Compliance

Please note that the following content is for informational purposes only and should not be construed as legal advice or an establishment of an attorney-client relationship. The information provided is not exhaustive and does not cover all relevant issues and requirements pertaining to the discussed topics. Should you have any inquiries regarding these matters, it is recommended that you consult with your legal counsel.

Preamble. The utilization of presently existing technology, otherwise referred to as “Technology,” enables businesses to procure email addresses of website visitors who choose not to disclose such information to the website proprietor. This summary will address select legal considerations associated with the usage of said Technology.

CAN-SPAM Law
Email Harvesting. The CAN-SPAM Law prohibits email harvesting, which is essentially the automated collection of email addresses from a website that contains a notice indicating the website operator’s intention not to give, trade, or transfer the email addresses maintained by the site to enable others to email those addresses.

Therefore, the Technology, if obtaining email addresses from a website that disallows email harvesting, must not accumulate or furnish contact details to its Technology users.

Opt-Out – Not Opt-In. While certain jurisdictions (such as the European Union and Canada) require an affirmative opt-in procedure before promotional or commercial emails may be sent, the United States has been an opt-out jurisdiction since the enactment of the CAN-SPAM Law. As such, marketing emails may be sent to recipients until they have opted out of receiving emails from the sender.

Subsequently, the Technology user may send emails to email addresses obtained through the Technology, provided the recipient has not already opted-out of receiving promotional emails from the Technology user / sender.
Incorporating an unsubscribe link or any alternative opt-out mechanism in all promotional emails should be a priority for the sender of marketing emails procured using the Technology, and all opt-outs should be acted upon in a timely manner.
Other compliance strategies for CAN-SPAM include the following:

Do not use false or misleading header information. Your “From,” “To,” and “Reply-To” data, in addition to routing information – such as the email address and originating domain name – must be truthful and reveal the person or company that initiated the message.

Avoid misleading subject lines; the subject line should accurately represent the message’s contents.
Identify your message as an advertisement, though the law permits flexibility in how you accomplish this. Disclosure must be clear and readily identifiable.

Your physical postal address must be included in the message. This can be achieved by using your current street address, a post office box registered with the U.S. Postal Service, or a private mailbox registered with a commercial mail receiving agency authorized by Postal Service regulations.

Maintain vigilance over anyone acting on your behalf. The law explicitly states that even when hiring another firm to administer your email marketing, you cannot relinquish your legal obligation to adhere to the law. Both the corporation whose merchandise is being advertised in the message and the company disseminating the message may be held legally liable.

OPT-OUT AND COMPLYING WITH THE CAN-SPAM ACT

Disclaimer. This summary is intended solely for informational purposes and is not intended to constitute legal advice or to create an attorney-client relationship. If you have questions about complying with the CAN-SPAM Act you should contact your legal counsel.

Introduction. The CAN-SPAM Act of 2003 establishes the criteria companies must adhere to when sending commercial emails. Under the Act, commercial emails are those whose primary purpose is to promote a commercial product or service or an advertisement, including content presented on a website. A “transactional or relationship message” that updates customers within an existing business relationship or facilitates an agreed-upon transaction may not contain false or misleading routing data, but is otherwise exempt from most sections of the Act. Violating the Act may expose the company to criminal liability and civil penalties. B2B emails and consumer emails are equally subject to the Act.

Commercial Emails v. Transactional or Relationship Emails. The CAN-SPAM Act includes different requirements and regulations for “commercial” and “transactional or relationship” emails. If the email’s primary objective is advertising or promoting a commercial good/service (including the contents of a website operating for commercial purposes), these emails qualify under the category of “commercial.” In contrast, the messages used to facilitate a commercial transaction that a recipient has agreed upon or to provide any information regarding previously purchased services or products, such as warranty or recall information or account balances, come under the classification of “transactional or relationship.” The majority of the requirements and prohibitions apply specifically to commercial messages, but both transactional/relationship and commercial emails should not contain misleading or false routing information.

Prior Consent / Opt-In Not Required. Opt-Out Mechanisms and Procedures. The CAN-SPAM Act states that commercial emails may be sent without requiring prior express opt-in or consent. However, businesses must refrain from sending marketing emails to recipients who have opted-out or unsubscribed from receiving commercial emails previously.
Opt-Out Rather than Opt-In. Unlike certain non-US jurisdictions, such as Canada and the European Union, that require opt-in before promotional or commercial emails may be sent, the US has operated an opt-out system since the CAN-SPAM Act’s inception. As a result, businesses can send marketing emails to recipients unless they have opted out of receiving such communications from the sender.

Section 7704(a)(3) of the Act mandates all marketing messages to include an opt-out or unsubscribe mechanism.

(3) Including a Return Address or Similar Function in Commercial Electronic Mail

(A) It is unlawful for any individual to send a commercial electronic message to a protected computer without including a functional return electronic mail address or another suitable Internet-based mechanism that is clearly and prominently presented. The following criteria must be met:
(i) The recipient can utilize the method listed in the message to submit a reply electronic mail message or another form of Internet-based communication requesting to stop receiving commercial electronic mail messages from the sender at the electronic mail address where the message was delivered.
(ii) The mechanism must remain capable of receiving such messages or communications for no less than thirty days after the transmission of the original message.

Section 7704(a)(4) of the Act states the opt out requirements:

(4) Prohibition of transmission of commercial electronic mail after objection

(A) IN GENERAL, if a recipient makes a request using a mechanism provided pursuant to paragraph (3) not to receive some or any commercial electronic mail messages from such sender, then it is unlawful:
(i) for the sender to initiate the transmission to the recipient, more than 10 business days after the receipt of such request, of a commercial electronic mail message that falls within the scope of the request;
(ii) for any person acting on behalf of the sender to initiate the transmission to the recipient, more than 10 business days after the receipt of such request, of a commercial electronic mail message with actual knowledge, or knowledge fairly implied on the basis of objective circumstances, that such message falls within the scope of the request;
(iii) for any person acting on behalf of the sender to assist in initiating the transmission to the recipient, through the provision or selection of addresses to which the message will be sent, of a commercial electronic mail message with actual knowledge, or knowledge fairly implied on the basis of objective circumstances, that such message would violate clause (i) or (ii); or
(iv) for the sender, or any other person who knows that the recipient, has made such a request, to sell, lease, exchange, or otherwise transfer or release the electronic mail address of the recipient (including through any transaction or other transfer involving mailing lists bearing the electronic mail address of the recipient) for any purpose other than compliance with this Act or other provision of law.
_______

Thus, the Act does not contain any requirements or reference to opting-in to receive marketing email messages. As the Federal Trade Commission has stated in public guidance[2],

Here are the main CAN-SPAM requirements you need to know:

1. Avoid using fraudulent or mistaken header information. Ensure that the “From,” “To,” “Reply-To,” and routing details, along with the originating domain name and email address, are correct and correctly identify the person or company that initiated the email.
2. Avoid using misleading subject lines. Make sure that the email’s subject line accurately portrays the content of the email.
3. Identify the email as an advertisement. You have a lot of versatility in how you do this, but you must clearly and prominently disclose that your email is an advertisement.
4. Let recipients know where you’re situated. Your email must provide your genuine physical mailing address. This could be your current street address, a post office box registered with the U.S. Postal Service, or a private mailbox registered with a commercial mail receiving business established under Postal Service standards.
5. Let recipients know how to unsubscribe from future emails. Your email must include a clear and prominent description of how recipients may opt-out from future emails. Create the message in a manner that’s easy for an average person to recognize, read, and comprehend. The use of different types, colors, and placement can help with clarity. You should provide a return email address or another user-friendly, web-based method for users to convey their preferences to you. You may generate a menu that allows recipients to unsubscribe from specific types of messages, but there should be an option to cease the delivery of all commercial emails from you. Ensure that your spam filter does not block these opt-out notices.
6. Promptly adhere to opt-out requests. Any opt-out mechanism that you provide must be able to handle opt-out requests for at least 30 days after transmitting your message. You must honor a recipient’s opt-out request within ten business days. You cannot impose a fee, mandate that the recipient submit any personally identifiable information aside from an email address, or require the recipient to take any measures other than responding through email or visiting a single web page as a prerequisite for abiding by an opt-out request. Once individuals inform you that they do not want to receive further emails from you, you may not sell or transfer their email addresses, even by way of a mailing list. The only exception is transferring the addresses to a company you have enlisted to assist you with complying with the CAN-SPAM Act.
7. Monitor the actions of others acting on your behalf. The legislation clearly states that even if you employ another company to manage your email marketing, you cannot relinquish your legal responsibility to adhere to the law. The company whose product was marketed in the message and the company that transmitted the email message can both be held legally accountable.

As required by the Act, the FTC recently reviewed the law and accepted public comments in order to determine whether the law was still appropriate as written. 

On February 12, 2019, the FTC confirmed:
(B) The Act does not require that recipients affirmatively consent or opt-in to receiving commercial emails. Rather, each email must contain a clear and conspicuous notice that the recipient can opt-out of receiving more commercial email from the sender.
(C) Commercial emails must contain a return email address or another Internet-based response mechanism that allows the recipient to indicate it does not want future email messages to that email address. It is permissible to create a “menu” of choices to allow a recipient to opt-out of certain types of messages, but the email must include the option to end any and all commercial messages from the sender.
(D) The return email address / opt-out mechanism must be able to process opt-out requests for at least thirty (30) days after the commercial email is sent. When a sender receives an opt-out request, the sender must honor and stop sending email to the requestor’s email address no later than ten (10) business days after receipt of the request. A sender cannot help another entity send email to that address, or have another entity send email on the sender’s behalf to that address. It is also a violation of the Act to sell or transfer the email addresses of people who choose not to receive commercial email, even in the form of a mailing list, unless the sender transfers the addresses so another entity can comply with the law.
(E) The sender cannot require a recipient to pay a fee, provide information other than the person’s email address and opt-out preferences, or take steps other than sending a reply email or visiting a single Web page, as a condition of receiving or honoring opt-out requests.
Identification of Commercial Email as an Advertisement. Commercial emails must be clearly and conspicuously identified as an advertisement or solicitation. The email should state at the beginning of the message (there does not have to be ADV or similar identification in the subject line) that it is an advertisement from the sender, and generally describe the products or services being advertised. If the recipient previously provided consent to receive commercial emails from the sender (e.g., through an opt-in process), then the email does not have to be conspicuously identified as an advertisement.

Message Routing / Header Information Cannot Contain False or Misleading Information.
The “From,” “To,” and routing information on a commercial email – including the originating domain name and email address – must be accurate and identify the person who initiated the email. As noted above, this applies to commercial as well as transactional / relationship emails.

Subject Lines May Not Be Deceptive.
The subject line should be clear, truthful and accurate, and cannot be misleading to the recipient about the content or subject matter of the message.
Identification of Postal Address.
A commercial email must include the sender’s valid physical postal address, which can be a post office box or private mailbox.

Multiple Senders / Advertisers.
In the event two or more advertisers wish to send an email including content on behalf of each advertiser (e.g., a joint-marketing arrangement), the advertisers must designate one of them as the sender that must honor opt-out requests and satisfy the other statutory obligations. That sender must be the only person identified in the “from” line of the email and must comply with all requirements under the Act. Even though there is one sender, all other advertisers remain responsible for compliance under the Act. Accordingly, each advertiser should carefully review and assess the compliance of the joint email, investigate the reputation of the sender, and take appropriate steps to ensure the sender’s compliance with the Act, including honoring all opt-out requests.

No Sexually-Explicit Material.
The email should not include sexually-explicit material. The Act provides additional requirements for labeling, disclaimers and presentation of emails with sexually-explicit content.

No Harvesting or Automatic Email Generation.
Senders should not use automated means to gather or “harvest” email addresses from third-party websites whose terms prohibit such collection, or randomly generate possible email addresses.

______________________________________

CALIFORNIA PRIVACY LAWS

California Privacy Rights Act (CPRA) amending the California Consumer Privacy Act (CCPA)

The CPRA, a ballot initiative passed by voters in November 2020, amends the CCPA and renames the CCPA to the CPRA. The CPRA includes additional privacy protections for consumers as discussed below.

Opt-Out of Personal Information Sharing for Targeted Advertising.
The CPRA extends the consumer’s right to opt-out of sales to include opting-out of the sharing of personal information for targeted advertising, also known as “cross-contextual behavioral advertising.” This applies whether or not the information is shared for consideration. The CPRA’s opt-out model for the sale or sharing of personal information does not apply to children under the age of 16: children aged 13-16 must provide opt-in consent for the sale of their personal information, and owners of websites that collect, use, sell, or share personal information of children under 13 must obtain verifiable parental opt-in consent.

The CPRA does not explicitly prohibit the sharing of personal information. However, if a company shares personal information for targeted advertising, it must inform the consumer and provide them with at least two ways to opt-out of the sharing of personal information for targeted advertising. One of the methods must be an interactive webform for opt-out requests. If Technology is used to obtain email addresses and send emails to them, it is considered sharing under the CPRA and requires notice and the ability to opt-out.

There are only a few exceptions where sharing personal information does not trigger the opt-out requirements. This includes instances such as a Technology user specifying intentional disclosure of personal information to one or more third parties.

If the Technology user allows the Technology provider or any other third party to use personal information outside of providing services to the Technology user, they must comply with the notice and opt-out requirements under the CPRA regarding the sharing of personal information for targeted advertising.

CPRA Notice. A primary obligation under the CPRA is the requirement to offer a privacy policy or notice and a “Do Not Share or Sell My Personal Information” option to website visitors as per the CPRA requirements. The many notice requirements mandated by the CPRA are beyond the scope of this summary. In general, with respect to the Technology, a notice must be given to website visitors when the website owner collects personal information that identifies them or can reasonably be used to identify them, stating the reasons for collecting, selling, or sharing personal information and the categories of third parties that receive the personal information.

On the homepage of the website, Technology-users should provide a visible and easily accessible link titled “Do Not Share or Sell My Personal Information” that allows visitors to opt-out of the sharing of their personal information. In the CPRA privacy notice, Technology-users should explain, among other things, that the website owner utilizes tracking technology to gather identifiable information about visitors, such as an email address or hashed email address. They should also describe how they use the information and share it with third parties, such as the Technology provider, to identify the email addresses of visitors. Specifics may differ depending on the website’s nature and the particular Technology employed.

Vendor Agreements. Under the CPRA, depending on the business arrangement type between the parties, specific language is required in the business agreements.

Sale of Personal Information. Although the CPRA does not explicitly ban the sale of personal information, the newly defined term “sharing” widely encompasses targeted advertising. The implication of the distinct definition of sharing indicates that such activities may no longer qualify as sales under the CPRA.

Opt-out of Profiling and Automated Decision Making. The CPRA does not elaborate on this subject. However, the CPRA grants the Attorney General or the newly created governing body, the California Privacy Protection Agency, the power to create additional regulations governing access and opt-out rights regarding automated decision-making technology, including profiling.

The CPRA, a ballot initiative passed by voters in November 2020, amends the CCPA and renames the law. Frequently asked questions relating to the CPRA are discussed below.

Who is covered by the CPRA?
The CPRA applies to for-profit entities that collect and sell consumer personal information, with a few exceptions discussed below. To trigger the application of the law, a company must meet one or more of the following conditions:

Has more than $25 million in yearly revenue (not restricted to income generated in or from California);
Annually buys, sells, or shares personal information of 100,000 or more California consumers or households; or
Earns more than half of its annual income by selling or sharing consumers’ personal data.

The CPRA has only two entity exemptions:

Non-profit organizations and
Healthcare providers and insurers already governed by HIPAA.

Limited exemptions are available for the following types of information and businesses:
Banks and financial companies covered by Gramm-Leach-Bliley and
Credit reporting agencies, such as Equifax and TransUnion, governed by the Fair Credit Reporting Act.

What if we don’t operate or have any bases in California?
If you gather personal data from California residents while they are in California, you are likely conducting business in California. Therefore, the CPRA would apply to you if your company meets any of the applicability conditions mentioned earlier.

What constitutes “personal information” according to the CPRA?
The CPRA defines personal information broadly, encompassing information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. However, the CPRA’s private right of action provision regarding data breaches adopts a narrower interpretation of personal information (discussed below).

Additionally, the law features a non-exhaustive enumeration of categories of personal information, including:

Identifiers such as real name, alias, postal address, unique personal identifier, online identifier, internet protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or related identifiers;
Personal information classified in other California statutes like signature, physical characteristics or description, telephone number, state ID number, education, employment, employment history;
Characteristics of protected classifications under California or federal law;
Commercial information, including records of personal property, products, or services purchased, obtained, or evaluated, or other purchasing or consuming histories or inclinations;
Biometric information;
Internet or other electronic network activity data, including browsing history, search history, and data regarding a consumer’s engagement with an internet website, application, or advertisement;
Geolocation information;
Audio, electronic, visual, thermal, olfactory, or similar data;
Professional or employment-related information; and
Education information, defined as non-public PII as defined in the Family Educational Rights and Privacy Act (FERPA).

The definition also covers inferences derived from personal information used to create a profile about a consumer.

Would the CPRA be applicable to protected health information governed by HIPAA and other health-related data?
PHI regulated by HIPAA and medical information under California’s Medical Information Act (CMIA) are not considered personal information. Additionally, the CPRA offers an exemption to an organization that “maintains patient information in the same manner” as PHI under HIPAA. Therefore, PHI or medical data under the CMIA could potentially be excluded.

Would the CPRA be applicable to personnel information of employees (or independent contractors)?
Employee (including independent contractor) data falls outside most CPRA provisions until January 1, 2023. Nonetheless, employers are required to provide employees with a brief privacy notice explaining the type of personal data gathered, its purposes, and a general description of whom it is revealed to (e.g., service providers).

What are the consumer rights under the CPRA?
The new consumer rights provided by the CPRA are similar to the ones established by the EU’s General Data Protection Regulation. The CPRA offers California residents the right to request that a business:

Reveal the types and specific pieces of personal information it has collected.
Disclose the categories of origin from which personal information is obtained.
Reveal the purpose for collecting, selling, or sharing personal information.
Reveal the categories of third parties with which personal information is shared.
Access, retrieve, correct, or delete personal data collected from a consumer, subject to specific exceptions.
Abstain from utilizing automated decision-making and profiling to profile a consumer’s personal qualities and predict their performance at work, financial situation, health, preferences, interests, reliability, behavior, location, or movements.
Refrain from “selling” or “sharing” consumer personal data if the consumer opts-out (the “do not sell or share my personal information” opt-out).
Restrict the usage of sensitive personal information, which includes personal data that discloses a consumer’s social security number or other government-issued ID number, their account log-in or financial information with any necessary security credentials, their “precise” location (within 1850 feet), their health, sex life, or sexual orientation, their racial or ethnic origin, religious or philosophical beliefs, or union membership, their genetic data, and the contents of their mail, email, or text message (unless specifically intended for the company).

Is it necessary to update our privacy policies, and if so, what should they entail?
Most likely, if the law applies to you. The CPRA introduced several new required disclosures that need to be included in a privacy policy or notice. In addition to the information mandated by existing California laws or provided under California’s “Shine the Light” law, online privacy policies must contain:

Details about the consumer’s rights under the CPRA.
A summary of the categories of personal information collected by the business over the last 12 months.
The commercial and business purposes for which personal information is gathered.
The categories of personal information sold or disclosed for business purposes in the previous 12 months.
The purposes for which, and the parties with whom, personal information is shared.
If the company sells or shares personal information, a link to a web-based opt-out option for “Do Not Sell or Share My Personal Information.”
An explanation of any financial incentives for supplying data or not exercising rights (e.g., if a company provides a 15% discount to customers who provide their email address for marketing purposes, this incentive must be stated in the privacy policy).

Regarding the “do not sell” opt-out, what entails “selling” personal data?
According to the CPRA, “selling” personal information is broadly defined and includes “selling, renting, disclosing, disseminating, making accessible, transferring, or otherwise communicating orally, in writing, or by electronic or other means” a customer’s personal information to another business or third party “for monetary or other valuable consideration.”

Under this broad definition, a “sale” may have occurred even if no direct payment was made for the data, so long as personal information was provided as part of a broader business relationship. Furthermore, “selling” personal information could also cover a website’s sharing of such data with third-party ad networks through cookies.

What actions would NOT be classified as a “sale” of personal information?
The legislation provides a non-exhaustive collection of instances that would not be viewed as a sale of personal information:

– When a consumer voluntarily discloses personal information to a third party or directs the business to do so intentionally. An “intentional” interaction occurs when the consumer intends to communicate with the third party via specific deliberate measures; hovering over or closing a piece of content would not qualify as a “deliberate action.”
– When a business shares a consumer identifier to notify a third party of a consumer’s opt-out decision.
– When personal information is shared with a third party for a “business purpose” (as explained below), and the business provides notification of such sharing and the opt-out right (as described below), and the third party does not further collect, sell or use the personal information, except as required for performing the business purpose.

– When the personal information is an asset that is part of a merger, acquisition, bankruptcy, or another transaction in which a third party takes over all or part of the business, as long as the business complies with the CPRA’s disclosures regarding the information gathered or sold. If the acquirer plans to use or disclose the personal information in a manner materially inconsistent with the promises made at the time of collection, it must inform the consumer beforehand of the new practices and provide “prominent and robust” notice so that the consumer can choose to opt-out. It should be noted that the CPRA also cautions businesses that material and retroactive privacy policy changes must not breach California’s Unfair Competition Law, a provision seemingly designed to address businesses that wish to make substantial changes to their privacy policy before a potential transaction.

Regarding the “do not share” opt-out, what constitutes the “sharing” of personal information for “cross-context behavioral advertising?”
Under the CPRA, “sharing” of personal information encompasses a broad definition, including “sharing, renting, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.”

“Cross-context behavioral advertising” refers to directing advertisements towards a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, separate-branded websites, applications, or services other than the business, separate-branded website, application, or service with which the consumer intentionally interacts.

This new definition of “sharing” implies that the disclosure of personal information (including unique identifiers in cookies) for targeted advertising purposes, with or without compensation, will be subject to a consumer’s right to opt-out of such a disclosure.

What actions would NOT be classified as “sharing” personal information?
The CPRA provides a few limited exemptions from “sharing” personal information, including:

– When a consumer voluntarily discloses personal information to a third party or intentionally interacts with one or more third parties. An “intentional” interaction occurs when the consumer intends to communicate with the third party via specific deliberate measures; hovering over or closing a piece of content would not qualify as a “deliberate action.”
– When a business shares a consumer identifier to inform a third party of a consumer’s opt-out decision.
– When the personal information is an asset that is part of a merger, acquisition, bankruptcy, or another transaction in which a third party takes over all or part of the business, as long as the business complies with the CPRA’s disclosure requirements regarding the information collected or shared (discussed above). If the acquirer intends to modify how the personal information will be used or shared in a materially misaligned manner with the promises made at the time of collection, it must inform the consumer beforehand of the new practices and incorporate “prominent and robust” notice so that the consumer can choose to opt-out. It should be noted that the CPRA also cautions businesses that material and retroactive privacy policy shifts must not breach California’s Unfair Competition Law—a declaration seemingly designed to address businesses that wish to make substantial changes to privacy policy before a potential agreement.

_____________________________________

COLORADO PRIVACY LAWS

Colorado Privacy Act (“CPA”)

On July 7, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act (“CPA”) into law. The law is likely subject to significant changes both before and after it goes into effect on July 1, 2023.

The CPA applies to businesses that intentionally target Colorado consumers and that collect and store data on at least 100,000 consumers or earn revenue from selling data of at least 25,000 consumers. Notably absent is any revenue threshold.

Here are the main takeaways from the text:

– The CPA excludes certain types of personal data, including information related to employment records, job applications, data governed by specific federal or state laws like GLBA, and data available in public records.
– Consumers gain five important rights under the CPA: the right of access, right to opt out, right to correct, right to delete, and right to data portability. Consumers also have the right to appeal.
– Businesses are subject to new obligations, including a duty of transparency, a duty to avoid secondary use, a duty of data minimization, a duty of care regarding data security, and a duty to obtain consent before processing a consumer’s sensitive data.
– The CPA is enforced by the attorney general and district attorneys. There is no private right of action.
– The law takes effect on July 1, 2023.
– The Governor of Colorado has made an amendment request to the legislature, which may significantly change the obligations and requirements of the CPA.

Applicability and Exemptions

The CPA, as it currently stands, pertains to any business (a “controller”) that “conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado,” and satisfies either one or both of these conditions:

– The controller processes or controls the personal data of at least 100,000 Colorado consumers annually, which is higher than the CCPA’s threshold but identical to the Virginia CDPA’s. It is the same threshold as the CPRA recently enacted in California.
– The controller processes or controls the personal data of at least 25,000 Colorado consumers annually and earns revenue or receives a discount from the sale of personal data. The CPA uses an expansive definition of “sale” as the “exchange of personal data for monetary or other valuable consideration by a controller to a third party.” Unlike the CCPA and the Virginia CDPA, the CPA has no percentage-of-revenue threshold, so any revenue or discount obtained from the sale of personal data may be sufficient, even if it is modest. Assuming this threshold survives any amendments, its application is likely to be a contentious subject of litigation once the law becomes effective.

At present, the CPA applies only to information about consumers, defined as Colorado residents acting solely in an individual or household context. It does not extend to information about individuals acting in a commercial or employment context (including as a job applicant, or as a beneficiary of another individual acting in the employment context). In contrast, employment and business-to-business information will be subject to California’s CPRA once the temporary exemptions for these types of data expire on January 1, 2023, unless the temporary exemptions are extended or another law is enacted to account for this data.

The law governs a controller’s processing of “personal data,” which the CPA defines as “information that is linked or reasonably linkable to an identified or identifiable individual.” The definition explicitly excludes de-identified information and publicly available information. “Publicly available information” is a broader exclusion than the one found in laws such as the CPRA: it covers not only information lawfully made available from government records, but also information that the controller has a reasonable basis to believe the consumer has lawfully made available to the general public. This probably covers information posted to social media, but it is uncertain whether data posted on social media to a limited audience will be regarded as publicly available.

Consumer Rights
The CPA provides Colorado consumers with the following rights regarding their personal data:

– Right of access: Consumers can verify whether a business is processing their personal data and access such data.
– Right to opt out: Consumers have the option to opt out of having their personal data processed for targeted advertising, the sale of personal data, or profiling that may have significant repercussions for them.
– Right to correction: Consumers can have inaccuracies in their personal data corrected. However, the nature and aims of the processing of the consumer’s personal data should be taken into account.
– Right to deletion: Consumers can have their personal data deleted.
– Right to data portability: Consumers can obtain their personal data in a portable format two times per year. The data should be in a readily usable format, allowing consumers to transfer their data to another entity without encountering any impediments, to the extent technologically feasible.
– Right to appeal: Businesses must respond to consumer requests under the CPA within 45 days of receipt, which can be extended by an additional 45 days if necessary. If the business decides against taking action on the consumer’s request, the consumer must be informed about the appeal process, which should be easy to use and readily available.

The CPA sets forth several additional obligations that controllers must comply with, in addition to ensuring that consumers can exercise their rights. These obligations include:

– Transparency: Controllers must provide consumers with a clear, easily accessible, and informative privacy notice that contains information such as (a) the categories of personal data that the business collects or processes, (b) the reasons for processing the personal data, (c) a description of the consumer rights explained above, including how consumers can exercise them, (d) the categories of personal data shared with third parties, and (e) the categories of third parties that receive the personal data.
– Data Minimization: Controllers must limit the collection of personal data to that which is reasonably necessary for the intended purpose of data processing.
– Purpose Limitation: Controllers must unambiguously disclose the explicit purposes for which personal data is collected and processed. Before using personal data for purposes other than those already disclosed, controllers must first obtain the consumer’s consent.
– Duty of Care: Controllers must take reasonable measures to protect personal data against unauthorized access during storage and use. The data security measures must be commensurate with the nature of the business and the amount and type of data processed.
– Non-discrimination: Controllers are not allowed to process personal data in a manner that violates federal or state laws prohibiting unlawful discrimination against consumers.
– Consent for Processing Sensitive Data: Controllers must first obtain consent prior to processing a consumer’s sensitive data. If the business intends to process sensitive data of a minor, it must first obtain consent from the minor’s parent or legal guardian. Sensitive data includes personal information that reveals an individual’s race or ethnicity, religious beliefs, a mental or physical health condition or diagnosis, or information about their sexual orientation or sex life.

The CPA imposes a few additional obligations on controllers, as follows:

– Sales of Personal Data: Controllers must inform consumers clearly and conspicuously about any sale of personal information or processing of personal data for targeted advertising, and must give them a chance to opt-out of such activities.
– Data Protection Assessments for High-Risk Processing: Controllers must carry out and document a data protection assessment if their processing activities are likely to pose a heightened risk of harm to consumers. Such activities may include processing sensitive data, selling personal data, and engaging in targeted advertising or profiling that presents certain foreseeable risks.

Processors, who process personal data on behalf of controllers, also have obligations under the CPA. They must comply with the controller’s instructions and assist the controller in fulfilling its obligations under the CPA, such as responding to consumer requests, maintaining security, and providing the information needed for data protection assessments. Controllers and processors must sign a written agreement with terms and conditions similar to those required by the GDPR, which:

– States the purpose, duration, and types of personal data processing;
– Imposes a duty of confidentiality on all processing personnel;
– Prohibits the processor from using any subprocessors without a similar contract, and makes the processor responsible for any subprocessors;
– Clearly specifies the allocation of responsibility for security measures;
– Requires the processor to either delete or return the personal data, unless retention is mandated by law;
– Permits the controller or a third-party auditor to carry out reasonable audits and inspections, and with the controller’s approval, allows the processor to engage an independent auditor to assess its policies and security measures against an appropriate control standard or framework; and
– Obliges the processor to provide all necessary data to the controller to demonstrate compliance.

_________________________________________________

VIRGINIA PRIVACY LAWS

Virginia’s governor signed the Consumer Data Protection Act (CDPA) into law on March 2, 2021. The CDPA incorporates certain features of both the newly-enacted California Privacy Rights Act (CPRA), which amends the California Consumer Protection Act of 2018 (CCPA), and the European General Data Protection Regulation (GDPR). Even businesses that already comply with the CCPA and/or GDPR will have to make some adjustments to adhere to the CDPA, because it differs from those laws in several respects.

The CDPA grants consumers extensive rights to access, modify, erase, and opt-out of specific processing of their personal data, prohibits discrimination, and lets them appeal a business’s denial of a consumer right. Sensitive data necessitates opt-in consent. The CDPA comes into effect on January 1, 2023. Controllers and Processors, as explained below, will need to make changes to their procedures, policies, and operations to meet CDPA’s new criteria. There is no private right of action, but the CDPA allows statutory penalties after a 30-day remediation period.

Scope of the CDPA:

The CDPA defines personal data broadly as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” The CDPA defines “consumer” more narrowly than the CCPA does: a consumer is an individual who is a Virginia resident “acting only in an individual or household context” and “does not include a natural person acting in a commercial or employment context.” This means that data obtained in a business-to-business (B2B) context and employee information are not subject to the CDPA.

Thresholds:

Like the CCPA, the CDPA applies only to businesses that meet certain thresholds (each a “Controller”). The CDPA applies only to businesses that:

– Control or process the personal data of 100,000 or more consumers; or
– Control or process the personal data of 25,000 or more consumers and derive more than 50% of their revenue from selling personal data.

Since the CDPA’s definition of “consumer” is restricted to Virginia residents, and there is no general revenue trigger like the CCPA’s (which obliges businesses with annual revenue of over $25 million to comply), the CDPA has a considerably narrower scope than the CCPA. As a result, fewer small and mid-size businesses will be affected by the CDPA. Nevertheless, sectors that rely on selling personal information will be subject to the CDPA regardless of the organization’s size.

Excluded Organizations:

The CDPA does not apply to certain entities, including governmental organizations, non-profits, entities subject to the Health Insurance Portability and Accountability Act (HIPAA) (such as covered entities and business associates), financial entities subject to the Gramm-Leach-Bliley Act (GLBA), and higher education institutions.

Excluded Information:

The CDPA, like other privacy laws, excludes certain information, including employee data, as well as data subject to the GLBA, HIPAA, the Family Educational Rights and Privacy Act, and the Fair Credit Reporting Act.

Definition of “Sale”:

Both the CDPA and CCPA clarify what constitutes data selling and necessitate that consumers be given the option to opt-out. The CDPA interprets a sale much more narrowly than the CCPA. The CDPA maintains that a sale only occurs when money is exchanged for data. In contrast, the CCPA considers any transmission of data in exchange for “any valuable consideration” as a sale. Consequently, the CDPA treats considerably fewer data exchanges as sales than the CCPA.

The CDPA entitles consumers to the following rights:

Right to Access and Obtain Personal Data: Consumers have the freedom to access and obtain a copy of their personal data in a portable format that is readily usable, to the extent technically feasible.

Right to Correct: Consumers are authorized to rectify discrepancies in their personal data.

Right to Delete: Consumers may request the deletion of any personal data collected about them.

Right to Opt-Out of Sales, Profiling and Targeted Advertising: Consumers have the right to opt-out of the sale of their personal data, profiling that results in legal or equivalent significant consequences, and the processing of their data for targeted advertising.

Right to Non-Discrimination: Controllers may not discriminate against customers who exercise their rights under the CDPA, such as denying services or goods, charging different rates, or providing various levels of quality for services and goods.

Right to Appeal: Consumers may appeal a Controller’s decision to deny a request to exercise a consumer right, or its refusal to take action on such a request.

Opt-In Rights to Processing of Sensitive Data: Controllers may not process specified sensitive data unless the consumer has explicitly opted in to the processing. Additionally, Controllers processing data from a child known to be under 13 years of age must comply with the Children’s Online Privacy Protection Act (COPPA), including its verifiable parental consent requirements. Sensitive data refers to data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, precise geolocation data, and the personal data of a child known to be under 13 years of age.

The CDPA introduces new requirements for Controllers:

Data Minimization: Controllers must curtail the collection of personal data to what is essential, relevant, and reasonably required for the disclosed purposes of data processing.

Use Limitations: Processing of personal information must be necessary and compatible with the disclosed purpose known to the consumer.

Employ Reasonable Security: Controllers must establish and maintain reasonable administrative, technical, and physical security measures appropriate to the volume and nature of the personal data.

Notice of Sales and Targeted Advertising: Controllers must openly and clearly disclose the sale of personal data and targeted advertising. Even though the CDPA does not specify how Controllers can comply with this regulation, a working group will provide recommendations and guidelines that may offer additional guidance.

Privacy Notice: Controllers will need to be substantially more transparent about their collection and use of personal information by offering notice to consumers (in their privacy policies) about their new rights under the CDPA.

Data Processing Agreements: Controllers will be required to establish contracts that govern the Processor’s (as discussed below) processing and utilization of personal data, which includes entering into specific terms.

Mandatory Data Protection Assessments: Controllers must perform data protection assessments for some personal data processed after the CDPA’s effective date, January 1, 2023. Be aware that this includes data collected before this date but processed on or later than January 1, 2023. Assessments are required for the following processing activities:

• Processing of personal data for targeted advertising
• Processing of personal data for specific profiling that has a foreseeable risk of any discrimination, financial, physical or reputational injury, intrusion on private life, or other significant harm to a consumer
• Sales of personal data
• Processing of sensitive data
• Processing of personal data that poses a higher risk of substantial harm to consumers

Under the CDPA, the Processor requirements are as follows:

The CDPA requires a Processor that processes data on behalf of a Controller to follow the Controller’s instructions and to assist the Controller in meeting its CDPA obligations.

Enforcement:

Unlike the CCPA, the CDPA provides no private right of action for any violation, and businesses are given a 30-day cure period to correct violations. If the Controller or Processor fails to cure the violation within that period, the Virginia Attorney General may impose a civil penalty of up to $7,500 per violation and recover reasonable expenses for investigation and prosecution.