On January 1, 2023, a couple of new privacy regulations came into effect in the United States. Let’s go over what these laws are and what they mean for you in practice.
CCPA and CPRA
The California Privacy Rights Act (CPRA) was approved by voters in 2020, but the provisions that revise the CCPA became operative on Jan. 1, 2023. It’s safe to consider the CPRA an amendment to the existing California Consumer Privacy Act (CCPA). So, what is amended?
First, the CPRA extends the CCPA’s “Do Not Sell My Personal Information” to include sharing personal information. Let’s define all of the terms.
What is “personal information”?
The CCPA broadly defined it as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
The CPRA newly defines a subset of personal information deemed “sensitive” which requires heightened protections.
Sensitive personal information includes:
- Social security, driver’s license, state ID card, or passport number
- Account log-in, financial account, debit card, or credit card number with accompanying passwords, credentials, or security codes
- Precise geolocation
- Racial/ethnic origin
- Religious/philosophical beliefs
- Union membership
- Mail, email, or text message content unless intended for business purposes
- Genetic data
What does “sharing” mean?
The CPRA defines sharing as renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration, including cross-context behavioral advertising.
What must businesses do?
Businesses must update their “Do Not Sell” opt-out links to also include sharing, so it can encompass “Do Not Sell/Share.”
- Post a “Do Not Sell or Share My Personal Information” link on the homepage and any other page that collects personal information.
- Offer a minimum of two opt-out request methods, such as:
  - User-enabled privacy controls (such as a link/banner)
  - Dedicated email address
  - Toll-free phone number
  - Form submittable by mail or in person
- Notify consumers that they have the right to opt out of the sale or sharing of their personal information and give them the option to do so.
- Respect opt-out decisions for a minimum of one year before asking them again to opt-in.
- Keep detailed consent and opt-out records, so that you can honor consumer rights.
- Implement reasonable security procedures and practices to protect personal information.
And we wouldn’t be doing our job if we didn’t also remind you to confirm that you have actually opted them out!
Dark Patterns Defined
We’ve been talking and writing about dark patterns of design and how to avoid getting fined for them, so it was interesting to note that the CPRA added a definition of what it considers dark patterns:
“A user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, as further defined by regulation.”
The CPRA states that agreements obtained through the use of dark patterns do not constitute consent.
VCDPA
The Virginia Consumer Data Protection Act (VCDPA) was signed into law in March 2021 and came into effect on January 1, 2023, making Virginia the second state in the U.S. to enact consumer privacy legislation.
The VCDPA applies to any business that collects, uses, or shares the personal data of Virginia residents, regardless of where the business is located. However, it only applies if your business controls or processes (i) the personal data of at least 100,000 consumers in a calendar year OR (ii) the personal data of at least 25,000 consumers if you make over 50% of your gross revenue from the sale of that data. So, there is no threshold based solely on annual gross revenue.
The VCDPA describes consumers as residents “acting only in an individual or household context,” excluding B2B interactions and employees. It also does not delineate recordkeeping requirements, other than documenting data protection assessments, so if a business is already processing consumer access requests in line with GDPR or CCPA, that should also cover requests from Virginia residents.
Virginia residents are not allowed to sue directly for violations of the law, as only the state attorney general can enforce it. Damages can reach up to $7,500 per violation. However, there is a 30-day window for companies to communicate with the attorney general once they have received allegations of noncompliance, so they can attempt to fix the issues before fines are handed out.
For more information on VCDPA, see Bloomberg’s analysis on some of its ambiguities. Stay tuned as we cover other upcoming state laws as they come online.
To see how your website stacks up against privacy regulations, try a 1000-page scan on us.