CPA Now Blog

Data Privacy Efforts Growing, Coming to Pennsylvania

Until very recently, there were no comprehensive regulations in the United States governing how businesses could collect, store, and sell personal information, with or without permission. Now, dozens of states have introduced consumer data privacy bills. It is vital to note what these laws require and to whom they apply.

Apr 25, 2022, 05:21 AM

This blog was provided by Gallagher Affinity, a premier sponsor of the PICPA.

By James Vinocur, JD


Society’s growing reliance on the internet to conduct business, shop, play, and even educate has left heaps of personal data in the online hands of others, and online service providers have monetized that data. Until very recently there was no comprehensive regulation of how businesses could collect, store, and sell personal information, with or without permission; the sector-specific laws that did exist (covering, for example, health and financial data) left most consumer data uncovered. Domestically, this began to change when the California Consumer Privacy Act (CCPA), enacted in 2018, took effect on Jan. 1, 2020. In 2021, Virginia and Colorado enacted their own consumer data privacy laws, and dozens of other states have since introduced similar bills in their own legislatures. So, what does it mean for businesses that are not located in one of these states with enhanced privacy legislation?

It is important to note what these laws require and to whom they apply:

  • The CCPA applies to any for-profit entity that does business in California (more on this below) and either has annual gross revenue in excess of $25 million, annually buys, sells, or shares the personal information of 50,000 or more consumers, households, or devices (a threshold the CPRA amendments raise to 100,000 consumers or households as of Jan. 1, 2023), or derives 50% or more of its annual revenue from selling personal information.
  • The Colorado Privacy Act (which goes into effect on July 1, 2023) applies to businesses that conduct business in Colorado or deliberately target Colorado residents and that either control or process the personal data of 100,000 or more consumers in a calendar year, or derive revenue (or receive a discount) from the sale of personal data and control or process the personal data of 25,000 or more consumers.
  • The Virginia Consumer Data Protection Act (VCDPA), which goes into effect on Jan. 1, 2023, applies to entities that conduct business in Virginia or target Virginia consumers and that either control or process the personal data of at least 100,000 consumers, or control or process the personal data of at least 25,000 consumers while deriving over 50% of their gross revenue from the sale of personal data.

Broadly speaking, the laws apply to the collection of personal information such as names, email addresses, postal addresses, or other identifiers, and require businesses to notify their consumers that they are collecting this kind of data and to allow them to opt out of certain uses of it.

The opt-out provision of the three laws is a crucial component. This mechanism allows consumers to opt out of certain uses and sales of their information, albeit to different degrees. The California law allows consumers to opt out of the sale of their information (and, once the CPRA amendments take effect in 2023, of its sharing for cross-context behavioral advertising); Virginia allows consumers to opt out of the sale of their data, its use for targeted advertising, and certain profiling; Colorado likewise allows opt-outs from sale, targeted advertising, and certain profiling. None of the three lets consumers opt out of collection itself; the remedy for unwanted collection is the separate right to request deletion. Practically speaking, websites impacted by these laws will typically include an opt-out link on the front page of the website, alongside privacy notices that provide greater detail about the collection and sale of consumers’ data, the purpose of the collection, and how users can exercise their rights. Enforcement is primarily by civil action of each state’s attorney general (and, in California, the California Privacy Protection Agency). The only private right of action among the three is the CCPA’s, and it is limited to data breaches of nonencrypted and nonredacted personal information caused by a failure to maintain reasonable security; Colorado and Virginia provide no private right of action.

It is important to note that the California, Virginia, and Colorado laws can apply to businesses located outside those states (as long as they meet the threshold requirements described above), including CPA firms in Pennsylvania, if they provide services to consumers located in one of those states and/or target their online advertising at consumers there. The trigger is meeting a threshold with respect to that state’s residents, and a website that collects personal data from visitors in the state can do that quietly through ordinary sign-up forms and analytics. Practically speaking, any firm that meets the threshold requirements and serves or markets to consumers in one of these states should comply with that state’s law. Thus, even in the absence of a local state law, these privacy bills have nationwide impact.

A comprehensive privacy bill akin to the CCPA was introduced in Pennsylvania in the spring of 2021. Known as the Consumer Data Privacy Act (CDPA), this bill would apply to any entity conducting business in Pennsylvania that collects consumers’ information and meets one of the following thresholds:

  • Exceeds yearly gross revenue of $10 million
  • Buys, sells, or shares the data of 50,000 or more consumers annually
  • Earns more than half of its annual revenue from the sale of this information

Pennsylvania’s CDPA would also impose a requirement on businesses to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information,” much like the WISPs (written information security programs) discussed in a previous CPA Now blog post. Unlike Colorado and Virginia, and going beyond California’s breach-only private right of action, Pennsylvania’s bill would provide consumers with a general private right of action in addition to allowing for civil enforcement by the state attorney general. Experts and commentators in the field have frequently called for federal privacy legislation instead of this growing patchwork of differing state regulations, but those bills have consistently stalled in Congress thus far.


James Vinocur, JD, is a partner at Goldberg Segalla in New York City, where he specializes in data privacy and cybersecurity issues. Prior to joining Goldberg Segalla, he served as deputy chief of the cybercrimes bureau of the Manhattan District Attorney’s Office. He can be reached at jvinocur@goldbergsegalla.com.


Disclaimer

Statements of fact and opinion are the authors’ responsibility alone and do not imply an opinion on the part of PICPA officers or members. The information contained herein does not constitute accounting, legal, or professional advice. For professional advice, please engage or consult a qualified professional.
