Starting in 2023, several new privacy laws go into effect in California, Virginia, Colorado, Connecticut, and Utah. These laws apply not only to businesses based in those states but to any business that meets certain thresholds and collects, stores, or processes personal information from any residents in those states. Penalties for non-compliance with these laws can be steep.
California, which already has the most comprehensive privacy laws in the United States, has passed a new law, the California Privacy Rights Act (“CPRA”), which amends the existing California Consumer Privacy Act. Some of the material changes made by the CPRA include:
- The creation of a new category of “sensitive personal information” that carries with it additional obligations for the business
- A requirement that a business allow consumers to opt out of the “sharing” of personal information for cross-contextual marketing purposes
- A change to what constitutes a “business purpose” in relation to advertising
- The specific application of the CPRA to personal information a business obtains about its employees and independent contractors as well as B2B information
- The addition of new consumer rights to correct inaccurate information, opt out of the sharing (as well as the sale) of personal information for certain purposes, and restrict the processing of sensitive personal information
- A requirement that a business identify and disclose the retention period of personal information that it collects
- A requirement that a business delete personal information after its retention is no longer necessary for the purposes discussed at the time of collection
- Additional terms that must be included in every service provider agreement
The new laws in Virginia, Colorado, Connecticut, and Utah, while not as robust as the CPRA, provide for similar consumer protections. In addition, all four of those states provide consumers the right to opt out not only of cross-contextual advertising (as included in the CPRA) but also of targeted advertising. These four states also provide consumers with the right to opt out of the use of their personal data for certain profiling purposes.
It is important for any business that collects personal data to ascertain whether it meets the thresholds that would mandate compliance with these new laws and then to ensure such compliance from both a legal and a technical standpoint. In addition, these laws apply not only to ecommerce businesses but to any business that collects personal information, even if only by having a “contact us” link on a website and collecting emails. The laws also apply to any personal information collected off-line.
Please contact the Olshan attorney with whom you regularly work or the attorney listed below if you would like to discuss further or have questions with respect to this matter.
Mary L. Grieco
Olshan Frome Wolosky LLP
+1 212 451 2389