Know About Privacy Laws (and were brave enough to ask.)“


SixFifty Solutions

Privacy law has become increasingly more complex over the past year. There are now major privacy regulations in the United States, Europe, and China. With SixFifty’s automated privacy solution, you can stay up to date and draft the legal documentation you need to comply with the ever-changing privacy laws worldwide.

Ready to get started?

Learn more about SixFifty’s privacy compliance solutions and book a free demo at