Although the United States is at the forefront when it comes to innovation and technology, the same cannot be said when it comes to privacy and data protection, since state statutes focus solely on the commercialization of personal data from individuals. Due to its form of government, the US allows States to decide on the rules for the protection of personal data.
The most famous statute in force is undoubtedly the California Consumer Privacy Act (CCPA), which specifically regulates the commercialization of personal data from consumer citizens and residents of the State of California.
However, the CCPA is far from establishing a robust regulation, such as the GDPR, which has 6 legal bases, or the Brazilian GDPR, which has 10 legal bases. Legal basis, for the sole purpose of understanding, means conditions which regulations impose to the controller (the party processing personal data) so that they can process personal data from an individual, such as the individual's consent, a legal obligation, or the legitimate interest by the controller, among others. On the other hand, the question of law enforceability, especially in Brazil, has proved to be a problem due to the amount of subterfuge and resources provided by law.
Indeed, the CCPA has no statutory bases. It merely ensures certain rights to the data subject, such as (i) know what personal data is being collected about them, (ii) know whether their personal data is sold or disclosed and to whom, (iii) say no to the sale of personal data, (iv) access their personal data, (v) request a business to delete any personal information about a consumer collected from that consumer, and (vi) not be discriminated against for exercising their privacy rights.
However, there were news from Uncle Sam in 2021. The States of Virginia and Colorado have enacted privacy acts, which will be discussed below.
1.1. VIRGINIA – CONSUMER DATA PROTECTION ACT
The Consumer Data Protection Act (CDPA) was instituted by the Virginia State Governor on March 2, 2021 and affects controllers (organizations) that (a) conduct business in Virginia or provide products or services to Virginia residents and (b1) control or process the personal data of at least 100,000 consumers during one year or (b2) control or process the personal data of at least 25,000 consumers and over 50% of business’s gross revenue derives from selling personal data. Therefore, those with even a general understanding of the data protection act in force in California (CCPA) know that this Virginia act follows the same path, despite the lack of a revenue limit imposing such obligations, such as the one in the CCPA, thus leaving large companies out of the reach of the law should they not meet the above criteria, regardless of income.
In addition, the CDPA does not include (i) a Virginia body, authority, council, agency, commission, district or agency or any Virginia political subdivision, (ii) any financial institution or data subject to the Gramm-Leach-Bliley Act, (iii) a hedged entity or business subject to the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act, (iv) non-profit organizations, and (v) higher education institutions. De-identified data or publicly available information are also not covered by the Act.
Another interesting aspect are some definitions, such as:
The controller must respond to requests by data subjects within 45 days, which the company may justifiably extend for another 45 days after notifying the consumer. Consumers are guaranteed the right of: (i) access, (ii) correction, (iii) deletion, (iv) data portability, (v) opt out, and (vi) appealing an organization.
Data collection must be limited to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed. The law mandates that controllers provide a privacy policy, which must contain: (i) the categories of personal data processed by the controller, (ii) purpose for processing personal data, (iii) how consumers may exercise their consumer rights and how to appeal a controller's decision with regard to the consumer's request, (iv) the categories of personal data that the controller shares with third parties, if any, and (v) the categories of third parties, if any, with which the controller shares personal data.
The act also determines that risk assessment must be carried out in the protection of personal data, although it does not indicate how often said assessment must take place and for how long it must be kept.
Finally, one important detail is that the Virginia's Attorney General will have exclusive authority to enforce the provisions of the Act, and there is no private right of action for allegedly aggrieved consumers. Upon being notified, the controller has 30 days to cure the violation, otherwise the Attorney General may impose civil penalties of up to US$7,500.00 for each violation.
1.2. COLORADO – COLORADO PRIVACY ACT
The Colorado Privacy Act (CPA) was enacted by the Colorado State Governor on July 8, 2021, and affects controllers that (a) controllers that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to Colorado residents; and (b1) control or process the personal data of 100,000 or more consumers during a calendar year; or (b2) derive revenue or receive a discount on the price of goods or services from the sale of personal data, and process or control the personal data of 25,000 or more consumers.
The CPA also sets forth categories of exempt data. Like the CDPA, these can be broken down into two main categories: entity-level exemptions and data-level exemptions. Entity-level exemptions are broader and, where they apply, the controllers do not need to comply with CPA obligations and rights regarding data they collect, even when the data would otherwise be included. The primary entity-level exemption under the CPA is for entities regulated by the Gramm-Leach-Bliley Act. De-identified data or publicly available information are also not covered by the Act.
Another interesting aspect are some definitions, such as:
The controller must respond to requests by data subjects within 45 days, which the company may justifiably extend for another 45 days after notifying the consumer. Consumers are guaranteed the right of: (i) access, (ii) correction, (iii) deletion, (iv) data portability, (v) opt out, and (vi) appealing an organization.
Data collection must be limited to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed. The Act mandates that controllers provide a reasonably accessible, clear, and meaningful privacy notice which must contain: (i) the categories of personal data processed by the controller or processor, (ii) purpose for processing personal data, (iii) how consumers may exercise their consumer rights and how to appeal a controller's decision with regard to the consumer's request, (iv) the categories of personal data that the controller shares with third parties, if any, and (v) the categories of third parties, if any, with which the controller shares personal data.
The Act also provides that controllers may not process activity that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment of each of its processing activities.
Finally, one important detail is that the authority to enforce the provisions of the Act fall upon both the Colorado's Attorney General and the district attorneys, and there is no private right of action for allegedly aggrieved consumers. Upon being notified, the controller has 60 days to cure the violation. This right to cure exists as a two-year sunset provision, after which controllers must respond directly to attorney general action. Interestingly, there is no strict fine guidance found explicitly in the statute. As a violation of the Act may be considered a deceptive trade practice per se, the penalties are governed by the Colorado Consumer Protection Act. Thus, a noncompliant entity may be fined up to US$20,000 per violation.