What Are State Consumer Data Privacy Laws and What Do You Need to Know as a Business Owner?

It doesn’t matter where you operate: these state consumer data privacy regulations apply to your business if your customers reside in any one of the states discussed in this article.

10-minute read. This article gives a high-level overview of the five state data privacy laws as they stand today and action items for business owners to stay compliant.

To protect consumer privacy, California, among other U.S. states and the European Union, has introduced legislation that defines how companies can gather, use, store, and manage customer data. It doesn’t matter where you operate: these regulations apply to your business if your customers reside in any one of the states discussed below. If you fail to comply with these privacy laws, you may face expensive financial penalties and possible damage to your brand reputation. But there are solutions that simplify compliance.

In this article, we provide information that can help business owners successfully navigate this complex topic:

  1. California Privacy Rights Act
  2. Colorado Privacy Act
  3. Connecticut Data Privacy Act
  4. Virginia Consumer Data Protection Act
  5. Utah Consumer Privacy Act
  6. Challenge of handling consumer requests
  7. Penalties of failing to comply
  8. Solutions for satisfying consumer data privacy laws

Protecting Consumer Privacy

Data privacy legislation defines the rights that consumers, also known as data subjects, have to review, access, delete, manage, and update their data. Five states have passed consumer data privacy legislation, and another six (Massachusetts, Michigan, New Jersey, North Carolina, Ohio, and Pennsylvania) are actively considering legislation. Current state legislation includes the following:

US State Privacy Legislation Tracker

California Privacy Rights Act

The California Privacy Rights Act (CPRA), taking effect in January 2023, expands the California Consumer Privacy Act (CCPA) of 2020. Under CPRA, consumers, as well as employees and business contacts, have the right to:

  1. Be informed about the personal data held by a company
  2. Access their personal data
  3. Delete their personal data
  4. Correct their personal data
  5. Opt-out of the sale and sharing of personal data
  6. Limit the disclosure of sensitive data

The CPRA applies to firms that:

  • Make more than $25 million in annual gross revenue in any state.
  • Hold data for more than 100,000 consumers, households, or devices.
  • Earn at least half their yearly income from selling or exchanging personal information about customers.

Colorado Privacy Act

Companies that do business in Colorado have until July 1, 2023 to comply with the Colorado Privacy Act (CPA). The CPA imposes obligations on companies to protect the privacy of consumers’ personal data, defined as information that is linked or reasonably linkable to an identified or identifiable individual. Similar to the CPRA, the CPA grants consumers five key privacy rights, including the right to:

  1. Opt out of any processing for purposes of targeted advertising, sale to third parties, or profiling
  2. Access personal data
  3. Correct personal data inaccuracies
  4. Request that businesses delete their personal data
  5. Obtain a portable copy of their personal data.

The CPA applies to any legal entity that conducts business in Colorado or produces or delivers “commercial products or services that are intentionally targeted to the residents of Colorado,” and that satisfies one or both of the following thresholds:

  • Controls or processes the personal data of 100,000 or more Colorado residents in a year, or
  • Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 or more consumers.

Unlike the CPRA, the Colorado statute does not impose a revenue threshold, so the CPA may apply to smaller, regional businesses.

Connecticut Data Privacy Act

The Connecticut Data Privacy Act employs the same general framework as privacy laws in Virginia and Colorado. Similar to the CPA, the Connecticut Data Privacy Act (CDPA) takes effect on July 1, 2023. The law explicitly excludes individuals “acting in a commercial or employment context” from protection.

The law defines a “consumer” as a Connecticut resident, providing them with rights similar to those enumerated in the CPRA and CPA, including the right to:

  1. Access their personal data
  2. Correct their personal data
  3. Delete their personal data
  4. Data portability
  5. Opt out of the processing of the personal data for the purposes of targeted advertising, the sale of personal data, or profiling.

The CDPA applies to entities that conduct business in Connecticut or provide products or services to Connecticut residents and that during the preceding calendar year, either:

  • Controlled or processed the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing payment transactions or
  • Controlled or processed the personal data of at least 25,000 consumers and derived over 25 percent of their gross revenue from the sale of personal data.

Virginia Consumer Data Protection Act

Passed on March 2, 2021, the Virginia Consumer Data Protection Act (VCDPA) applies to entities that conduct business in Virginia or provide products or services that target Virginia residents and that either:

  • Control or process the personal data of at least 100,000 consumers during a calendar year, or
  • Control or process the personal data of at least 25,000 consumers and derive at least 50% of their gross revenue from the sale of personal data.

The law defines a consumer as "a natural person who is a resident of the Commonwealth acting only in an individual or household context." It explicitly omits persons who are "acting in a commercial or employment context." The VCDPA provides consumers with six rights, including the right to:

  1. Access, confirming if a controller is processing the consumer's personal data.
  2. Correct inaccuracies in personal data.
  3. Delete personal data provided by or obtained about the consumer.
  4. Obtain a copy of the consumer's personal data.
  5. Opt out of the processing of personal data.
  6. Appeal a business's denial to act within a reasonable time.

The law mandates that a business that receives an authenticated request must comply, irrespective of the hardships or impracticable nature of the request language.

Utah Consumer Privacy Act

Taking effect on December 31, 2023, the Utah Consumer Privacy Act (UCPA) provides consumers with broad protection and rights concerning the collection, use, processing, sharing, and sale of their personal information. Businesses that fail to comply with the UCPA may be subject to significant fines and penalties.

The UCPA applies to controllers or processors that:

  • Do business in Utah or provide a product or service to Utah residents,
  • Have annual revenue of $25 million or more, and either:
    • Control or process personal data of 100,000 or more consumers during a calendar year, or
    • Derive over 50 percent of the entity’s gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.

The UCPA grants consumers the right to:

  1. Confirm whether a controller is processing the consumer's personal data.
  2. Access the consumer’s personal data.
  3. Delete the personal data that was provided to the controller.
  4. Obtain a portable copy of the personal data.
  5. Opt out of the processing of the consumer's personal data for purposes of targeted advertising or the sale of personal data.

The Challenge of Handling Consumer Requests

To comply with state data privacy laws like the CPRA, businesses will have to manage and track consumers’ requests to opt out, review, access, delete, and obtain their data.

Companies that share personal data for contextual advertising will likely see a doubling of the number of data subject requests (DSRs) because of the CPRA and other state laws. These requests will increase the cost of ensuring consumer privacy for organizations. Consumer opt-outs, also known as “do not sell” (DNS) requests, nearly doubled between 2020 and 2021. In 2021, 63 percent of all data requests received were DNS requests.

Companies that share personal data for advertising purposes will likely experience an increase in the number of privacy requests they receive. Gartner estimates that processing a single request costs $1,500. Some estimates project that DNS requests could cost a company over $200,000 per year. The cost of processing DSRs jumped from $192,000 per one million identities to roughly $400,000 per one million identities between 2020 and 2021. Businesses, especially those that rely on targeted ads, will need to determine how the law applies to them, and they’ll need even tighter control and insight into their data processes.

Failing to Comply with State Data Privacy Laws

In a business world heavily influenced by social media, reputation and brand are everything. Beyond potentially damaging their brand reputation, businesses that fail to comply with state privacy laws risk incurring financial penalties.

In California, a business may face the following penalties if it fails to protect consumers’ rights to data privacy:

  1. $2,500 per violation.
  2. $7,500 per intentional violation.
  3. $100 to $750 in damages in civil court.
  4. $7,500 fine if a minor’s privacy rights are violated.

Under the Connecticut Unfair Trade Practices Act (CUTPA), a violation of the law is considered an unfair trade practice, with civil penalties of up to $5,000 per willful violation. The attorney general may also seek to impose equitable remedies pursuant to the CUTPA, including restitution, disgorgement, and injunctive relief.

In Virginia, the attorney general’s office can fine businesses up to $7,500 per violation.

In Utah, the Office of the Attorney General can recover actual damages to the consumer in an amount not to exceed $7,500 per violation.

Satisfying Consumer Data Privacy Laws

To cost-effectively ensure they are complying with privacy regulations, business owners and leaders need a system for tracking consumer requests to opt out, review, access, delete, and obtain their data. Without an accurate system for tracking the status of each request, business owners risk costly penalties and damage to their reputations.

To strengthen and enhance customer loyalty, PrivacyCare offers a system that features:

  1. Customizable data-subject-request (DSR) forms that consumers can use to initiate their data request.
  2. Consumer authentication.
  3. A flexible record-keeping system that can support any DSR process, helping businesses comply with multi-state data privacy laws.
  4. A database of the DSRs and their status.
  5. A cost-effective solution that avoids unnecessary upgrades involving data analytics, data management, and data security functions.
  6. A SaaS platform that eliminates the need for businesses to purchase and manage hardware or software.
  7. Up-to-date coverage of the latest changes to data privacy laws across the U.S.

For help with your data privacy compliance challenges, get started for free with PrivacyCare.
