States have been leading the way in imposing privacy requirements on businesses that have traditionally not had to worry about them. In 2018, arguably the most significant privacy development ever in the United States occurred with the passage of the California Consumer Privacy Act (CCPA), which applies to broad swaths of the nation’s largest economy. The CCPA applies to any entity doing business in California that meets one of the following thresholds:
• It has annual gross revenues in excess of $25 million;
• It annually buys, receives for its commercial purposes, sells, or shares for commercial purposes personal information relating to 50,000 or more consumers, households, or devices;
• It derives 50% or more of its annual revenue from selling personal information.
Other states are catching up with California. In 2023, Colorado, Connecticut, Virginia, and Utah all have similar laws coming into effect:
• The Virginia Consumer Data Protection Act, Va. Code Ann. §§ 59.1-571 et seq., will be effective January 1, 2023.
• The Colorado Privacy Act, Colo. Rev. Stat. §§ 6-1-1301 et seq., will be effective July 1, 2023.
• The Connecticut Data Privacy Act, Conn. Gen. Stat. Ann. § P.A. 22-15 et seq., will be effective July 1, 2023.
• The Utah Consumer Privacy Act, Utah Code Ann. §§ 13-61-101 et seq., will be effective December 31, 2023.
If that’s not enough, at the federal level, the Federal Trade Commission, the Consumer Financial Protection Bureau, and even Congress are now eager to get in on the fun. The FTC and CFPB and contemplating rulemakings on privacy, and with the negotiations around the American Data Privacy and Protection Act, Congress appears to be getting closer to a consensus on what future comprehensive privacy legislation may look like. The specifics have yet to take shape, but we expect that soon these rulemaking and legislative efforts will significantly change the legal landscape of privacy, again. And as the various regulators’ enforcement actions under these new laws develop, we are going to learn yet more about how regulators view your responsibilities.