Lawyer Monthly - August 2021 Edition

37 AUG 2021 | WWW.LAWYER-MONTHLY.COM

THE STATE OF THE STATES’ CONSUMER PRIVACY LAWS

Act (COPPA) concerning children’s online privacy; and the 1999 Gramm-Leach-Bliley Act (GLBA) governing personal information as used by financial institutions. To date, however, there is no comprehensive federal data privacy or protection law.

The European Union (EU) led the world in 2018 with its General Data Protection Regulation 2016/679 (“GDPR”), setting up a legal privacy framework for all 27 EU nations and the countries of the European Economic Area (“EEA”). GDPR is now being modelled by some US States, such as California, Colorado and, to a lesser degree, Virginia: the first three US States to enact comprehensive personal data protection legislation. This article is meant to describe these laws’ statutory constructs in broad terms and to examine the differences, commonalities and protection gaps these laws create for US consumers, and the confusion they place on business compliance efforts.

Jurisdictional Thresholds

The enacted States’ data privacy and protection laws (CA, CO, VA) all set a two-tiered jurisdictional threshold model for assessing the applicability of these laws. In the first instance, the laws apply to all businesses that collect, process, or store personal information of each State’s residents. eCommerce has transformed consumer data into a core asset of all enterprises, big, small or in between. Obviously, this standard makes such laws’ applicability very broad.

However, to lessen the burdens on small business, the laws become more tailored and set screening mechanisms by judging enterprises by annual worldwide gross revenues ($25 million in CA, no revenue thresholds in CO or VA); or by volume of personal information (50,000 records in CA (as counted by residential consumers, households, or devices) and 100,000 records in CO and VA); or by a percentage of worldwide annual revenue derived from selling residents’ personal information (50% in CA, at least 25,000 records for CO residents, and 50% in VA involving at least 25,000 VA residents).

Exclusions or Exceptions

Generally, these States’ consumer privacy laws grant exclusions for personal data already protected by HIPAA, HITECH, GLBA, etc., and exempt certain categories of personal information such as public records and aggregated or deidentified personal data.

Key Definitions

The enacted US States’ data protection laws all include key definitions and assign meanings to the backbone words and terms of consumer data protection legislation. These always include: “Consumer”, being the residents of the enacting State; “Covered Entity”, or a similar scoping term that sets the thresholds for the law’s reach; “Personal Data” or sometimes “Personal Information”, which is generally described as information that is linked or reasonably linkable to an identified individual; and “Sensitive Personal Information”, which adds special protections for categories of personal information such as biometric and genetic data, racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual orientation and, sometimes, citizenship status. Each definitional difference matters because enterprises seeking to comply must first know each consumer’s home State and then also assess whether the data they hold falls within such definitions.

Consumer Rights and Request Response

These laws give their residents certain rights to control their personal information, including:
• Right of Access or Right to Know
• Right to Correction
• Right to Deletion
• Right to Data Portability
• Right to Opt-Out of Sale
• Right to Opt-Out of Targeted Advertising
• Beginning January, 2023 in CA, and July, 2023 in CO, and VA
