Rights And Obligations: New Consumer Privacy Laws Impact Businesses
The passing of consumer privacy laws by state legislatures, which establish new consumer privacy rights and new business obligations for companies in the United States, will be a major focus for the foreseeable future. No segment of the consumer facing economy will be able to ignore the fundamental shift occurring in the United States concerning the regulation of consumers’ personal data and the newly created rights such regulations will afford the consumer. Finally, these regulations will impose significant obligations upon the business that may require additional investment in people, processes, or technologies to maintain compliance, including an increased level of engagement and oversight over the management of a consumer’s personal information.
The self-storage industry, among many others, will need to prepare for these changes and consider how to re-structure their day-to-day operations and consumer engagement strategies to include marketing, communication, and contracting practices to comply with the coming changes in the law. The way in which consumer information is collected, used, and managed will be transformative, and a failure to pivot considering this change could have disastrous consequences from a legal and economic perspective for businesses that can’t adapt or ignore this fundamental shift.
U.S Privacy Legislation
As of October 2022, five states (California, Colorado, Connecticut, Virginia, and Utah) have privacy legislation signed into law. There are active bills moving through the various committees in their respective legislative chambers of origin pending in Michigan, New Jersey, Ohio, and Pennsylvania. Twenty-three other states have bills that are currently inactive but were introduced during one or more legislative sessions in the last year. A common thread among all proposed bills is the blending of consumer rights along with specific obligations on the part of the businesses to accommodate these consumer rights. Additionally, each piece of legislation includes enforcement powers and exposure to civil penalties and, in some cases where a private right of action exists, civil litigation and an award of potential damages.
The below is intended to provide a short background primer for businesses and to share the general definitions of these consumer rights and business obligations contained in a majority of the proposed legislation across the country. In addition, for each of these new rights and business obligations, this article examines the likely impact on business operations and provides context to enable discussion and internal decision-making in consideration of this paradigmatic shift in consumer engagement and compliance obligation on the part of affected businesses. Of course, one must review the language of the individual laws for the nuances and specific requirements, penalties, and enforcement mechanisms contained in the statute. This provides an introductory overview and some basic concepts to encourage business to carefully consider how to approach the existing and pending legislation. The article concludes with a brief overview and timeline of privacy legislation coming into effect in 2023 in California, Colorado, Connecticut, Virginia, and Utah.
General Overview of Consumer Rights
Right of access – The right of access is the right of a consumer to access from a business the information or categories of information collected about a consumer, the information or categories of information shared with third parties, or the specific third parties or categories of third parties to which the information was shared, or some combination of similar information. This right of access enables a consumer to have access to any information collected by the business or shared with a third party.
The granting of such rights to consumer will require a business to quickly identify what categories of consumer data have been collected and with whom such data has been shared. Some legislation provides a timeframe by which a business must respond to any such request or allow an extension of time for the business to provide such data depending on the complexity of the consumer request. This means a business will need to have carefully mapped each step of data collection and storage within its operation to later be able to identify where such data resides within the business to sufficiently answer an access request. Moreover, a business will be required to maintain full transparency with respect to data that is shared or transferred to a third party. The right of access implicates every business partner in the data supply chain, including third-party vendors in some cases. Failure to fully account for each element of the data supply chain could make it impossible for a business to comply with a consumer’s right to access their data from a third party. Failure to negotiate such rights on the part of the supplying business under the governing contract between a business and its third-party vendor could also complicate a business’ ability to provide consumers with a right to access under any applicable law.
Right of rectification – The right of rectification is the right for a consumer to request that incorrect or outdated personal information be corrected but not deleted. The ability of a business to comply with a request for data rectification requires an equally robust “internal data identification protocol.” A business will have to quickly identify the requesting party and make corrections to any incorrect data upon request. The right of rectification creates a de facto data management obligation on the part of the business that previously has not been codified into law. By providing a right of rectification to the consumer, the law has imposed a “sanitization” requirement on the information retained by businesses on their consumers. The requirement ensures that consumers are properly identified within a business’ database. The overall impact of the imposition of such a requirement is to ensure that records are up to date and retained in a manner that cannot lead to misidentification or data compromise occurring as a result of “bad” data.
Right of deletion – The right of deletion is the right for a consumer to request deletion of personal information about the consumer under certain conditions. Certain conditions may include the ability of a business to verify identification through an authentication process of the consumer prior to enabling deletion. This right typically may not be contingent on requiring a consumer to create a new account or signing up for new services. The operational impact may include additional resources to ensure an authentication process is adopted to correctly validate deletion requests. Additionally, a business would need to ensure any such deletion could be reflected throughout the enterprise, so information is truly deleted, and residual data is not maintained inadvertently due to incomplete deletion within a business’ data infrastructure.
Right of restriction/Right to opt-out of sales – The right of restriction is the right for a consumer to restrict a business’ ability to process personal information about the consumer. The right to opt-out of sales is the right for a consumer to opt out of the sale of personal information about the consumer to third parties. The right against automated decision-making is the right to impose a restriction against a business making unauthorized decisions about a consumer based solely on an automated process without human input. For example, a consumer may notify a business by explicitly “opting out” of such inclusion that it does not wish to participate in targeted web advertising or the sale of the consumer’s personal information to third parties. The ability of a consumer to narrow or outright restrict the way in which a business may use the consumer’s personal information will require businesses in certain cases to tailor data handling to accommodate such opt-outs. This could involve creating mechanisms to segregate data to accommodate variable use cases. For example, website cookies that enable targeted advertisements to be served to consumers who visit a business website would need to be adjusted to accommodate for such consumer choices. Moreover, businesses that seek to sell consumer information would be required to remove individual consumers that choose to opt out of the sale process. As a result, a business would need well-developed internal data control mechanisms to ensure any such data was properly excluded from sale. The need to segregate data populations to accommodate mandated opt-out rights on the part of consumers has not been widely adopted to date, and businesses will need to evaluate how to best honor such requests and ensure that their business operations are equipped to comply with such requests while maintaining operations.
Right of portability – The right of portability is the right for a consumer to request personal information about the consumer be disclosed in a common file format. This right would allow a consumer to obtain from a business all of the information the business currently retains on the individual consumer. More importantly, the right requires a business to produce the data in an electronic format that would allow the information to be accessible and readily available for the consumer to use or technically transmit to another business of the consumer’s choosing without hinderance. This right in some cases is restricted to a limited number of requests during any calendar year.
Proposed Business Obligations
Opt-in default (requirement age) – The Opt-in default age requirement is a restriction placed on a business to treat consumers under a certain age with an opt-in default for the sale of their personal information. This age limitation varies under proposed legislation from the age of 16 to 13. For businesses collecting data from individuals under the age of 16 or targeting a demographic consisting of individuals within this age range, a reconsideration of the current business model may require review, examination, and potential modification if restrictions on such data would have a material adverse effect on the operation or profitability. Moreover, a business maybe required to review and update notice requirements and consent mechanism to ensure individuals within any proposed age limit are aware of and can successfully exercise their rights.
Notice/transparency requirement – This is an obligation placed on a business to provide notice to consumers about certain data practices, privacy operations, and/or privacy programs. New transparency requirements and consumer rights will require businesses to update the current version of their privacy policies. Moreover, for businesses utilizing webpage tracking devices such as cookies to track consumer website behavior and serve marketing advertisements, new disclosures will be required in order to comply with notice and transparency requirements. Finally, businesses will want to update consumer consent mechanisms to ensure such privacy notices, in cases where consent is sought or required, are properly provided in a demonstrable format to prove notice was given to the consumer or consent was provided by the consumer. Business may require revised consumer facing language at the point of data collection and at the point of a consumer’s unique webpage visit to ensure such notice and transparency requirements are met.
Risk assessments – This is an obligation placed on a business to conduct formal risk assessments of privacy and/or security projects or procedures. For example, under Colorado’s law, The Colorado Privacy Act, which is set to be effective July 1, 2023, requires a business owner that processes personal data of the consumer that presents a “high risk of harm” to conduct and document a data protection assessment of each of its processing activities that involve data acquired on or after July 1, 2023. Processing that presents a heightened risk of harm includes: (a) processing personal data for the purposes of targeted advertising or profiling if the profiling raises a reasonably foreseeable risk of (i) unfair or deceptive treatment of or unlawful disparate impact on consumers; (ii) financial or physical injury to consumers; (iii) physical or other intrusion upon the solitude or seclusion or the private affairs or concerns or consumers if the intrusion would be offensive to a reasonable person; or (iv) any other substantial injury to consumers (b) selling personal data and (c) processing sensitive data. The results of the risk assessment are to be made available to the Colorado Attorney General upon request and may be evaluated for compliance purposes. Note: Under Colorado law, the request does not waive the attorney client privilege or work product protection that may exist with respect to the assessment. For this reason, businesses should consider conducting such risk assessments under the attorney client privilege.
Prohibition on discrimination (exercising rights) – This right includes a prohibition against a business treating a consumer who exercises a consumer right differently than a consumer who does not exercise a right. For example, requiring a consumer to obtain a new service or penalizing a consumer for exercising such rights would be prohibited. The prohibition against disparate treatment is intended to avoid a business setting up artificial barriers that would discourage the exercise of privacy rights.
Purpose/processing limitation – This right prohibits the collection and processing of personal information except for a specific purpose. The effect is to restrict mass data collection for which there is no specific or designated purposes. The operational impact for businesses will be to ensure they can adequately account for and explain the scope of data collection and a corresponding purpose underpinning such data collection. This would require a business to develop a clear and comprehensive data management program for purposes of explaining the use of various elements of personal data collection and demonstrating, if required, the defensibility of such a program when it comes to the purpose of personal data collected from consumers.
The California Consumer Privacy Act passed in 2018 and became effective Jan. 1, 2020. Proposition 24 was a ballot initiative that became the California Privacy Rights Act of 2020, which will be operative in Jan. 1, 2023, and will expand California’s existing privacy legislation to incorporate a right of access, rectification, deletion, restriction of sensitive data, data portability, right to opt out of sales, right against automated decision-making, and a privacy right of action for certain violations. Business obligations will include an opt-in default requirement for data collection for children under the age of 16, notice and transparency requirements, a risk assessment, prohibitions on discrimination for exercising rights, and a purpose and processing limitation. Any business, service provider, contractor, or other person who violates California Privacy Rights Act shall be subject to an injunction and liable for a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation and each violation involving the personal information of minor consumers, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General. The court may consider the good faith cooperation of the business, service provider, contractor, or other person in determining the amount of the civil penalty.
The Colorado legislation is referred to as the Colorado Privacy Act. It is effective July 1, 2023. The privacy legislation incorporates a right of access, rectification, deletion, restriction of personal data, data portability, right to opt out of sales, and right against automated decision-making. Business obligations will include an opt-in default requirement for data collection for children under the age of 13, notice and transparency requirements, a risk assessment, prohibitions on discrimination for exercising rights, and a purpose and processing limitation. The attorney general and district attorneys have authority to enforce this legislation and may bring a civil action against the business in the name of the State of Colorado imposed financial penalties to compensate victims or to make whole as a result of business having committed an unfair or deceptive trade practice by violation of the Colorado Privacy Act.
The Connecticut legislation is referred to as the Connecticut Data Privacy Act. It is effective July 1, 2023. The legislation incorporates a right of access, rectification, deletion, restriction of personal data, data portability, right to opt out of sales, and a right against automated decision-making. Business obligations will include an opt-in default requirement for data collection for children under the age of 16, notice and transparency requirements, a risk assessment, prohibitions on discrimination for exercising rights, and a purpose and processing limitation. Under the act, and with certain exceptions, the attorney general has exclusive authority to enforce the act’s provisions. The act establishes a grace period, Dec. 31, 2024, during which the attorney general must give violators an opportunity to cure any violations. Beginning Jan. 1, 2025, the act gives the attorney general discretion over whether to provide an opportunity to correct an alleged violation. The act specifies that none of its provisions should be construed as providing the basis for, or be subject to, a private right of action for violations under the act or any other law. Under the act, any violation of the act’s requirements is a CUTPA violation and is enforced solely by the attorney general, but CUTPA’s private right of action and class action provisions do not apply to the violation.
The Virginia legislation is referred to as the Virginia Consumer Data Privacy Act. It is effective Jan. 1, 2023. The legislation incorporates a right of access, rectification, deletion, restriction of personal data, data portability, right to opt out of sales, and a right against automated decision-making. Business obligations will include an opt-in default requirement for data collection for children under the age of 13, notice and transparency requirements, a risk assessment, prohibitions on discrimination for exercising rights, and a purpose and processing limitation. The attorney general shall have exclusive authority to enforce the provisions of this law. Prior to initiating any action under the law, the attorney general shall provide 30 days’ written notice identifying the specific provisions of this law the attorney general alleges have been or are being violated. If within the 30-day period the violation is cured and the business provides the attorney general an express written statement that the alleged violations have been cured and that no further violations shall occur, no action shall be initiated. A continued violation following the cure period, or if a business breaches an express written statement provided to the attorney general, the attorney general may initiate an action in the name of the Commonwealth and may seek an injunction to restrain any violations of this chapter and civil penalties of up to $7,500 for each violation under this chapter. All civil penalties, expenses, and attorney fees collected pursuant to this chapter shall be paid into the state treasury and credited to the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund. The attorney general may recover reasonable expenses incurred in investigating and preparing the case, including attorney fees, in any action initiated under the law.
The Utah legislation is referred to as the Utah Consumer Privacy Act. It is effective Dec. 31, 2023. The Utah legislation contains a right of access, right of deletion, right to restriction of personal data, the right to portability, and the right to opt out of sales. Business obligations will include an opt-in default requirement for data collection for children under the age of 13, notice and transparency requirements, and prohibitions on discrimination for exercising rights. The attorney general shall have exclusive authority to enforce the provisions of this law. Prior to initiating any action under the law, the attorney general shall provide 30 days’ written notice identifying the specific provisions of this law the attorney general alleges have been or are being violated. If within the 30-day period the violation is cured and the business provides the attorney general an express written statement that the alleged violations have been cured and that no further violations shall occur, no action shall be initiated. A continued violation following the cure period, or if a business breaches an express written statement provided to the attorney general, the attorney general may initiate an action in the name of the Commonwealth and may seek an injunction to restrain any violations of this chapter and civil penalties of up to $7,500 for each violation under this chapter. All civil penalties, expenses, and attorney fees collected pursuant to this chapter shall be paid into a Consumer Privacy Account established under Utah law.
David Katz serves as counselor and advisor to the C-Suite and general counsel for both public and private companies. He previously served as senior legal counsel in the corporate law department advising a Fortune 1,000 publicly traded company in Atlanta, as a Baltimore City prosecutor, and as a judge advocate in the United States Army Reserve. He speaks and writes on matters relating to technology, privacy, and data security