The last time we talked in-depth about U.S. data privacy regulations was this past June, about a month before Colorado signed its own data privacy act into law. Passage of the Colorado Privacy Act brings the number of state laws governing how businesses can collect and use consumers’ personal information to four. OK, so, four laws, four states, right? No. There are four laws pharma marketers need to keep in mind but only three states in play — California, Colorado, and Virginia.
Before we break down the biggest takeaways and offer tips on moving toward compliance, it’s important to note that while there are many overlapping areas within each state law, there are also differences – some of which are not included in this post. Please consult with your legal team to ensure your brand is fully compliant if it markets to consumers in any of the states discussed below. OK, let’s get up to speed.
Four Laws, Three States … Wait, What?
The California Consumer Privacy Act (CCPA) was signed into law in June 2018; it went into effect in January 2020. The California Privacy Rights Act (CPRA) was a ballot measure approved by California voters in November 2020. It amends and expands the CCPA and will go into full effect on January 1, 2023. In March of this year, Virginia passed its own privacy law, the Virginia Consumer Data Protection Act, or the CDPA — it also goes into effect January 1, 2023. Finally, on July 7, 2021, Colorado joined the privacy protection arena with its Colorado Privacy Act; the CPA goes into effect on July 1, 2023.
Each state law provides consumers with rights regarding the collection, storage, and sale of their personal data.
| Consumer right | Law(s) granting it |
|---|---|
| Know, access, and confirm | CDPA, CPA |
| Know and access | CCPA |
| Know if data is sold | CCPA |
| Right to delete | CDPA, CPA |
| Right to delete, subject to certain exceptions | CCPA, CPRA |
| Right to correct | CPRA, CDPA, CPA |
| Limit use & disclosure | CPRA |
| Data portability | CCPA, CPRA |
| Data portability up to 2x/year | CDPA, CPA |
| Opt out of sale | CCPA, CPRA, CDPA, CPA |
| Opt out of sharing for cross-context behavioral advertising | CPRA |
| Opt out of use of automated decision making | CPRA |
Thresholds for Applicability
The CCPA and CPRA apply to any company doing business in California that meets at least one of the following criteria:
- More than $25MM in gross annual revenue
- Buy, hold, sell, or share the personal information of 50K consumers, households, or devices
- Derive at least 50% of revenue from selling consumers’ personal information
The CPA applies to businesses that:
- Collect and store data on more than 100K individuals, or
- Derive revenue, or receive a discount on the price of goods or services, from the sale of personal data, and process or control the personal data of 25K or more consumers
The CDPA applies to companies that:
- Control or process the personal data of at least 100K consumers during a calendar year, or
- Control or process the personal data of at least 25K consumers and derive at least 50% of their gross revenue from the sale of personal data.
Penalties for Noncompliance
Each state has its own financial penalty, but there is some overlap. Both of California’s privacy protection laws — CCPA and CPRA — allow for a penalty of up to $2,500 per unintentional violation, but they get tougher on intentional violations, fining businesses up to $7,500 per violation when a business knowingly ignores the law or learns that it’s in violation and doesn’t bring itself into compliance. Virginia’s CDPA takes a tougher stance at the outset, with up to $7,500 for each violation, regardless of whether a business knows it’s noncompliant. Finally, Colorado’s CPA gives the state attorney general the right to fine businesses up to $20K per violation.
Obligations on the Part of Businesses
Businesses that collect, store, and/or sell their customers’ personal data are required to either display a privacy notice on their consumer-facing content or provide one when asked. Laws vary with respect to what’s called “time to cure,” i.e., the window allowed for remedying consumer requests. In California and Virginia, businesses have 30 days to cure; in Colorado, time to cure is 60 days.
More Laws on the Way
Experts agree that this is just the tip of the iceberg when it comes to laws like those discussed above. If you’ve been waiting to see how it all plays out, don’t. Our initial advice on California’s first privacy law still applies; first steps include:
- Consulting with your legal team to determine the applicability of each law (and whether any exemptions apply) and to develop a prioritized action-item list based on your organization’s biggest risks.
- Creating an inventory (also known as a data map) of your data and auditing your privacy practices to determine how your company (and your partners at agencies, clients, and vendors) collects, uses, discloses, sells, or shares personal information.
- Reviewing agreements with your partners, clients, and vendors to determine whether any provisions need to be added to address state requirements.
- Implementing the technology and process changes necessary to comply with the CCPA in terms of verifying and accommodating consumer requests and storing and managing data. And, after implementing the changes, testing them and proving them in action.
- Updating privacy policies and notices.
- Creating an internal training plan, if appropriate.
As concerns over data security and privacy grow, it’s likely that other states, regions, and nations will follow and create or expand their privacy protections. Intouch will continue to monitor this issue. This legislation is still a moving target: amendments are pending, and guidelines are yet to be released. However, many actions can and should be started immediately to prepare wisely for this and other privacy issues. Ensuring regulatory compliance is paramount in our industry on many fronts, from manufacturing to marketing — and data privacy is no different. Reach out to your Intouch team today to help make sure your brand is covered.