March Proves an Exciting Month for Data Privacy
After the year led with the effective dates for the California Consumer Privacy Act and the Virginia Consumer Data Protection Act, the first quarter of 2023 has continued to bring a number of data privacy updates and developments to usher in the spring season. We expect to see ongoing developments as the year progresses, as more states come online with their data privacy regimes and, as of March 31, 2023, at least 18 bills are still active in various state legislative chambers.
Just last week, Iowa's governor approved Senate File 262, an Act relating to consumer data protection, making Iowa the sixth state to enter the growing patchwork of states that have implemented comprehensive data privacy legislation. The Iowa legislation will come into force January 1, 2025, giving businesses time to comply. Notably, however (and thankfully, for many), the law does not appear to introduce any new substantive obligations, as it follows the same general framework as Virginia, Colorado, Connecticut, and Utah with respect to its obligations.
Following the same standards as several of its predecessors, Iowa’s law is applicable to entities doing business in Iowa that control or process the personal data of 100,000 or more Iowa consumers or, if the entity derives at least 50% of its gross revenue from the sale of that data, the threshold drops to only 25,000 Iowa consumers. Iowa has also agreed with Virginia, Colorado, Connecticut, and Utah that these numbers should be limited to individuals acting in a personal or household capacity, and it shares with these other states a fairly common list of excluded businesses (e.g., non-profits, institutions of higher education, financial institutions, and those subject to and in compliance with HIPAA and its regulations, etc.) and data types (e.g., protected health information under HIPAA, health records, and personal data regulated by and used in accordance with the Family Educational Rights and Privacy Act (FERPA), the Children’s Online Privacy Protection Act (COPPA), the federal Driver’s Privacy Protection Act, the federal Fair Credit Reporting Act, or the federal Farm Credit Act, etc.).
In fact, businesses may find they have an easier time complying with the edicts of the Iowa legislature. The Iowa law does not mandate some of the privacy best practices that many of the other states have espoused, such as data minimization practices and risk assessments. Furthermore, the list of consumer rights is more limited than in many other states – most notably excluding a right to request correction or rectification – and processing of sensitive personal information simply requires a notice and the ability to opt out (as opposed to any opt-in obligation). Iowa has also been more generous in its timelines to respond to data subject requests: a standard 90 days that can be extended for an additional 45 days for “good cause,” and a full 60 days to respond to a consumer appeal.
Finally, there is no private right of action. The Attorney General has sole enforcement authority, but prior to initiating any action, the Attorney General has to provide 90 days’ written notice to the business identifying the specific violation. If the violation is cured and the business provides a statement to the Attorney General to that effect (along with a statement that no further violations will occur), then no action may be initiated. Of course, if a business has continued violations or breaches the express statement made to the Attorney General, the cure period will no longer apply.
Also last week, on March 29th, the California Privacy Protection Agency (“CPPA”) announced that the Office of Administrative Law officially approved the CPPA’s draft regulations implementing the California Privacy Rights Act and its amendments to the California Consumer Privacy Act. The implemented regulations are the culmination of the newly-formed CPPA’s first rulemaking activity, reflecting those regulations that were issued in draft form in November of 2022. The rules in draft form are online, and will be processed and issued in clean form, but according to the announcement, the regulations are effective immediately.
On March 15th, the Colorado Attorney General’s office finalized its Colorado Privacy Act Rules, 4 CCR 904-3. Both the Colorado Privacy Act (“CPA”) and its Rules come into force July 1, 2023.
The Rules spell out in more detail the expectations of the disclosures and processes of data controllers and their processors, including those for notices and data subject rights. Of particular note, those following the CPA may recall that it particularly required controllers to follow a user-selected universal opt-out mechanism for targeted advertising that was to be promulgated by the Rules. (See § 6-1-1306 (1)(a)(IV)). The CPA Rules have about 5 pages of detail and explanation regarding the rules and expectations for universal opt-out mechanisms, which to date is the most succinct and detailed state regulatory regime on universal opt-out mechanisms. (See Part 5.) In addition, the CPA Rules go into more detail on requirements for consumer consents (Part 7) and consumer profiling (Part 9) than has been seen from any of the states thus far.
It remains to be seen whether these regulations prove instructive on where regulators are going generally on these issues, but they may nonetheless serve as helpful guidance even if you are not subject to the CPA.
Last but not least, at the end of February, the European Data Protection Board (“EDPB”) released its opinion (Opinion 5/2023) on the draft adequacy decision on the EU-US Data Privacy Framework (“DPF”), which was released December 13, 2022. While the opinion is not binding, it does generally speak favorably of the proposed Data Privacy Framework, while pointing to a number of things the EDPB didn’t like, such as (1) permitted exemptions to compliance with the principles in the DPF, (2) lack of key definitions and the overall complexity of the DPF, which makes it difficult to follow, and (3) lack of overarching safeguards for automated decision-making and profiling, along with the ever-present EU concern regarding the ability of U.S. “public authorities” to access and use data.
Ultimately, the EDPB notes that the principles and the redress avenues in the DPF are “essentially unchanged” from those under the prior Privacy Shield and many of those concerns remain valid. The conversations for the EU-US Data Privacy Framework continue, and your Quarles team will continue to monitor for updates.
For guidance and advice on implementing changes to your data privacy programs in light of these changing laws, please contact any member of the Quarles & Brady Data Privacy & Security Team, your Quarles attorney or:
- Heather Buchta: (602) 229-5228 / email@example.com
- Meghan O’Connor: (414) 277-5423 / firstname.lastname@example.org
- Kiana Baharloo: (312) 715-2738 / email@example.com
- Ashleigh Giovannini: (414) 277-3049 / firstname.lastname@example.org
- Ami Zaveri: (602) 229-5242 / email@example.com