Colorado passed its Colorado Privacy Act (CPA) in June, bringing a familiar but distinct new privacy regime to the growing patchwork of privacy legislation across the United States.
The CPA will take effect on July 1, 2023, and prudent businesses are already expending resources on compliance to ensure that they are not in violation of the law when that effective date arrives.
Although businesses hope that much of the compliance work undertaken for the sake of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act of 2020 (CPRA) will carry over, the legal distinctions between Colorado's statute and California's nevertheless pose a compliance hurdle for even the most sophisticated companies.
At the outset, it should be noted that much of the CPA’s language and structure is similar to that in the CCPA and in the CPRA, which voters passed in the last election. The CPA also borrows portions from Virginia’s Consumer Data Protection Act (CDPA), which makes compliance with all three of the statutes a juggle between numerous moving parts.
The CPA creates rights similar to those found in the CCPA and CPRA, including the right to access, delete and correct personal data. In addition, citizens can opt out of the processing of personal information for specific purposes and have been granted a right to data portability. The CPA does benefit from the fact that it does not include a private right of action and can be enforced only by the attorney general. This foresight is important to prevent privacy law from eroding into a contest between predatory personal injury lawyers.
Additionally, the CPA has the foresight to define “consumer” so that it explicitly excludes individuals acting as a job applicant, as a beneficiary of someone acting in the employment context, or in the employment context itself. This comes from the wise recognition that these privacy statutes are designed for consumers and therefore are ill-equipped to deal with the nuances of privacy in the employment context.
Employee data under the CPRA is exempt only until 2023, and how employee data should be handled after that will be a significant issue for the California Legislature to resolve.
But notable distinctions do exist, and these distinctions will create operational, compliance, and judicial differences that will make it challenging for businesses to do business across state lines.
For example, one of the most important definitions in the Colorado statute is the definition of “personal data,” which differs from the definition of “personal information” in California. This distinction is important because unlike the CCPA and CPRA, the CPA definition does not include specific categories of information regulated as personal information.
Colorado legislators instead opted to align themselves with Virginia’s statute to make the term as broad as possible, applying to information that is linked or reasonably linkable to an identified or identifiable individual.
Thus, a business complying with California’s privacy laws cannot rely on basic principles of privacy to ensure compliance across states, but must take a surgical approach to ensuring its compliance processes do not conflict on a state-by-state basis.
Federal Fix Elusive
As for a federal fix to this growing patchwork of differing privacy laws, none appears to be in sight. Certainly, a federal law that occupies this space would preempt state legislatures from making these decisions on a state-by-state basis, and businesses and consumers alike would benefit from consistency across the board.
However, aside from the Uniform Law Commission’s purely academic foray into drafting model legislation, which is notably not inclusive of all viewpoints, there really does not appear to be a federal effort to harmonize privacy law in the United States or update the privacy legislation that has existed since before the dawn of the internet.
Until that happens, businesses will be left playing catch-up with the whims of state legislators, which vary from region to region.