The (More) Current State of State Privacy Laws

This article was produced exclusively for Mailers Hub by Stacy O. Stitham & David Swetnam-Burland of Brann & Isaacson.
The firm is the Mailers Hub recommended legal counsel for mail producers on legal issues, including tax, privacy, consumer protection, intellectual property, vendor contracts, and employment matters.

In June 2021, we published an article advising our readers about three states that had enacted significant new consumer privacy laws at the time: Nevada, California, and Virginia.  We concluded our analysis with the following prediction:

While we have focused on the three states that have successfully enacted state privacy legislation – Nevada, California, and Virginia – a number of other states have considered or are considering such legislation – including New York, Florida, and Washington.  Absent federal legislation, the list of state privacy law appears destined to grow, possibly even before the January 1, 2023, start date of the newest California and new Virginia statutes.

Everyone – consumers, businesses, legislators, and regulators – is committed to consumer privacy. Yet the current situation, with a growing number of state privacy laws with different, confusing – possibly conflicting requirements – makes it difficult and expensive for businesses to know how to do the right thing.  Comprehensive federal legislation could create a clear national privacy standard; but the issue does not appear to be front-of-mind in Congress right now.  That makes it all the more vital to keep track of new laws coming online in January 2023 in California and Virginia – and very possibly other states as well.

While New York, Florida, and Washington have not (yet) joined the fray, our assumption that other relevant state laws would emerge by 2023 has indeed come to pass.  In this article, we provide a quick update on California as well as describe three recent additions; the Utah Consumer Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, and the Colorado Privacy Act.

California (1/1/2023)

Perhaps the most significant sea change on the horizon is that as on January 1, 2023; California’s privacy law will cover personal information gathered in business-to-business (B2B) relationships.  While most B2B relationships do not lead to the disclosure of much (if any) personal information, this change in the law will require at least some action by businesses covered by it.  Especially with so many people using personal smartphones and email addresses for business purposes, B2B businesses subject to California’s privacy law will need to consider: (1) what personal and sensitive personal information is collected on B2B contacts; (2) how to provide adequate notice of personal information gathered in B2B relationships; (3) how to honor requests to review, delete, or correct personal information, or to limit the use of sensitive personal information; and (4) how to make sure third-party agreements satisfy California requirements.  At a minimum, B2B sellers covered by the law will have to provide the required notice regarding what personal information they collect and why.

Utah (12/31/2023)

The first characteristic to note about Utah’s Consumer Privacy Act is that it may be limited in application.  First, it only applies to for-profit entities with annual revenues of at least $25 million.  Second, assuming that box is checked and a company is conducting business in Utah, that company must still annually control or process the personal data of 100,000 or more Utah residents (25,000 if over 50% of gross revenue is derived from the sale of personal data) to fall under the Utah law’s umbrella.  Other aspects generally make Utah’s law easier to implement than many of the states we have already looked at:

• There is no right for a consumer to appeal a denial of their attempt to exercise one or more consumer privacy rights.
• There is no risk/benefit data protection assessment requirement.  The right to deletion is limited only to data the consumer has provided to the data controller (the business), not to data that may otherwise be in the data controller’s possession.
• Utah follows California in requiring an opt-out for sensitive data processing, and not, as in Colorado or Virginia, instituting an opt-in requirement.
• Like Virginia, Utah limits the definition of “sale” to an exchange for monetary consideration – not the catch-all “other valuable” consideration that significantly expands this definition in other states.
• Finally, Utah’s law has the latest effective date of any we have looked at to date – ringing in the new year at the very end of 2023.  It is likely that the exercise of preparing for compliance with other state privacy laws will lay most of the groundwork for Utah’s statutory requirements.

Connecticut (7/1/2023) (and Colorado (7/1/2023)

Connecticut’s Data Privacy Act largely parallels the Colorado Privacy Act – that is its closest analogue.  While the Colorado Privacy Act was covered in our last webinar, it arrived on the scene a bit too late to be included in our prior article.

• Both laws apply to companies that “conduct business” in state and generally require either controlling or processing the personal data of 100,000 or more consumers (Connecticut expressly exempts data for the completion of a purchase transaction from this threshold), or, if revenue is received from the sale of data, a lower threshold of 25,000 (Connecticut requires that at least 25% of gross revenue must be from the sale of data for this lowered threshold to apply).
• Both laws cover data collected “concerning” or “obtained about” a consumer (not simply the pool of data collected from a consumer), although Connecticut has a carve-out for personal information lawfully made available through widely-distributed media.
• Both require a controller to set up an internal appeal process when a consumer’s attempt to exercise a privacy right is denied.  Each requires a data protection assessment for all processing activities that present a heightened risk of harm to consumers, such as for purposes of targeted advertising, selling data, or processing sensitive data.
• Opt-in consent is required for processing sensitive data or data concerning minors.  Connecticut extends that requirement to any children under the age of 16, whereas Colorado only requires parent consent for children under 13.  Both states contemplate that user-selected universal opt-out signals will be recognized in the future.
• Colorado and Connecticut increase the expected authority of data controllers over their processors (service providers), noting that controllers have the right to object to subcontractors (Colorado specifically permits “audits and inspections” by the controller as does Virginia; Connecticut somewhat more softly contemplates “assessments”).  As is now a ubiquitous feature of state consumer privacy laws, there must be an agreement between data controller and data processor, setting out instructions for processing, the purpose of such processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.  Increasingly, parties that share personal information in the context of a business relationship will have to scrutinize the contractual arrangements between them to ensure that any individuals handling the data will be subject to appropriate confidentiality requirements and that there is a clear understanding on all sides of respective duties regarding the data both during and after data processing.

Still to Come…

Colorado and California have rolled out draft privacy regulations to implement their statutes, with California now on its second version.  However, with both states still in the drafting stage, and Virginia, Utah, and Connecticut still to unveil their own privacy regulations, we can continue to expect additional guidance to be doled out well into 2023.  Nonetheless, and despite the state of flux, the California Attorney General’s office has been actively enforcing privacy rights through the California Consumer Privacy Act, the predecessor to the California Privacy Rights Act.  As such, this topic warrants a close eye and efforts to comply, even as what it means to comply continues to shift.

Brann & Isaacson is a boutique law firm that represents large and small online and multichannel companies, printers, commercial mail producers, and IT service providers located across the country.  The firm advises companies of all sizes, including many in the Internet Retailer’s Top 500 Guide.

The points of contact at Brann & Isaacson are: Martin I. Eisenstein, [email protected]; David Swetnam-Burland, [email protected]; Stacy O. Stitham, [email protected]; and Jamie Szal, [email protected].  They can also be reached by phone at (207) 786-3566.

Download the Mailers Hub Services BrochureLearn more about the solutions we have for you.

If you're on this page, it's likely because you have challenges to find solutions for or a question to answer. Fortunately, you've come to the right place. Click below to download our 2023 Services brochure to learn just how much we have to offer. Leave your name and email if you'd like us to stay in touch. 

First Name *

Last Name *

Email Address *

Company0 / 200

Submit Form

Please do not fill in this field.

Download Brochure

The brochure is a PDF that will open in a new browser window. Download, read, share, and let us know if you have questions.