TheCorporateCounsel.net

July 9, 2021

As State Privacy Laws Multiply, Outline of 10 Key Differences

Back in March, I blogged about Virginia being the second state in the US to enact a comprehensive data privacy law. Colorado became the third state to enact a comprehensive data privacy law as Colorado’s Governor signed the law this week. Laws in California, Virginia and now Colorado are scheduled to take effect in 2023 and those who work with compliance programs will want to ensure the programs address nuances of each of these laws.

To help understand what those nuances are, this Hogan Lovells memo outlines 10 key differences across the three privacy laws. Among differences outlined in the memo are provisions relating to exemptions for certain entities and certain types of data, consumer opt-out rights and signals, contracting requirements, sensitive data requirements, appeals for rights requests, regulator enforcement and cure periods. Here’s an excerpt about privacy law provisions relating to data protection assessments:

California (CPRA)

– Does not currently have any requirements for data protection assessments.

– However, there is a provision in the rulemaking section that calls for the issuance of regulations requiring risk assessments for processing activities that present significant risk to consumers’ privacy or security. Therefore, this requirement may be added before the law takes effect.

Virginia (VCDPA)

– Requires controllers to conduct data protection assessments for a range of activities, including: targeted advertising, sales of personal data, the processing of personal data for profiling that creates certain risks for consumers, the processing of sensitive data, and any other activities that present a heightened risk of harm to consumers.

Colorado (CPA)

– Requires controllers to conduct data protection assessments for a range of activities, including: targeted advertising, sales of personal data, the processing of personal data for profiling that creates certain risks for consumers, and the processing of sensitive data.

The memo provides a reminder that a thorough understanding of the similarities and differences between the three laws will be necessary to design an efficient and effective compliance program prior to 2023. Without any comprehensive federal privacy law, we’ll likely see additional states adopt privacy legislation this year. It’s hard to say which state may be next although this Cleary memo says to keep your eyes on Washington and New York, which may both pass privacy legislation sometime this year.

– Lynn Jokela