It’s a great time to be a privacy attorney. On October 17, 2022, the California Privacy Protection Agency (CPPA) released the next draft of the regulations under the California Privacy Rights Act of 2020 (CPRA) as well as a document explaining the proposed modifications. Two days of public hearings were recently held on October 21-22, 2022. Given the rather extensive proposed changes, it seems unlikely that these will be the final regulations. The current draft of the regulations is 72 pages long. Most of the CPRA provisions become effective as of January 1, 2023. While CPRA enforcement does not begin until July 1, 2023, and then on a prospective basis, there is enough of a difference between the California Consumer Privacy Act of 2018, as amended (CCPA) and the CPRA (which amends the CCPA) to warrant the review of current processes, operations, and policies. In addition, the 30-day cure period available under the CCPA disappears under the CPRA. In short, there is some work to do, collectively. In the meantime, and until June 30, 2023, the CCPA (including the existing regulations) is still enforceable. Deep breath.
That Was Then
When I co-taught Comparative Privacy Law at a San Francisco Bay Area law school in Spring 2020, the landscape seemed much simpler. On the European side, we had the General Data Protection Regulation (GDPR), some opinions (guidance) from the European Data Protection Board (EPDB) and many more from its predecessor, the Article 29 Working Party, and an ocean of case law. The Weltimmo decision (C-230/14) was and remains one of my favorites. Not only does it shed light on the concept of an establishment in a given country (Hungary), but it also teaches readers that many problems can be avoided by simply being responsive to, and not upsetting, customers. On the US side, in terms of general state privacy laws during that time period, it was the CCPA.
This is Now
When I co-taught the course in Spring 2022, I focused on the US side and in particular the CCPA, CPRA, the Virginia Consumer Data Protection Act (VCDPA), and the Colorado Privacy Act (CPA). Each state in the union has its own data breach notification law. We touched on these generally. We reviewed FTC settlements. We touched on federal privacy laws, which are predominantly sectoral. On March 24, 2022, the Utah Consumer Privacy Act (UCPA) was signed, our nation’s fourth general state privacy law. As an instructor, I could not resist presenting this new law to my students, whose heads were likely still spinning from the other privacy laws that I was teaching. To my credit, I had the good sense to not include the UCPA on the final exam, which featured, of course, consumers in California, Colorado, and Virginia. Public Act No. 22-15, entitled An Act Concerning Personal Data Privacy and Online Monitoring (CTDPA), was signed by the governor of Connecticut on May 10, 2022. Luckily for my students, the semester was over, and a future cohort of students would need to show proficiency in understanding the metes and bounds of this new law.
Is a comprehensive federal privacy law in sight? Maybe. H.R. 8152 (American Data Privacy and Protection Act or ADPPA) was introduced on June 21, 2022, referred to the House Committee on Energy and Commerce, and voted to be advanced to the full House of Representatives on a 53-2 basis. Since then, it appears to have stalled. In the current draft, the CPPA would have the authority to enforce the ADPPA. Further, Section 1798.150 of the CPRA (private right of action for data breaches) would not be preempted.
In the meantime, the VCDPA becomes effective on January 1, 2023, the CPA and CTDPA become effective on July 1, 2023, and the UCPA becomes effective on December 31, 2023. Holistically, and structurally, there are quite a few similarities between the VCDPA, CPA, UCPA, and CTDPA, with the VCDPA as the progenitor, although one should be careful not to assume that if one complies with one, one will comply with the others. For example, all four use GDPR concepts and terms like data controller (equivalent to a business under the CCPA/CPRA), data processor (equivalent to a service provider under the CCPA/CPRA), and so on. As intimated, important differences exist among these. For example, the UCPA applies to controllers and processors with at least $25 million in annual revenue and that either (a) control or process the personal data of at least 100,000 consumers or (b) derive over 50% of their revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers. In contrast, VCDPA applies the second part of the test, but not the first; there is no $25 million annual revenue threshold. Further, while both the VCDPA and the UCPA define sensitive personal data (SPD), UCPA requires notice and the right to opt out, while VCDPA requires consent. VCDPA requires a data protection assessment for high-risk processing. UCPA does not. The VCDPA gives the consumer the right to correct inaccuracies. The UCPA does not. Notably, it was not until the CPRA that California consumers were given this right. Both are unfunded, initially, with funding to come from enforcement actions. Under the UCPA, once the balance in the “Consumer Privacy Account” exceeds $4 million, the balance is transferred to the general fund. Neither has a private right of action, with enforcement authority vested solely in each state’s Attorney General.
What to do?
Detailed charts (and re-reading each a few times) help. More helpful, however, would be to view these laws holistically, preferably in the context of a comprehensive privacy compliance program. Certainly, companies having to comply with the GDPR were better positioned to comply with the CCPA, and companies having to comply with the CCPA will be better positioned to comply with the CPRA and the VCDPA, CPA, CTDPA, and UCPA. Each subsequent compliance project becomes a gap analysis followed by an implementation phase. To that end, the focus should be on compliance building blocks, generally required or helpful for compliance with any modern data privacy law. These include records of processing activities (ROPAs), procedures for managing data subject requests (DSRs), procedures for managing data incidents, data processing agreements with suppliers, a process to vet suppliers for information security robustness and issues, a process to conduct data privacy impact assessments (DPIAs), internal policies, external notices, training, and so on. Once the basic processes and documents are in place, then adjustments happen, in accordance with a crisp project plan covering objectives and detailing individual tasks to accomplish these. The process is iterative, and, theoretically, less painful for each new general privacy law, until there is a comprehensive general federal privacy law, of course. Good luck!