State Privacy Laws

Although a comprehensive federal privacy law being passed in 2022 is unlikely, individual states continue to push forward. And no, we are not just referring to California! Below you will find information regarding the states with privacy laws passed, details on who is required to comply with these laws, and insight into which states we are keeping an eye on in 2022.

States with privacy laws…and if they apply to YOUR BUSINESS.

California

The California Consumer Protection Act (CCPA) has been in effect since 2020, but due to the law’s amendment and near-constant media attention, many businesses located outside of the state (who are not purposefully targeting the California market) remain confused on whether or not the CCPA applies to them.

If your business falls into this category, answer the following questions to determine whether CCPA could apply to you:

  1. Does your company collect (or sell) personal information, such as names, email addresses, or phone numbers? If yes, move on to the next question.
  2. Does your company do business in California? More specifically, do you operate a website accessed and used by Californians? If yes, move on to the final question. If not, you are in the clear!
  3. Does your business meet one or more of the following criteria?
    • Annual gross revenue over $25 million, or,
    • Receive personal information of more than 50,000 California residents, households, or devices each year

Answer “yes” to these three questions? The CCPA likely applies to your business.

If you think the CCPA may apply to your business, give us a call. We would love to answer your questions and can assist in getting your company in tip-top shape.

As a note, California recently passed the California Privacy Rights Act (“CPRA”), which replaces the existing CCPA beginning in 2023. Requirements under the CPRA have not yet been published, but once they are, we will be at the ready!

Penalties for non-compliance range from $2,500 to $7,500 for actions brought by the State of California. Additionally, Consumer’s may file private lawsuits in which penalties range from $100 to $750 per violation or the cost of actual damages, whichever is higher.

Colorado

The Colorado Privacy Act (CPA) goes into effect in less than a year, on January 1, 2023, so now is the perfect time to ensure your business will be compliant.

The CPA applies to companies who conduct business in Colorado, including operating a website accessed and used by Coloradans, who also meet one of the following criteria:

  1. Do you collect, control or process personal data of over 100,000 Colorado residents each year? or,
  2. Do you collect, control, or process personal data of at least 25,000 consumers and derive revenue (or receive a discount on the price of goods or services) from the sale of personal data?

If you think the CPA is going to apply to your business, let us know and we can work with your company to ensure compliance into the New Year!

Fun Fact: Unlike the CCPA or the VCDPA, the Colorado law does apply to non-profit organizations.

Penalties for non-compliance range from $2,000 to $20,000 per violation, or between $10,000 to $50,000 per violation against an elderly person.

Virginia

The Virginia Consumer Data Protection Act (VCDPA) goes into effect in less than a year, on January 1, 2023. So as with the CPA, now is the perfect time to ensure your business will be compliant.

The VCDPA applies to companies who conduct business in Virginia, likely including operating a website accessed and used by Virginians, who also meet one of the following criteria:

  1. Do you collect, control, or process the personal data of over 100,000 Virginia residents a year? or,
  2. Do you derive over 50% of gross revenue from the sale of personal data and collect, control, or process the personal data of over 25,000 Virginia residents a year?

If you think the VCDPA applies to your business, give us a call. Compliance with this law includes requirements that vary from the CCPA and CPA, making it a little tricky for many businesses.

For example, the Virginia law has taken some pointers from the European Union’s General Data Protection Regulation (GDPR). So, if your business requires VCDPA compliance, you will soon be learning what a Data Processing Agreement is!

Penalties for non-compliance are up to $7,500 per violation.

States we are keeping an eye on in 2022…

The majority of states have privacy bills working their way through their respective state legislative bodies. However, the jurisdictions on our “watch list” each have bills introduced and legislative environments under which passage may be successful.

These states are Florida, New York, Ohio, Oklahoma, Oregon, and Washington.

Call us, beep us, if you want to reach us.

The Carney Badley Spellman Privacy Team is here to answer your questions and assist you with your privacy policy, data processing agreement, terms of use, and other relevant documents. In addition to state privacy laws, we specialize in federal and European Union privacy compliance. To reach us by phone, please call, (206) 622-8020.

Comments?