Laws that protect consumer data privacy are becoming more widespread across the United States. As states continue to pass their own versions of these laws, there is also an initiative to control this at the federal level, like the comprehensive protections afforded under the European Union’s General Data Protection Regulation (GDPR).
Four states have passed extensive data privacy legislation that has some similarities in the protections that are covered, but they also contain some differences. The common elements among them include:
A brief summary of these individual state laws is noted below in the chronological order of their effective dates.
NOTE: This is intended to provide a general overview and should not be relied upon or construed as legal advice. Please refer to the linked legislation and consult with your legal team for compliance guidance.
Most companies are familiar with the California Consumer Privacy Act (CCPA), which was passed in 2018 and became effective in 2020, and employers should be preparing for the provisions under California Consumer Privacy Rights Act (CPRA) that expand these laws and pertains to employment-related data. The CPRA will be effective January 1, 2023.
Data Sharing - Perhaps most notably, the CPRA adds a new term: “sharing of personal information,” which it clearly defines as making this information available for advertising purposes based on consumer profiling and targeting. It does not relate to the disclosure of information to service providers and contractors for business purposes.
Sensitive Personal Information – This new category introduced by the CPRA includes nine additional categories of data and restricts the use of SPI for limited business purposes. SPI includes race, ethnicity, religion; sexual orientation; genetic data; precise geolocation data; private communications; and specified health information.
This state’s Consumer Data Protection Act (CDPA) also goes into effect on January 1, 2023. This law is similar to the CPRA and GDPR and prevents the sale of personal information while also protecting six privacy rights for Virginia consumers, including the right to access; right to rectification (or correction); right to deletion; right to data portability; right to object to data processing; and the right to be free from discrimination. At this time, Virginia’s law does exempt fourteen types of data, including both employer data and protected health information (PHI) covered under HIPAA, among others.
The Colorado Privacy Act (CPA) closely follows the California and Virginia laws and some adaptations from the GDPR. The CPA provides consumers the right to access, correct, and delete personal data and the right to opt out of the sale, as well as the collection and use of personal data. Like Virginia, the CPA does not apply to individuals in an employment or commercial context at this time. This law goes into effect on July 1, 2023.
Under Connecticut’s data privacy law, consumers are provided with five main rights, including the right to access; right to correct; right to delete; right to data probability; and the right to opt out. Specific employee and job applicant data are exempt under Connecticut’s law as it is currently written. The effective date is July 1, 2023.
The Utah Consumer Privacy Act is the last of these five state laws to be implemented next year, with an effective date of December 31, 2023, although we should anticipate more states to enact similar privacy laws. Utah’s CPA has a lot in common with these fellow state laws but is considered to be slightly less heavy-handed and only applies to information about consumers and not to employee or B2B (Business to Business) information.
Cadient can facilitate changes and support our clients in making necessary updates to address privacy laws.
Cadient added a Data Privacy Disclosure and Acknowledgement in 2020 with a link to our privacy policy that summarizes categories of personal information collected and notes the applicant’s rights relative to their data.
Keep these privacy laws on your radar and monitor for updates since they are constantly evolving, and additional states are expected to pass similar legislation. Be aware that there are other state privacy laws that impact employers’ activities and additional types of information, such as laws regulating the use of biometric identifiers, telephone marketing, and electronic monitoring of internet activity, location, and e-mail communications.
For more information, refer to these individual state laws and always consult with your legal team for guidance.
Want to learn more about common compliance issues and legislation? Start here: Compliance Resources