It is becoming increasingly difficult for businesses to keep up with the growing patchwork of privacy laws. A fifth state has been added to the list of those with comprehensive privacy laws, Virginia has passed multiple amendments to its privacy law, and states have increasingly enacted workplace-specific privacy legislation.
Connecticut Becomes Fifth State with Comprehensive Privacy Law
On May 10, 2022, Connecticut became the fifth state with comprehensive privacy legislation after Governor Ned Lamont signed the bill into law. This law provides Connecticut residents with certain rights over their data and requires businesses to allow consumers to opt out of certain types of processing, among other obligations. Connecticut’s law, which is being called the Connecticut Data Privacy Act (“CTDPA”), goes into effect on July 1, 2023, and applies to businesses that:
- Conduct business in Connecticut or produce products or services targeted to Connecticut residents; and, during the preceding calendar year, either:
  - Controlled or processed the personal data of at least 100,000 Connecticut residents; or
  - Controlled or processed the personal data of at least 25,000 Connecticut residents and derived over 25% of their gross revenue from the “sale” of personal data.
The CTDPA adopts a broad definition of “sale” that mirrors the definition found in California, Colorado, and Virginia.
Similar to Virginia, Colorado, and Utah, Connecticut has included broad exceptions for government entities, non-profits, entities subject to GLBA and HIPAA, and employee and business-to-business data. Under the CTDPA, Connecticut residents will have the right to:
- Know whether an entity is processing their personal data;
- Request deletion of their personal data;
- Correct inaccuracies in their personal data;
- Request their personal data in a portable and usable format; and
- Opt out of the use of targeted advertising, selling of their data, and automated profiling decisions.
Virginia Amends Consumer Data Protection Act
On April 11, 2022, Governor Glenn Youngkin signed three amendments to the Virginia Consumer Data Protection Act (“VCDPA”), which is set to become effective on January 1, 2023. The amendments (1) add a new exemption to the VCDPA’s right to delete, (2) eliminate the Consumer Privacy Fund, and (3) redefine “nonprofit.” Prior to the first amendment, businesses were required to delete all data upon receiving a request to delete, whereas now businesses may retain data about a consumer obtained from a third party in order to ensure the data remains deleted. The other two amendments are small tweaks that change which state fund receives recovered penalties and modify the definition of “nonprofit” to include political organizations.
The first amendment allows a data controller to comply with a consumer’s request to delete data the data controller obtained from sources other than the consumer by either: (1) retaining a record of the deletion request and the minimum data necessary to ensure the consumer’s personal data remains deleted and not using such retained data for any other purpose; or (2) opting the consumer out of the processing of such personal data for any purpose except for those exempted purposes.
The next amendment eliminates the Consumer Privacy Fund and directs all penalties, expenses, and attorney fees to be paid to the state treasury and credited to the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund.
The last amendment modifies the definition of “nonprofit organization” to add any political organization that is tax-exempt under section 501(c)(3) of the Internal Revenue Code. Non-profits are exempt from VCDPA obligations.
Workplace Privacy Gains Momentum Coast-to-Coast
States have increasingly focused on bolstering privacy rights for employees. New York Senate Bill S2628, which came into effect on May 7, 2022, requires employers who monitor their employees’ phone, e-mail, or internet access or usage to provide prior written notice about such monitoring. These obligations apply to all private employers with a place of business in New York, regardless of size. Notice must be provided in writing, in an electronic record, and acknowledged by each employee either in writing or electronically. The NY Attorney General may seek penalties of up to $500 for the first offense, $1,000 for the second offense, and $3,000 for the third and any subsequent offenses.
Similarly, New Jersey’s Assembly Bill 3950, effective as of April 18, 2022, prohibits private employers from knowingly using a tracking device in a vehicle used by an employee without providing written notice to the employee. So long as the employer provides written notice, employee consent is not required. Employers that violate this law can be penalized up to $1,000 for the first violation and up to $2,500 for each subsequent violation, which is collectible by the Commissioner of Labor and Workforce Development.
California may be poised to follow suit and is considering bolstered workplace privacy protections. Assembly Bill 1651 (commonly known as the “Workplace Technology Accountability Act”) would regulate employers’ use of employee data, including biometric information, health and medical information, and personally identifiable information. If passed, employees would have a right to access and correct their personal data controlled by their employer. This bill comes as the California Legislature also considered two bills to extend or make permanent the employee data exception to the California Consumer Privacy Act.
The new wave of workplace privacy laws suggests that more states may look to expand employee privacy protections, and businesses could face new restrictions on the collection and use of certain information generated by employees.