- Julian Mahfouz
5 States of Consumer Privacy
In two years, 5 states passed consumer privacy acts, which in “law” time (especially with a pandemic) is fast. Beginning with California’s Privacy Rights Act, the last two years saw four more states, namely Virginia, Colorado, Connecticut, and Utah, follow suit, passing comparable legislation aimed at protecting consumer privacy.
In 2020, California passed its California Privacy Rights Act (“CPRA”), which protects seven different rights for its resident consumers: (1) their right to delete personal information; (2) their right to correct personal information; (3) their right to know what personal information is being collected and ability to access that information; (4) their right to know if that information is sold or shared; (5) their right to opt out of the sale or distribution of information; (6) their right to limit the use and disclosure of Sensitive Personal Information; and (7) their right to be protected against retaliation by any data controller.
With slightly varying language, the data privacy laws enacted by Virginia, Colorado, Connecticut, and Utah protect the same rights that the first five and the seventh provisions of the CPRA protect. The key difference resides in California’s definition of Sensitive Personal Information, which is CPRA’s sixth right of privacy. The CPRA’s Sensitive Personal Information category includes an individual’s social security number, driver’s license number, state identification card information, passport number, any credit or debit card information, race and ethnic origin, any record of philosophical beliefs, union membership, email and text message contents, genetic data, biometric information, sexual orientation or related details, and any information concerning a consumer’s health.
The other four states use the term “Sensitive Data” uniformly (as opposed to “Sensitive Personal Information”), which seems to be intentional. The “Sensitive Data” definitions are slightly less comprehensive, labeling data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship, immigration status, processing of genetic or biometric data, personal data collected from a known child, and precise geolocation data as “Sensitive,” while omitting political and professional memberships, private messages, and philosophical beliefs.
The rights of citizens subject to privacy violations are also unique in California. California is the only state allowing a private right of action to its citizens, even if in a limited scope. The CPRA allows persons to seek relief for leaks of certain information, setting a minimum of $100.00 and maximum of $750.00 per incident, or actual damages, whichever is greater. A person may also petition for injunctive or declaratory relief.
Citizens in Virginia, Colorado, Connecticut, and Utah cannot file private lawsuits under their privacy rights laws. Rather, those states vest enforcement solely with their attorney general’s offices. Connecticut subjects willful violators to civil penalties at $500.00 per violation, capped at $500,000.00 per single event, whereas Colorado places a maximum $20,000.00 penalty per violation for engaging in a “deceptive trade practice.” Similarly, privacy violations in Virginia carry a potential $7,500.00 fine per violation if the violation is not cured within 30 days.
California (in addition to its private right of action), Virginia, and Utah’s pre-set penalties per violation are deposited into a fund created by the State’s respective acts to fund future enforcement of consumer privacy rights. California, consistent with its own patterns, distinguishes its administrative violation penalties (enforced by its attorney general) between $2,500.00 for negligent violations and $7,500.00 for intentional violations (unless the injured party was a known minor, in which case fines increase).
Instead of creating new penalties, Connecticut and Colorado treat violations of their privacy laws as just another type of a preexisting, statutorily prohibited behavior. Connecticut categorizes any violation of these new laws as an unfair trade practice, which carries penalties of up to $5,000.00 for willful violations and $25,000.00 for violation of a previously issued restraining order.
The CPRA, as well as Colorado and Connecticut’s privacy rights acts, begin enforcement on July 1, 2023, for violations that occur on or after that date. Virginia's privacy rights act becomes enforceable on January 1, 2023, and Utah’s act becomes effective December 31, 2023.