California, Colorado, and Virginia have enacted comprehensive laws governing consumer privacy. These laws will be effective in 2023. This update outlines certain key content that may be required under these laws in website privacy notices, with an emphasis on new requirements that are not part of existing laws. Because of these new requirements, existing notices may need to be revised or updated.
Privacy notices should reflect the rights available under each state’s law. These include the following:
- Virginia’s Consumer Data Protection Act (CDPA) gives consumers a right to know whether a controller is processing the consumer’s personal data, right to access personal data processed by the controller, right to correct, right to delete, right to data portability, and right to opt out of targeted advertising, the sale of personal data or profiling having legal or significant effects (such as ability to obtain loans, housing, education, health care, or the like). The business must also provide a right of appeal with respect to the exercise of other rights. If the appeal is denied, Virginia controllers must provide the consumer with an online mechanism to contact the Virginia Attorney General, and Colorado controllers are required to inform consumers of their right to contact the Colorado Attorney General about the results of the appeal.
- Colorado’s Privacy Act (CPA) gives consumers the right to access, right to delete, right to data portability, and the right to opt out of targeted advertising, the sale of personal data, or profiling via a universal opt-out mechanism. In addition, an appeal process must be “conspicuously available” and easily usable by consumers.
- California’s Privacy Rights Act (CPRA) gives consumers a right to know what personal information is being collected, right to access personal information, right to know what personal information is sold or shared and to whom, right to correct, right to delete, right to data portability, right to opt out of the sale of information, right to opt out of “sharing” of personal information, and the right to limit use and disclosure of sensitive personal information. (“Sharing” is a defined term in the law that appears aimed at limiting online behavioral advertising. “Sensitive” personal information includes information such as SSN, financial account, precise geolocation data, racial and ethnic orientation, labor union affiliation, and genetic, biometric, and health data.)
Expand disclosures about the collection and sharing of information.
- Virginia controllers are required to provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes (1) the categories of personal data processed by the controller; (2) the purpose for processing personal data; (3) how consumers may exercise their consumer rights, including appeal of a controller’s decision; (4) categories of personal data shared with third parties; and (5) categories of third parties with whom the controller shares personal data. We have emphasized (4) and (5) in this list as potentially requiring expanded detail in comparison to the current notice.
- Businesses subject to the Colorado law must similarly indicate (1) the categories of personal data collected or processed, (2) the purpose for processing such categories of personal data, (3) how consumers may exercise their rights, including appeal, (4) the categories of personal data shared with third parties, if any, and (5) the categories of third parties, if any, with whom the controller shares personal data.
As one potential approach for meeting these requirements, the business might consider including a chart within its website privacy notice that breaks down required information for each category of personal data.
Identify retention periods for data sharing. Under California’s law, businesses must identify their retention period for each of the categories of data they collect.
Consider presenting an additional heightened form of initial notice separate from the main website privacy notice. Under Colorado’s law, “clear and conspicuous” notice is required regarding sale of personal data or data processing for targeted advertising. Under California’s law, an initial notice provided “at or before the point of collection” must indicate the categories of sensitive information collected, the purpose for such collection, and whether such information is sold or shared. Such initial notice must also indicate retention periods for each category of information collected and indicate relevant opt-out rights to the consumer.
Regulatory guidance interpreting these requirements is pending, and we note that there are no established commercial practices with respect to these new requirements. Pending such guidance, the business may want to consider providing a short-form notice, presented when an individual first accesses the website, that contains the relevant disclosures and/or links to the more complete disclosures in a longer notice.
Include ‘Deidentified Data’ Commitments Under Virginia Law. Virginia’s law requires businesses to provide a ‘public commitment’ regarding the use of deidentified data. As part of such commitment, the business must publicly commit not to re-identify such data.
If you have any questions about this legal update, please contact the Cybersecurity and Privacy group or the authors, Michael Young and Nick Schmidt.