After the passage of the Colorado Privacy Act earlier this month, businesses that operate across the U.S. are now confronted with the challenge of developing privacy compliance programs for three new privacy laws by 2023: (1) the California Privacy Rights Act (CPRA), which takes effect January 1, 2023; (2) the Virginia Consumer Data Protection Act (VCDPA), which takes effect January 1, 2023; and (3) the Colorado Privacy Act, which takes effect July 1, 2023. While similarities across the three laws will allow businesses to take a unified compliance approach on some issues, there are also significant differences between the three laws that may require businesses to take a state-by-state approach on certain issues or to adopt the strictest requirements of the three laws for a national compliance program. In this post, we highlight 10 of the most significant differences between the laws that businesses should be aware of as they move forward with developing their U.S. privacy compliance plans for 2023.

1. Complete Exemptions for Certain Types of Entities

California (CPRA)

  • Relatively few entity-wide exemptions apart from its exemption for certain entities regulated by HIPAA or the Confidentiality of Medical Information Act.
  • Largely exempts nonprofits from most requirements of the law by defining "businesses" as for-profit entities.

Virginia (VCDPA)

  • Entity-wide exemptions for: (1) financial institutions subject to the GLBA; (2) entities regulated by HIPAA; (3) nonprofit organizations; and (4) certain higher education institutions.

Colorado (CPA)

  • Entity-wide exemptions for: (1) financial institutions subject to the GLBA and affiliates of such institutions; and (2) state institutions of higher education.
  • Notably lacks an entity-wide exemption for HIPAA-regulated entities. However, it includes broad exemptions for HIPAA-regulated data and certain other data maintained by covered entities, business associates, and other health care entities.

2. Exemptions for Human Resources (HR) and Business-to-Business (B2B) Data

California (CPRA)

  • No exemptions for HR or B2B data. While the CCPA contains exemptions for such data, these exemptions will expire on January 1, 2023 when the CPRA takes effect.

Virginia (VCDPA)

  • Relatively broad HR data exemption that covers, among other things, data maintained about applicants, employees, and contractors, and data maintained about emergency contacts and beneficiaries.
  • Seems to exempt many types of B2B data by virtue of its definition of "consumer," which expressly excludes persons acting in a "commercial or employment context."

Colorado (CPA)

  • General exemption for "data maintained for employment records purposes." While this will likely cover many types of HR data, the absence of a definition for this term leaves some ambiguity about the scope of the exemption.
  • Seems to exempt many types of B2B data by virtue of its definition of "consumer," which expressly excludes persons acting in a "commercial or employment context."

3. The Scope of Opt-out Rights

California (CPRA)

  • Consumers can opt-out of (1) the "sale" of personal information and (2) "sharing" of personal information.
    • "Sale" is defined to include making personal information available to a third party for monetary or other valuable consideration.
    • "Sharing" is defined to include sharing personal information with a third party "for cross-context behavioral advertising, whether or not for monetary or other valuable consideration."

Virginia (VCDPA)

  • Consumers can opt-out of: (1) targeted advertising; (2) the "sale" of personal data; and (3) profiling in furtherance of decisions that produce legal or similarly significant effects.
    • "Targeted advertising" is defined to include displaying ads based on personal data obtained from consumer activities over time and across non-affiliated websites or applications.
    • "Sale" is defined to include the exchange of personal data for monetary consideration."
    • "Profiling" is defined to include automated processing of personal data to analyze or predict consumer activities or characteristics. "Legal or similarly significant effects" include, among other things, decisions that impact financial services, housing, employment, and health care.

Colorado (CPA)

  • Consumers can opt-out of: (1) targeted advertising; (2) the "sale" of personal data; and (3) profiling in furtherance of decisions that produce legal or similarly significant effects.
    • Largely follows the VCDPA's definitions for targeted advertising and profiling in furtherance of decisions that produce legal or similar significant effects.
    • Follows the CCPA/CPRA definition for "sale" (i.e., it covers transfers of personal data for "other valuable consideration").

4. Opt-out Signals

California (CPRA)

  • Allows businesses to forgo a "Do Not Sell or Share My Personal Information" link on their homepages if they allow consumers to signal their intent to exercise those rights via a technical opt-out signal that complies with specifications to be set forth in regulations.
  • Consumers may also authorize another person to exercise opt-out rights on their behalf, including through an opt-out preference signal.

Virginia (VCDPA)

  • Does not have any provisions that address opt-out preference signals.

Colorado (CPA)

  • Allows consumers to exercise their opt-out rights via authorized third parties, including via browser/device signals.
  • Calls for the Attorney General to develop rules for a universal opt-out signal to allow consumers to simultaneously opt-out from targeted advertising and the sale of personal data. Controllers must offer this universal opt-out mechanism by July 1, 2024.

5. Sensitive Data Requirements

California (CPRA)

  • Gives consumers the right to limit the use of "sensitive personal information" (e.g., government identification numbers, precise geolocation data, biometric data) to certain business purposes (e.g., purposes necessary to provide a service requested by the consumer). In other words, if a business is processing sensitive personal information for purposes that go beyond the core purposes permitted by the CPRA, consumers have a right to stop such processing.

Virginia (VCDPA)

  • Requires that controllers obtain opt-in consumer consent to process "sensitive data" (e.g., data revealing racial or ethnic origin, health data, precise geolocation data, biometric data, data of a known child).
  • Parental consent is required to process the data of a consumer under 13 years of age.

Colorado (CPA)

  • Requires that controllers obtain opt-in consumer consent to process "sensitive data" (e.g., data revealing racial or ethnic origin, health data, biometric data, data of a known child).
  • Parental consent is required to process the data of a consumer under 13 years of age. However, it is important to note that data regulated by COPPA is completely exempt from the requirements of the CPA.

6. Data Protection Assessments

California (CPRA)

  • Does not currently have any requirements for data protection assessments.
  • However, there is a provision in the rulemaking section that calls for the issuance of regulations requiring risk assessments for processing activities that present significant risk to consumers' privacy or security. Therefore, this requirement may be added before the law takes effect.

Virginia (VCDPA)

  • Requires controllers to conduct data protection assessments for a range of activities, including: targeted advertising, sales of personal data, the processing of personal data for profiling that creates certain risks for consumers, the processing of sensitive data, and any other activities that present a heightened risk of harm to consumers.

Colorado (CPA)

  • Requires controllers to conduct data protection assessments for a range of activities, including: targeted advertising, sales of personal data, the processing of personal data for profiling that creates certain risks for consumers, and the processing of sensitive data.

7. Contracting Requirements

California (CPRA)

  • Imposes a general set of contract requirements that businesses must implement with (1) third parties to which the business sells or shares personal information and (2) contractors and service providers to which the business discloses personal information for business purposes. Among other things, these contracts must specify that the personal information is sold, shared, or disclosed for limited and specified purposes, obligate the recipient to comply with applicable CPRA requirements, and give the business the right to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
  • In addition to the above requirements, requires that specific provisions be included in contracts with service providers and contractors. Among other things, these contracts must prohibit the recipient from selling or sharing the personal information or retaining, using, or disclosing personal information other than for specified purposes.

Virginia (VCDPA)

  • Similar to the GDPR, requires that a contract govern a processor's processing of personal data on behalf of a controller. These requirements are somewhat similar to the GDPR Article 28 requirements for controller-processor contracts (e.g., set out the details of the processing activities, allow for controller audits).

Colorado (CPA)

  • Similar to the GDPR, requires that a contract govern a processor's processing of personal data on behalf of a controller. These requirements are somewhat similar to the GDPR Article 28 requirements for controller-processor contracts (e.g., set out the details of the processing activities, allow for controller audits).

8. Appeals for Rights Requests

California (CPRA)

  • No consumer right to appeal denied rights requests.

Virginia (VCDPA)

  • Consumers have the right to appeal a controller's denial of a rights request. If the appeal is denied, the controller must provide the consumer with a mechanism to contact the Attorney General and submit a complaint.

Colorado (CPA)

  • Consumers have the right to appeal a controller's denial of a rights request. Controllers must also inform consumers of their ability to contact the Attorney General if they have concerns about the results of the appeal.

9. Regulator Enforcement

California (CPRA)

  • Enforced by both the California Attorney General and the California Privacy Protection Agency, both of which have the power to impose penalties/fines of up to $2,500 per violation or $7,500 per intentional violation/violation involving consumers under 16 years of age.

Virginia (VCDPA)

  • Enforced exclusively by the Virginia Attorney General, who has the power to impose penalties of up to $7,500 per violation.

Colorado (CPA)

  • Enforced by the Colorado Attorney General and the 22 Colorado District Attorneys. Violations of the CPA are treated as deceptive trade practices, which are subject to penalties of up to $20,000 per violation under the Colorado Consumer Protection Act.

10. Cure Periods

California (CPRA)

  • The CPPA is permitted, but not required to offer a period to cure violations of the CPRA.

Virginia (VCDPA)

  • The Attorney General must give controllers or processors 30 days to cure alleged violations of the VCDPA before initiating an enforcement action.

Colorado (CPA)

  • The Attorney General and District Attorneys must offer a 60-day cure period prior to initiating an enforcement action "if a cure is deemed possible." This cure period provision of the CPA expires on January 1, 2025.

Next Steps

As we move into the latter half of 2021, businesses should begin giving thought to the changes they will need to make to their privacy compliance programs in order to address the next generation of U.S. state privacy laws that will come online in 2023. While this post highlights 10 of the most significant areas where the CPRA, VCDPA, and CPA have differences, there are many others. A thorough understanding of the similarities and differences between the three laws will be necessary in order to design an efficient and effective U.S. privacy compliance program that is fit for 2023.

Businesses should also continue to monitor policy developments in this space. Many state legislatures took up consumer privacy legislation in 2021 and some could look to do so again in 2022. Additionally, the requirements for the CPRA and CPA will be further built out through rulemaking in 2022. While the VCDPA does not contain a rulemaking provision, it does call for a working group to study the law and report back to the legislature by November 2021. It is possible that this report will lead to amendments to the law in the 2022 legislative session. Businesses may want to consider participating in those rulemaking processes in order to raise any concerns they have about the implementation of these laws.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.