Legislative Updates

Employers Obligations Under State Consumer Data Protection Acts


Emptech's founder, Jeff Aleixo


Jeffrey Aleixo

State Consumer Data Protection Acts, Employers' Obligations, Data Protection Compliance

In light of the California Consumer Privacy Act (CCPA) passed in 2018, many states have either enhanced their privacy legislation or drafted new legislation related to consumer data protection. While some of these bills become laws, others were not as successful. 

At the time being, apart from the CCPA, the most comprehensive data privacy laws are the California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA), and Virginia’s Consumer Data Protection Act (VCDPA). Lastly, the Utah legislature recently passed the Utah Consumer Privacy Act (UCPA).

Comprehensive Consumer Data Protection Laws

Among the current state privacy laws, only the CCPA is currently in effect. The CPA, CPRA, and VCDPA will take effect in 2023. All these laws impose new obligations on employers and provide residents of these states with new rights regarding the collection and use of their personal information. 

CCPA, CPRA, CPA, and VCDPA have several provisions in common, such as the right to access and delete personal information and to opt-out of the sale of personal information, among others. Other provisions require commercial websites or online services to post a privacy policy that describes the types of personal information collected, what information is shared with third parties, and how consumers can request changes to certain information.

California Consumer Privacy Act

CCPA applies to California residents and allows them the right to request a business to disclose the categories and specific pieces of personal information collected as well as the source of that information and the business purpose for collecting the information. This law provides that consumers may request a business to delete personal information collected from them. It also provides that consumers have the right to opt out of a business’s sale of their personal information, while they may not discriminate against consumers who choose to do so.

California Consumer Privacy Rights Act 

CPRA expands the consumer data protection laws and permits consumers to: 

  • prevent businesses from sharing personal information;
  • correct inaccurate personal information; and 
  • limit businesses’ use of sensitive personal information, such as precise geolocation, race, ethnicity, religion, genetic data, private communications, sexual orientation, and specified health information. 

One of the major changes introduced by CPRA is the California Privacy Protection Agency, established to additionally enforce and implement consumer data protection laws and impose fines. CPRA also changes the criteria for which businesses must comply with laws, prohibits businesses’ retention of personal information for longer than reasonably necessary, and triples the maximum penalties for violations concerning consumers under age 16. 

Get an overview of similarities and differences between CCPA, CPRA, and GDPR to prepare for additional obligations and maintain compliance.

Colorado Privacy Act

CPA addresses consumers’ rights to privacy, and companies’ responsibility to protect personal data, and authorizes the Attorney General and district attorneys to take enforcement action for violations. It also defines various terms related to covered businesses, consumers, and data, including defining the term controller as the person or group of people who determine how data is used and processed. CPA will take effect on July 1, 2023.

Virginia’s Consumer Data Protection Act

CDPA expands consumer rights to access, correct, delete, and obtain a copy of personal data provided to or collected by a company, and to opt out of the processing of the personal data for purposes of targeted advertising, sale, or profiling of the personal data. The law outlines responsibilities and privacy protection standards for data controllers and processors and applies to businesses that conduct business in Virginia, or produce products or services that target Virginia residents, and 

  • during a calendar year, control or process personal data of at least 100,000 consumers, or
  • control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

CDPA does not apply to state or local governmental entities and contains exceptions for certain types of data and information governed by federal law. It provides that the Attorney General has exclusive authority to enforce violations of the law, and the Consumer Privacy Fund is created to support this effort. The effective date for CDPA is January 1, 2023. 

Another State with Consumer Data Protection Laws

On February 25, the Utah Senate passed the Utah Consumer Privacy Act (UCPA), and on March 2, it was passed by the Utah House. If the Governor signs the bill into law, Utah will become the fourth state to pass consumer privacy legislation.

In many ways, the UCPA is parallel to CCPA, but with broader exemptions. The UCPA applies to all data controllers or processors who conduct business in Utah or produce a product or service targeted toward consumers residing in Utah with annual revenue of $25,000,000 or more and either:

  • control or process personal data of 100,000 or more consumers annually; or
  • derive over 50% of their gross revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.

UCPA defines data sales as an exchange of personal data for monetary consideration only. This implies that the exchange of personal data for other valuable considerations does not constitute a sale. UCPA also does not consider disclosures of personal information to third parties a sale if the purpose is consistent with the consumer’s reasonable expectations. It provides Utah consumers with the right to data portability, and the right to opt-out of certain processing, as well as the right to opt-out of the sale of personal data. The bill does not allow consumers to opt out of profiling and does not require consumer consent before processing sensitive data. Instead, it states that controllers must notify consumers of sensitive data processing and allow them the opportunity to opt out.

UCPA grants enforcement authority to the Utah Attorney General but does not provide a private right of action. It also gives potential violators a chance to cure potential violations before enforcement can take place. If the governor signs the bill into law, it will go into effect as of December 31, 2023. 

Developments in the Other States

When it comes to state consumer data protection acts, employers should note that other states are ready to join California, Colorado, Virginia, and Utah. Proposals in Indiana, Iowa, Massachusetts, Ohio, and Wisconsin among others are moving through state legislatures. Taking this into consideration, it seems that even more attention will be given to privacy and data security in 2022.

While federal legislation that would establish a fair and workable national privacy framework in the United States is still missing, employers should take the necessary steps to ensure proper classification of personal data, deletion of unnecessary data, protection of all collected personal data, and continuous monitoring of stored data. Integrating proper software solutions can help employers prepare for the existing and new state consumer data protection acts, protect their organizations from potential penalties, and make minimal impact on their operations and bottom line.

Rely on advanced and easy-to-use technology to ensure compliance with data protection laws while preventing investigations and financially crippling fines.
The information contained within this document is general in nature and is not intended and should not be construed as legal, HR, or opinion by Emtpech. Please contact Emptech or another subject matter professional prior to acting on any information provided in this document. We recommend caution when contemplating acting on any information provided in this document as it may not be applicable or suitable for the specific viewer’s needs. Emptech assumes no obligation to update any viewer of any changes in law, rule, or regulation that could affect the information contained herein. Without express written permission from Emptech, no part of this document may be reproduced, retransmitted, or otherwise redistributed in any form or by any means, including, but not limited to photocopying, electronic, facsimile transmission, or using any other information storage and retrieval system.