Data Protection and Privacy 2025

USA LAW AND PRACTICE Contributed by: Nancy Libin, David Rice, Spencer Persson, Michael Borgia, Robert Stankey, Kara Trowell and Alexander Sisto, Davis Wright Tremaine LLP

Thus far, only the laws of California, Colorado, Florida and New Jersey authorise rulemaking to implement their privacy laws. While most state laws expressly exempt entities covered by sector-specific privacy laws (eg, financial institutions regulated under the GLBA), the CCPA provides exemptions that exempt the information, rather than the entities, governed by sector-specific statutes. The CCPA has a limited private right of action for certain data breaches, whereas none of the other state privacy laws has a private right of action. These other state laws, with a few exceptions, provide the same rights to consumers and impose the same obligations on controllers, though each has its own unique provisions, as described below.

Colorado

The Colorado Privacy Act (CPA) uses as a jurisdictional threshold the amount of consumers’ personal data processed annually (at least 100,000 or more, or 25,000 if the controller derives revenue or consumers receive a discount, from the sale of personal data). Colorado controllers include non-profit entities. The CPA requires controllers to perform a data protection assessment for processing personal information that may cause a heightened risk of harm, such as targeted advertising. Colorado controllers must have an appeals process for consumers who object to how their requests are handled.

Connecticut

The Connecticut Data Privacy Act (CTDPA), as amended, has applicability thresholds like the CPA. The CTDPA does not apply to non-profits, however. The CTDPA prohibits targeted advertising to, and the sale of personal data of, consumers who the controller has actual knowledge of or wilfully disregards as being 18 years old without consent (parental consent is required for children under 13).

Virginia

The Virginia Consumer Data Protection Act (VCDPA) is like the CPA, but does not apply to non-profits. The VCDPA also gives controllers a right to cure non-compliance before enforcement.

Utah

The Utah Consumer Privacy Act (UCPA) applies to businesses that both:

• have annual revenues of USD25 million; and
• either annually process the personal information of 100,000 or more Utah consumers or derive more than 50% of their revenue from the sale of their personal data, or annually process the personal data of more than 25,000 Utah consumers.

Also, the UCPA:

• does not require data protection assessments;
• does not provide a right to opt out of profiling; and
• gives consumers the right to opt out of sensitive data processing rather than requiring controllers to obtain their opt-in consent for such processing.

Iowa

The Iowa Consumer Data Protection Act (IACDPA) defines a “sale” as an exchange of personal data with a third party for monetary consideration only, and, like the Utah law, it gives consum-
