Utah Becomes Fourth U.S. State to Enact Consumer Privacy Law

On March 24, 2022, Utah became the fourth state in the U.S., following California, Virginia and Colorado, to enact a consumer data privacy law, the Utah Consumer Privacy Act (the “UCPA”). The UCPA resembles Virginia’s Consumer Data Protection Act (“VCDPA”) and Colorado’s Consumer Privacy Act (“CPA”), and, to a lesser extent, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (“CCPA/CPRA”). The UCPA will take effect on December 31, 2023.

The UCPA applies to a controller or processor that (1) conducts business in Utah or produces a product or service targeted to Utah residents; (2) has annual revenue of $25,000,000 or more; and (3) satisfies at least one of the following thresholds: (a) during a calendar year, controls or processes the personal data of 100,000 or more Utah residents, or (b) derives over 50% of its gross revenue from the sale of personal data, and controls or processes the personal data of 25,000 or more consumers.

As with the CPA and VCDPA, the UCPA’s protections apply only to Utah residents acting solely within their individual or household context, with an express exemption for individuals acting in an employment or commercial (B2B) context. Similar to the CPA and VCDPA, the UCPA contains exemptions for covered entities, business associates and protected health information subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and financial institutions or personal data subject to the Gramm-Leach-Bliley Act (“GLB”). As with the CCPA/CPRA and VCDPA, the UCPA also exempts from its application non-profit entities.

In line with the CCPA/CPRA, CPA and VCDPA, the UCPA provides Utah consumers with certain rights, including the right to access their personal data, delete their personal data, obtain a copy of their personal data in a portable manner, opt out of the “sale” of their personal data, and opt out of “targeted advertising” (as each term is defined under the law). Notably, the UCPA adopts the VCDPA’s more narrow definition of “sale,” which is limited to the exchange of personal data for monetary consideration by a controller to a third party. Unlike the CCPA/CPRA, CPA and VCDPA, the UCPA will not provide Utah consumers with the ability to correct inaccuracies in their personal data. Also unlike the CPA and VCDPA, the UCPA will not require controllers to obtain prior opt-in consent to process “sensitive data” (i.e., racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, medical or health information, genetic or biometric data, or geolocation data). It will, however, require controllers to first provide consumers with clear notice and an opportunity to opt out of the processing of his or her sensitive data. With respect to the processing of personal data “concerning a known child” (under age 13), controllers must process such data in accordance with the Children’s Online Privacy Protection Act. The UCPA will prohibit controllers from discriminating against consumers for exercising their rights.

In addition, the UCPA will require controllers to implement reasonable and appropriate data security measures, provide certain content in their privacy notices, and include specific language in contracts with processors.

Unlike the CCPA/CPRA, VCDPA and CPA, the UCPA will not require controllers to conduct data protection assessments prior to engaging in data processing activities that present a heightened risk of harm to consumers, or to conduct cybersecurity audits or risk assessments.

In line with existing U.S. state privacy laws, the UCPA does not provide for a private right of action. The law will be enforced by the Utah Attorney General.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Colorado Privacy Act: New Protections for Consumers in the Centennial State

On July 1, 2023, the Colorado Privacy Act (CPA) will go into effect as the third state law generally governing consumer data privacy; it was the second such law enacted in 2021. If you do business with consumers in Colorado, regardless of your location, you should begin familiarizing yourself with the requirements of the CPA now. While the CPA is similar to the California Privacy Rights Act (CPRA) and Virginia’s Consumer Data Privacy Act (VCDPA), certain elements distinguish the Colorado law from its counterparts. Unlike the California law, the CPA does not apply to personal data in the employee or business-to-business relationship. This client alert provides a breakdown of the general requirements and obligations on businesses and key distinctions with other state data privacy laws.

Covered Businesses and Applicability

Covered Controllers

The CPA applies to any business, called a “controller” under the statute, who “alone, or jointly with others, determines the purposes for and means of processing personal data,” and “conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado” and:

  • Controls or processes the personal data of 100,000 consumers or more during a calendar year; or
  • Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.

There are a number of exemptions to the applicability provision that should be considered as part of the analysis of applicability. First, the definition of consumers does not include “individual[s] acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.” Second, the Act does not apply to certain types of personal data, as defined by the type of data, such as patient data, or as defined by the statute by which the collection and use of the data is regulated, such as Gramm-Leach-Bliley. Third, the Act does not apply to certain types of businesses, such as air carriers, public utilities (as defined by Colorado law), or those subject to Gramm-Leach-Bliley. Notably, there is no revenue threshold requirement, meaning an applicability analysis begins by looking at the number of records processed.

Covered Individual

To reiterate, the CPA does not apply to employee data; as under the VCDPA, a consumer is a Colorado resident acting only in an individual or household context.

Personal Data

The CPA defines personal data as “information that is linked or reasonably linkable to an identified or identifiable individual,” but does not include “de-identified data or publicly available information,” including data “that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public.” This definition is similar to the VCDPA.

Controller and Processor Obligations

If the CPA is applicable to a controller, then the controller and its processors (a person that processes personal data on behalf of a controller) must adhere to a set of obligations. The CPA sets out an analysis for determining whether a person is acting as a controller or a processor.

Obligations and Duties of Controllers

Under the Act, controllers must:

  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk;
  • Comply with the duty of transparency by providing notice of the sale of personal data and the ability to opt out and by providing “a reasonably accessible, clear, and meaningful privacy notice” that includes:
    • Categories of personal data collected/processed;
    • Purpose(s) of processing;
    • How consumers may exercise rights and appeal controller’s response to consumer’s request;
    • Categories of personal data shared; and
    • Categories of third parties personal data is shared with;
  • Respond to the consumer’s exercise of their rights;
  • Comply with the duty of purpose specification;
  • Comply with the duty of data minimization;
  • Comply with the duty to avoid secondary use;
  • Comply with the duty of care that is appropriate to the volume, scope, and nature of the personal data processed;
  • Comply with the duty to avoid unlawful discrimination;
  • Process sensitive data only with the consent of the consumer. Sensitive data is “(a) personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; (b) genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or (c) personal data from a known child;”
  • Perform data protection assessments before beginning processing activities that present a heightened risk of harm to a consumer – certain situations of targeted advertising or profiling, selling personal data, and processing sensitive data are activities that present a heightened risk of harm; and
  • Engage processors only under a written contract, which shall include the type of personal data processed and other requirements under the CPA.

Obligations of Processors

Under the Act, processors must:

  • Assist controllers in meeting their obligations under the CPA;
  • Adhere to instructions of controller and assist controller in meeting those obligations, including security of processing and data breach notification;
  • Ensure a duty of confidentiality for each person processing personal data; and
  • Engage subcontractors pursuant to a written contract and only after providing the controller an opportunity to object.

Rights of Consumers

Like the VCDPA and CPRA, the CPA includes a suite of rights which consumers may request with respect to their personal data:

  • Right of access;
  • Right to correction;
  • Right to delete;
  • Right to data portability;
  • Right to opt out, including specifically of targeted advertising or the sale of personal data; and
  • Right to appeal, including the right to contact the attorney general if the appeal is denied.

Within forty-five days of receipt of a request, a controller must respond by (a) taking action on the request, (b) extending the time for taking action up to an additional forty-five days, or (c) not taking action and providing the instructions for an appeal. Information provided under a first request within a 12-month period must be at no charge to the consumer. Controllers may implement processes to authenticate the identity of consumers requesting rights.

Enforcement of the CPA

There is no private right of action under the CPA; enforcement authority is delegated to both the Colorado attorney general and district attorneys. The CPA doubles the cure period granted to controllers under the VCDPA and CPRA to 60 days; however, the entitlement to a cure period will sunset on January 1, 2025. Under the CPA, a violation is a deceptive trade practice under the Colorado Consumer Protection Act, such that while the CPA does not specify a penalty amount, the Colorado Consumer Protection Act specifies a penalty of up to $20,000 per violation.

What’s Next

If the CPA is the first data protection legislation applicable to your organization, the time to transition your team – IT, marketing, legal – is now. Delays in implementation are likely and could be costly.


This article was written by Lucy Tyson, Brittney E. Justice and Matthew G. Nielson of Bracewell law firm.