The United States continues to suffer from the absence of a federal data privacy and breach law.  Congress has tried for years to broker a deal here but has never been able to overcome strong lobbying forces — whether its high-tech, trial lawyers, law enforcement or other gadflies, the public continues to suffer.

Instead, global businesses face a real mess, tracking data privacy laws state-by-state, with the most stringent state’s becoming the de facto standard. 

California is usually a standard-bearer in this equation. California is poised to become the 4th largest economy in the world, surpassing Germany.  So, what California does, has a real impact on the US economy and in the global economy.

California first enacted in 2018 the California Consumer Privacy Act (“CCPA”).  California citizens wanted more regulation of data privacy.  So, in November 2020, they passed Proposition 24, The California Privacy Rights Act (“CPRA”), which created a new California Privacy Protection Agency (“CPPA”) and authorized the CPPA and 62 state district attorneys to enforce the law. 

The CPRA became effective as of January 1, 2023; however, this date was extended so that the Agency could issue required regulations.  The CPPA  issued 12 of 15 sets of required regulations. Business groups filed challenges to the new law and these final regulations will now be enforceable March 29, 2024.  The CPPA still has to issue regulations covering three areas: cybersecurity audits, risk assessments and automated decision-making regulations, which will not be enforceable until one year after they are issued. The reviewing court made it clear that the CCPA’s original regulations tied to the 2018 law are still enforceable until the superseding CPRA regulations are released.

Assuming you can follow this regulatory and legal morass, it is worth reviewing the new data privacy regime.  Many commentators have suggested that California’s data privacy laws and regulations are resembling the EU’s GDPR regime.

The new California law replaces the CCPA definition of a “covered business” to include any business that: (1)  had $25 million in annual gross revenues as of January 1 in the preceding calendar year; or (2) buys, sells or share the personal information of 100,000 California consumers or households; or (3) derives 50 percent or more of its revenues from selling or sharing personal information. 

The CPRA includes a number of important revisions to existing requirements: (1) eliminates the CCPA exception for employee personal information and B2B personal information; (2) revises general purpose limitation for collection of data so that it is “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed;” (3) expands the definition of “sensitive personal information” to match the GDPA definition; (4) adding a new consumer right to correct inaccurate personal information; (5) revised vendor flow down requirements; and (6) adding duty to implement reasonable security precautions and practices “appropriate to the nature of the personal information.”

The Privacy Agency intends to implement regulations governing annual cybersecurity audits.  In March 2023, the CCPA issued regulations requiring companies to file each year a data security and privacy risk assessment. 

Data Privacy Outside of California

California is not the only data privacy actor in the state law arena.  Virginia, Colorado, Utah, Iowa and Connecticut have new data privacy laws that have gone into effect, and more are on the way in 2024 — Montana, Tennessee and Texas. While these laws are similar, each has their own spin on specific issues. To avoid this mess and line-drawing across the map, many companies are just applying the most stringent set of laws and regulations for “peace of mind.”

Connecticut, Colorado and Virginia require companies to conduct impact assessments, similar to the GDPR requirement. All the state laws provide the consumer rights of data access, correction, portability and deletion.  All the states cited above require companies to execute third-party contracts to process personal data and protect that information with reasonable data security measures.