In our seventh episode, Jennifer Urban and Samuel Goldstick sit down to discuss the newest states with data privacy laws that went into effect on July 1, 2023: Colorado and Connecticut. How do these compare to existing regulations such as the California Privacy Rights Act and Virginia Consumer Data Protection Act? Which tenets will have the most impact? And what can organizations not in compliance do to meet these new requirements?
- State Data Breach Notification Laws Guide (Updated Quarterly)
- Colorado Attorney General Releases Proposed Privacy Rules and Begins Holding Stakeholder Meetings
- Connecticut Poised to Become Fifth State to Enact Comprehensive Consumer Data Privacy Law
The episode transcript below has been edited for clarity.
Welcome to Foley’s Innovative Tech Insights podcast. My name is Jennifer Urban and I’m a partner at Foley & Lardner. I’m also co-chair of the Cybersecurity and Data Privacy area of focus within the Innovative Technology sector and vice chair of our Technology Transactions, Cybersecurity, and Privacy group. I’m joined here today by Samuel Goldstick, who’s a senior counsel in our Chicago office. We wanted to talk about some of the new requirements under Colorado and Connecticut’s privacy laws because they just came into effect on July 1st.
One of the most common questions we get from clients is “What do we do now to comply with Colorado and Connecticut?” Sam and I will talk through some of the high-level differences to help you adapt your new program.
So one of the first things we’re going to get into is “Do I have to comply with Colorado and Connecticut’s privacy laws?” As many of you know, California’s CPRA has a very broad applicability threshold that’s really based on revenues. The difference between Colorado and Connecticut is that you need to process at least either 100,000+ consumers’ information in a calendar year or 25,000+ and derive revenue related to the sale of data. In other words, even though you have to comply with California law, you may not need to comply with Colorado or Connecticut.
One of the other major differences is that Colorado applies to nonprofits. So many nonprofits out there have not had to comply with California or Virginia but now need to comply with Colorado.
Another main difference is that the CPRA, as many of you know, applies broadly not only to consumer information but also to employee and B2B contact information. The good news is that Colorado and Connecticut do not apply to employee and B2B contact information.
There are also many different exceptions for certain types of entities or data. We’re not going to go through all of them. One of the interesting ones is that there is an entity-level exemption for financial institutions under Colorado and Connecticut.
So that’s a high-level overview. Our best recommendation is to revisit whether or not your organization needs to comply with Colorado and Connecticut before diving into and amending your program to comply with their requirements.
So, we’re going to start out with one of the most common questions we get and I’m going to direct this to Sam. So Sam, the big question always is “Do we need to update our privacy notice to comply with these new Colorado and Connecticut requirements?”
So I’ll start with Connecticut. Connecticut’s privacy notice requirements are far less prescriptive than in California and Colorado and generally include disclosures that are already required under the CPRA, with one caveat. Companies that are subject to Connecticut’s law and process personal data for targeted advertising purposes need to describe how Connecticut residents can exercise their right to opt out of targeted advertising.
Targeted advertising is similar to the concept of sharing under California’s law but has broader applicability. So companies are going to want to examine whether or not their practices are considered targeted advertising, and if so, they would want to speak to that in their privacy notice. Beyond that, there’s not much of a change between those two laws.
Colorado, unlike California’s law, requires companies to map each category of personal data that they collect to their specific use of that data. So in other words, companies have to specify in the privacy notices the express purpose for which each category of personal data is used, and strangely enough, as prescriptive as California is, that level of specificity isn’t required in California’s privacy notice requirements.
So, Jen, yet another common question that clients ask us all the time is “How is sensitive data treated under Colorado and Connecticut’s laws?” and “How do they compare to sensitive personal information under the CPRA?”
Great question, Sam. Under the CPRA we have this new concept of sensitive information. That’s important because under the CPRA you have to provide consumers the opt-out right to not process sensitive data, and so this caused a lot of companies to go through and question: “What data are we collecting? Is it sensitive? Do we have to offer these different opt-out rights?”
California has a very broad definition of what is considered to be sensitive data. There’s good and bad news under Colorado and Connecticut. You know the definition of sensitive information is more limited. It doesn’t include things such as a driver’s license number, a Social Security number, a passport, or financial account information. Arguably, Colorado and Connecticut do not cover health information as broadly as California does. There are some other nuances between the definition and so that’s the good news. First of all, you have to think, what data are we collecting that would even be sensitive under California, Colorado, or Connecticut?
But the major difference between Colorado and Connecticut is that rather than doing an opt-out to limit the use of sensitive data like you do in California, you have to get consumers to opt-in. There are prescriptive consent requirements, in particular under Colorado. What this really means is clients, as I mentioned in the beginning, are really thinking through “Do we need to collect this type of data?” Not only do we have to figure out whether we need opt-out rights or opt-in consent for collecting sensitive information, but also the general data minimization concepts that are in these laws. Do we really need to collect this information? How long should we retain it?
Then furthermore, even beyond the privacy requirements is “Should we be collecting things like Social Security numbers or financial account numbers? What if we have a data breach or an incident?” That type of data certainly heightens the risk for an organization to continue to maintain and collect. So it’s very important to consider what types of sensitive information you’re collecting and if you are giving the right opt-in or opt-out rights to consumers to process their data.
Before we move on to other sections, and we’re not going to go through all of the differences between consumer rights and data subject rights, we’re just going to hit some of them on a high level. Sam already mentioned that Colorado and Connecticut really have a broader definition of targeted advertising. They could also apply to internal uses rather than just disclosures to third parties. If you’re doing any type of targeted advertising, it’s worth taking a look at those definitions to see if they would affect any of your internal uses. There still is an opt-out right, but again, just look at how Colorado and Connecticut define targeted advertising. Also, with regard to profiling, a concept that has not been solidified yet under the CPRA, we’re waiting for those regulations. Colorado, for example, has very prescriptive requirements around profiling. So in the event that you are considering doing any sort of profiling, we recommend looking at Colorado’s requirements while we’re waiting for the CPRA regulations to come out.
Some other high-level things a lot of organizations are trying to figure out are what is going to be done about global privacy controls, opt-out preference signals, and universal opt-out mechanisms. I would say the good news now for Colorado and Connecticut is we’ve got some time. I mean, Colorado is set. You don’t have to have something in place until next year [July 1, 2024], and Connecticut is even farther out, in January 2025.
We work with a lot of clients trying to figure out how are we going to honor these global privacy controls and hopefully we’ll get more guidance about universal opt-out mechanisms that are specifically approved. But the good news is we do have some time under Colorado and Connecticut.
Moving over to some more interesting questions we commonly get from clients. Sam, can you talk about financial incentive programs and how is that going to change (or not) for a client that has a financial incentive program pursuant to California law? How is that going to apply now under Colorado and Connecticut?
Good question, Jen. I would say that if you are a company subject to Connecticut’s law with a financial incentive program already covered by the CPRA, no further changes would need to be made, because Connecticut does not specifically regulate or have any specific requirements governing financial incentive or loyalty programs.
However, Colorado does. As does California. They both regulate personal information that’s used for loyalty programs but go about it in different ways, and I just want to take a couple moments to explain some of these distinctions.
With regard to the scope, California appears to have a broader view in terms of the types of activities that are regulated. It generally sweeps in any circumstance in which a consumer provides a business with personal information in order to receive a discount or other type of benefit, which is extremely broad.
Colorado’s requirements are more targeted at traditional loyalty or rewards programs, in which consumers can sign up to receive points or discounts, or other benefits on an ongoing basis when they make qualifying purchases.
So the scope in California is broader, meaning that in Colorado if you have a loyalty program that’s under Colorado law, it would be swept under the rug for California. Something to note is that there’s very little overlap between the notice requirements for financial incentives and loyalty programs under California and Colorado law. Due to the differences in just these disclosure requirements, businesses that are subject to both laws in California and Colorado will need to decide whether to create separate loyalty notices for California or Colorado or combine them into a single expanded notice directed to consumers in both states.
Really, the bottom line is that you have to look at what you’re doing under your program. Unfortunately, the devil is in the details there to see how you need to expand it based on the new requirements.
Exactly. I would say one other distinction is that California requires businesses to obtain opt-in consent from consumers before they enroll in the financial incentive program, and that consent or opt-in requirement doesn’t carry over in Colorado. To the extent that sensitive data is not being collected by a business in connection with enrolling someone into their loyalty program, all that would be needed is that the consumer’s participation in Colorado is voluntary.
So another question is with regard to data protection assessments. When do we need to do these? What are the requirements? Similar to what we mentioned before with the CPRA, we don’t have regulations out yet. For Colorado and Connecticut, what are some things that we should consider regarding data protection assessments?
Great question. Data protection assessments in those states center on, or are triggered, when companies are engaging in “higher-risk” processing activities. These can include things such as processing sensitive data or engaging in the sale of data or targeted advertising. However, unlike California, which has yet to enact regulations, Colorado and Connecticut require such assessments to include extensive content. A non-exhaustive list of some of this content includes things such as the technologies or processors that are used, the operational details behind the processing activity at issue, the types of risks to the rights of consumers, and what measures and safeguards are in place to protect consumers. For companies that are also required to comply with the GDPR, it is strongly recommended to also look at the guidance that was issued by the European Data Protection Board for data protection impact assessments, as it sets forth really good details in terms of what is expected in those types of assessments. That being said, they are not the exact same types of assessments that are carried out in Colorado and Connecticut.
That’s a very good point about looking to GDPR and some of the guidance there because these concepts have now been fully fleshed out. I think that’s a very useful resource for companies.
So, what if we’re not in compliance with these laws yet? If we’re not ready for this new effective date, do organizations have the ability to cure? How does that work under these new regulations?
That’s a very good question that we’ve been asked a lot, and it’s worth noting that the CPRA in California eliminated the 30-day cure period that was originally provided for under the CCPA. So there is no cure period in California, which could indicate higher enforcement risk in that state as opposed to others that do have a cure period, such as Connecticut and Colorado, which have a 60-day window. But it’s worth noting that the flexibility to cure in those two states sunsets at the end of 2024.
That’s really helpful. We get a lot of questions from clients about enforcement such as “What are we going to see?” Unfortunately, as these are all relatively new laws, whether it’s California, Virginia, Colorado, or Connecticut, it is a wait-and-see enforcement atmosphere. I mean, we obviously follow the CPRA enforcement actions very closely. We’ll have to see what is yet to come under Colorado and Connecticut. However, due to the fact that enforcement is still somewhat in flux, in particular around these new laws, we help clients every day by trying to assess what aspects of these laws should really hit home. Obviously, anything that is public-facing (like a privacy notice, opt-out or opt-in rights, etc.) needs to be focused on.
But our team is happy to help anyone out there with these questions, how to prioritize your efforts to comply with these new privacy compliance requirements, and how to adapt your program.
Foley &amp; Lardner’s Innovative Technology Insights podcast focuses on the wide-ranging innovations shaping today’s business, regulatory, and scientific landscape. With guest speakers who work in a diverse set of fields, from artificial intelligence to genomics, our discussions examine not only the legal implications of these changes but also the impact they will have on our daily lives.