State Consumer Privacy Laws
Minimizing privacy risks and defending against related legal actions.
The regulatory framework for U.S. data protection laws is constantly changing.
The California Consumer Privacy Act (CCPA) first introduced a host of privacy rights for California consumers and created robust obligations for many businesses that collect personal information about California consumers. Since then, more than a dozen other states have passed their own comprehensive privacy laws, some with significant variations that complicate compliance for businesses. Meanwhile, momentum in state legislatures to pass more privacy laws continues to grow.
Perkins Coie’s Privacy & Security lawyers have deep experience helping clients comply with privacy laws around the world and are positioned to help businesses understand the implications of comprehensive state consumer privacy laws. We help our clients take stock of their current data practices, including assisting with the creation of data maps or data inventory systems to identify the personal information their businesses collect and how such information is used, stored, shared, secured, retained, and destroyed. We also counsel clients on all aspects of state privacy law compliance, including privacy policy updates, user interface adjustments, possible amendments to vendor contracts, and much more. Our team interprets and tracks regulatory guidance, rulemaking activity, litigation, and enforcement actions that will continue to shape legal requirements. We work with clients to minimize risk and defend clients in privacy-related enforcement actions and private litigation.
How we help clients
- Counseling clients on all aspects of state privacy law compliance.
- Creation of data maps or data inventory systems.
- Privacy policy updates, user interface adjustments, possible amendments to vendor contracts.
- Minimizing risk and defending clients in privacy-related enforcement actions and private litigation.
What You Should Know
What Entities Are Subject to the State Consumer Privacy Laws?
The comprehensive state consumer privacy laws generally apply to companies that do business in a specific state or target their products and services to residents of that state. Most laws also apply only to businesses that meet certain thresholds for annual revenue, volume of consumers, and/or revenue from the sale of personal information.
Who Has Rights Under the State Consumer Privacy Laws?
While the laws have important differences in definitions and exemptions, they generally protect the personal information of “consumers,” a term broadly defined as any natural person who is a resident of the specific state. Although most states exclude individuals acting in a B2B or employment context, the CCPA protects employees and B2B contacts in addition to general consumers.
The laws require greater transparency in data practices and give consumers more control over their personal information. In general, “personal information” broadly includes any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device. It includes obvious identifiers, such as names, addresses, and email addresses, but it also covers categories of information not typically considered to be personal information in the United States, such as web browsing information and inferences drawn from other information to create a consumer profile.
What Rights Do the Laws Provide to Consumers?
The consumer rights afforded under the laws generally include the following:
- Access. Consumers have a right to know about and access the specific pieces of personal information collected about them by the business.
- Correction. Consumers have a right to correct inaccurate or incomplete personal information maintained by the business.
- Deletion. Consumers have a right to request deletion of their personal information.
- Portability. Consumers have a right to receive their personal information in a portable format.
- Use restrictions (opt-out rights). Certain laws require implementing opt-out mechanisms for certain processing activities by the business (e.g., for selling, targeted advertising, automated decision-making and profiling for particular purposes, processing sensitive personal information, etc.).
- Use restrictions (opt-in rights/consent). Certain laws require businesses to obtain opt-in consent for certain activities or certain types of consumers (e.g., for processing sensitive personal information and collecting personal information from children).
- Right to nondiscrimination. Consumers have the right to not be treated differently based on whether they have submitted a rights request (e.g., by being charged a higher price, denied services, or given a different level or quality of goods or services). Companies that offer loyalty or similar programs are subject to onerous obligations.
There are limitations and exemptions to these rights, and the existence and scope of each consumer right varies by state.
What Obligations Do the Laws Impose on Businesses?
The comprehensive state privacy laws impose various obligations on businesses, including:
- Providing privacy policies and notices with specific information.
- Obtaining consent for certain types of collection and processing.
- Verification, timing, appeals, and other requirements for responding to consumer requests.
- Recognition of universal opt-out signals as a means to opt out of sales and targeted advertising.
- Risk assessments for certain types of processing.
- Limits to disclosure or use of sensitive data.
- Special requirements for children’s data.
- Data security requirements.
- Requirements for agreements with service providers.
Who Can Enforce the Laws and What Are the Penalties for Claimed Violations?
Most states give the state attorney general the authority to enforce their state’s privacy law. The CCPA also gives the California Privacy Protection Agency enforcement authority. Some statutes give businesses a specified period of time to cure alleged violations, and some state cure provisions expire. So far, only the CCPA allows for a private right of action, but it is limited to breaches of certain types of personal information. Most states have specified penalties, which range from $2,500 per violation up to $20,000 per violation.
When Will Businesses Need To Comply?
The CCPA and several other state consumer privacy laws are currently in effect, with more state laws set to become operative over the course of the next few years. If you haven’t already, we recommend assessing the threshold requirements for each state law to determine whether your business will need to comply.