There has been a flurry of state privacy activity in the past week, with Colorado becoming the latest state to finalize sweeping data privacy rules and Iowa on the precipice of becoming the sixth state to enact comprehensive privacy legislation. Read this article to learn more about how the new Colorado rules go beyond existing California and Virginia laws, as well as how Iowa stacks up against the five other existing state laws.
COLORADO ATTORNEY GENERAL FINALIZES CPA REGULATIONS
On March 15, 2023, the Colorado Attorney General’s Office filed the final Colorado Privacy Act rules (together with the underlying Colorado Privacy Act, the Colorado Rules) for publication in the Colorado Register. The Colorado Rules take effect on July 1, 2023. Although they largely mirror California and Virginia requirements, they contain numerous new obligations that go beyond existing law and will require companies to update their compliance programs, including:
- Additional requirements for deletion requests: Controllers who deny requests to delete must describe the types of data collected from third parties that the company did not delete (this requirement does not apply to data collected directly from the individual).
- Flow down all data subject rights to processors: Controllers must flow down all data subject requests that controllers honor to processors, including requests to opt out of targeted advertising and sales of personal data. The California and Virginia rules, by contrast, only require flowing down certain requests in limited circumstances.
- Honor more specific opt-out technologies: California and Colorado both require controllers to honor opt-out preference signals, but Colorado will go further and publish a specific list of universal opt-out mechanisms by January 1, 2024, which will be updated over time. Controllers must honor the specified signals within six months of publication.
- Detailed privacy notice requirements: Controllers must specify in their privacy notices the express purpose for which each category of personal data is used. Privacy notices must also specify which data subject rights are available to Colorado residents.
- Granular data protection assessment requirements: Like California and Virginia, the Colorado Rules require controllers to conduct “data protection assessments” when engaging in “higher risk” processing activities, such as processing sensitive data or engaging in selling/targeted advertising. However, unlike California (which has yet to enact regulations) and Virginia (which has limited details), the Colorado Rules require such assessments to include extensive content, including:
  - The nature and operational elements of the processing activity
  - The sources of personal data
  - The technology or processors to be used
  - The names and categories of the personal data recipients
  - Operational details about the processing
  - The core purposes of the processing activity
  - The sources and nature of risks to the rights of consumers
  - Measures and safeguards in place to protect consumers
  - A description of how the benefits of processing outweigh the identified risks.
The Colorado Rules also provide detailed examples showing how to analyze each factor.
- Detailed consent requirements: The Colorado Rules impose heightened consent requirements, such as when processing sensitive data and making inferences about sensitive characteristics using non-sensitive data. Although consent to process sensitive data is currently required in Virginia, the Colorado Rules add additional granularity and guidance on obtaining such consent.
- Applicability to nonprofits: Unlike all the other state privacy laws, the Colorado Rules apply to nonprofits that engage in “commercial activity.”
IOWA POISED TO BECOME SIXTH STATE TO ENACT A CONSUMER PRIVACY LAW
Also on March 15, 2023, Iowa’s legislature unanimously passed Senate File 262 (S.F. 262), which will become the sixth US state consumer privacy law once the governor signs the bill into law. The bill closely resembles the Utah Privacy Act, which followed the model set by Virginia, Colorado and Connecticut while loosening or omitting several key provisions. Similar to the jurisdictional triggers in other states (except California), the Iowa law would apply to businesses that control or process the personal data of 100,000 Iowan consumers or derive 50% of revenue from selling the data of more than 25,000 Iowan consumers. The law contains notice, access, deletion, contracting and enforcement provisions similar to those in these other states’ laws. However, like Utah’s law, the Iowa bill:
- Imposes a right to opt out, not opt in, for the processing of “sensitive data.”
- Omits any right to “correct” inaccurate information or to opt out of certain automated “profiling.”
The bill, which will take effect January 1, 2025, if enacted, should not create significant new compliance hurdles for most businesses beyond what is already required under existing US state privacy laws. Businesses should nevertheless ensure they closely review the impending Iowa law and incorporate it into their existing privacy programs.
This year has been off to a busy start, with new laws taking effect in California and Virginia, California and Colorado finalizing regulations (both of which will require businesses to materially update their compliance programs) and Iowa jumping into the fray. We can expect the US state privacy landscape to grow increasingly complex as other states introduce new privacy legislation and build on this momentum. Companies looking for help navigating these complex rules and for practical, risk-based compliance recommendations should reach out to one of the authors of this article or your regular McDermott contact.