Lawyer Monthly - August 2021 Edition
The State of the States’ Consumer Privacy Laws

These consumer rights require enterprises to set up one (CO and VA) or two (CA) methods for making consumer requests, and impose duties to respond to such requests and to implement processes to do so fairly, without charge or discrimination, and on a timely basis, which is usually 45 days at the most. Some States, such as Colorado, also require the business to have an internal appeal process for requests they refuse to process. Also, a consumer’s exercise of these rights cannot face obstacles such as added fees, new account creation, or discrimination in pricing or service in the future.

Data Duties

Countervailing consumers’ data rights are controllers’ and processors’ duties. Broadly speaking, these duties include:

• Duty of Transparency (Privacy Notice)
• Data Minimisation and Purpose Specification
• Duty of Notice and Provide Opt-Out Methods
• Duty of Care to Safeguard Personal Information
• Duty to Avoid Discrimination

Annual Reviews of Privacy Policies and Data Protection Assessments

In addition to having the means to respond to consumer requests, businesses controlling personal information must also give consumers an accessible, clear, and meaningful privacy notice that includes a laundry list of required disclosures, such as the categories of personal data collected or processed and by whom; the reasons these categories of personal data are processed; instructions on how consumers can exercise their data rights; the personal data that is shared, with whom, and why; and conspicuous notices about its “sale.”

On 1 January, 2023 (the effective date for CO, VA, and the California Privacy Rights Act (“CPRA”)), enterprises must conduct and document annual “data protection assessments” to measure whether their data processing activities create a “heightened risk of harm” to consumers.

Data Security

Each of CA, CO, and VA’s regulations imposes a reasonable data security requirement for enterprises to establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. In CA, under the CPRA, annual cybersecurity audits will also soon be required.

Enforcement

Without a private right of action (only available in California on a limited basis), these laws are to be enforced by each State’s Attorney General, who is statutorily empowered to write regulations and impose civil penalties. Said penalties are: $2,500 per violation ($7,500 for intentional or willful violations) in CA; $20,000 per violation in CO; and $7,500 per violation in VA.

The Future of Data Privacy Laws

As CA, CO, and VA’s consumer privacy laws illustrate, legislators view privacy as an individual fundamental right and an essential element of personal freedom worthy of protection. With over 15 other States considering similar legislative protections for their citizens, it is obvious that privacy laws will soon dominate business enterprise use of personal information. That said, the current US approach stands in stark contrast to GDPR, produces an expensive compliance matrix for all enterprises seeking to be good data stewards, creates an unlevel playing field for enterprises that can afford compliance and those that cannot, and differentiates between residents with fundamental privacy rights and those without them.

With 10 or more other States considering similar legislative protections for their citizens, it is obvious that privacy laws will soon dominate enterprise use of personal information.