Disclaimer. This summary is intended solely for informational purposes and is not intended to constitute legal advice or to create an attorney-client relationship between Foley & Lardner and any recipient or reader of this summary. This is not intended to be an exhaustive summary of all issues and requirements relating to the topics discussed. If you have any questions about any of these issues you should contact your legal counsel.
Introduction. Using existing technology (referred to herein as a “Technology”), companies are able to obtain email addresses of visitors to websites who have not and do not disclose their email address to the website owner. This Summary discusses some of the legal issues relating to use of this technology.
Topics covered here include:
CAN-SPAM
California Privacy Laws
Colorado Privacy Laws
Virginia Privacy Laws
CAN-SPAM
- Email Harvesting. CAN-SPAM prohibits email harvesting, which is generally defined as obtaining email addresses from a website using automated means when the website has a notice stating that the operator of the website will not give, sell or otherwise transfer email addresses maintained by the website for the purpose of allowing others to send emails to those addresses.
- Thus, the Technology should not collect or provide email addresses to users of the Technology if those email addresses were acquired from a website that prohibits email address harvesting.
- Opt-Out – Not Opt-In. While some jurisdictions outside of the United States (e.g. the European Union and Canada) require an affirmative opt-in in order to send marketing or commercial emails, the US has been, since the passage of CAN-SPAM, an opt-out jurisdiction. This means marketing emails can be sent to recipients unless and until they have opted out of receiving marketing emails from the sender.
- Accordingly, a user of the Technology can send emails to email addresses acquired through the Technology provided that the recipient has not previously opted out of receiving marketing emails from the Technology user / sender.
- The sender of marketing emails acquired using the Technology should include an unsubscribe link or other opt-out mechanism in all marketing emails and promptly honor all opt-outs.
- Other CAN-SPAM compliance tips include:
- Don’t use false or misleading header information. Your “From,” “To,” “Reply-To,” and routing information – including the originating domain name and email address – must be accurate and identify the person or business who initiated the message.
- Don’t use deceptive subject lines. The subject line must accurately reflect the content of the message.
- Identify the message as an ad. The law gives you a lot of leeway in how to do this, but you must disclose clearly and conspicuously that your message is an advertisement.
- Tell recipients where you are located. Your message must include your valid physical postal address. This can be your current street address, a post office box you’ve registered with the U.S. Postal Service, or a private mailbox you’ve registered with a commercial mail receiving agency established under Postal Service regulations.
- Monitor what others are doing on your behalf. The law makes clear that even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.
OPT-OUT AND COMPLYING WITH THE CAN-SPAM ACT
Chanley Howell
Foley & Lardner, LLP
Disclaimer. This summary is intended solely for informational purposes and is not intended to constitute legal advice or to create an attorney-client relationship between Foley & Lardner and any recipient or reader of this summary. If you have questions about complying with the CAN-SPAM Act you should contact your legal counsel.
- Introduction. The CAN-SPAM Act of 2003 establishes requirements for companies that send commercial emails. The law covers email whose primary purpose is advertising or promoting a commercial product or service. This includes content on a Website. A “transactional or relationship message” – an email that facilitates an agreed-upon transaction or updates a customer in an existing business relationship – may not contain false or misleading routing information, but otherwise is exempt from most provisions of the Act. Violations of the Act can result in civil fines and criminal liability. The Act applies to consumer and business recipients and makes no exceptions for business-to-business emails.
- Commercial Emails v. Transactional or Relationship Emails. The requirements of the CAN-SPAM Act differ based on whether the email is (1) a “commercial” email or (2) a “transactional or relationship email.” An email is “commercial” if the primary purpose of the email is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose). A “transactional or relationship” email facilitates a commercial transaction (e.g., purchase of products or services) that the recipient has previously entered into, or to provide information relating to a product or service already purchased by the recipient from the sender, such as warranty or recall information or account balances. Most requirements and prohibitions of the Act apply only to commercial messages, but the Act does prohibit both commercial and transactional / relationship messages from containing false or misleading routing information (e.g., the source, destination, originating email address, “from” line, etc.).
- Prior Consent / Opt-In Not Required. Opt-Out Mechanisms and Procedures. Prior express consent or opt-in consent is not required in order to send commercial emails. Commercial emails may not, however, be sent to recipients who have opted-out or unsubscribed from receiving commercial emails from the sender.
- Opt-Out Rather than Opt-In. While some jurisdictions outside of the United States (e.g. the European Union and Canada) require an opt-in in order to send marketing or commercial emails, the US has been an opt-out jurisdiction since the passage of CAN-SPAM. This means marketing emails can be sent to recipients unless and until they have opted out of receiving marketing emails from the sender.
Section 7704(a)(3)[1] of the Act requires that marketing messages contain an opt-out or unsubscribe mechanism:
* * *
(3) Inclusion of return address or comparable mechanism in commercial electronic mail
- (A) In general, it is unlawful for any person to initiate the transmission to a protected computer of a commercial electronic mail message that does not contain a functioning return electronic mail address or other Internet-based mechanism, clearly and conspicuously displayed, that—
- (i) a recipient may use to submit, in a manner specified in the message, a reply electronic mail message or other form of Internet-based communication requesting not to receive future commercial electronic mail messages from that sender at the electronic mail address where the message was received; and
- (ii) remains capable of receiving such messages or communications for no less than 30 days after the transmission of the original message.
- * * *
Section 7704(a)(4) of the Act states the opt out requirements:
* * *
(4) Prohibition of transmission of commercial electronic mail after objection
- (A) IN GENERAL, if a recipient makes a request using a mechanism provided pursuant to paragraph (3) not to receive some or any commercial electronic mail messages from such sender, then it is unlawful:
- (i) for the sender to initiate the transmission to the recipient, more than 10 business days after the receipt of such request, of a commercial electronic mail message that falls within the scope of the request;
- (ii) for any person acting on behalf of the sender to initiate the transmission to the recipient, more than 10 business days after the receipt of such request, of a commercial electronic mail message with actual knowledge, or knowledge fairly implied on the basis of objective circumstances, that such message falls within the scope of the request;
- (iii) for any person acting on behalf of the sender to assist in initiating the transmission to the recipient, through the provision or selection of addresses to which the message will be sent, of a commercial electronic mail message with actual knowledge, or knowledge fairly implied on the basis of objective circumstances, that such message would violate clause (i) or (ii); or
- (iv) for the sender, or any other person who knows that the recipient has made such a request, to sell, lease, exchange, or otherwise transfer or release the electronic mail address of the recipient (including through any transaction or other transfer involving mailing lists bearing the electronic mail address of the recipient) for any purpose other than compliance with this Act or other provision of law.
- * * *
- Thus, the Act does not contain any requirements or reference to opting-in to receive marketing email messages. As the Federal Trade Commission has stated in public guidance[2],
- * * *
- Here’s a rundown of CAN-SPAM’s main requirements:
- Don’t use false or misleading header information. Your “From,” “To,” “Reply-To,” and routing information – including the originating domain name and email address – must be accurate and identify the person or business who initiated the message.
- Don’t use deceptive subject lines. The subject line must accurately reflect the content of the message.
- Identify the message as an ad. The law gives you a lot of leeway in how to do this, but you must disclose clearly and conspicuously that your message is an advertisement.
- Tell recipients where you’re located. Your message must include your valid physical postal address. This can be your current street address, a post office box you’ve registered with the U.S. Postal Service, or a private mailbox you’ve registered with a commercial mail receiving agency established under Postal Service regulations.
- Tell recipients how to opt out of receiving future email from you. Your message must include a clear and conspicuous explanation of how the recipient can opt out of getting email from you in the future. Craft the notice in a way that’s easy for an ordinary person to recognize, read, and understand. Creative use of type size, color, and location can improve clarity. Give a return email address or another easy Internet-based way to allow people to communicate their choice to you. You may create a menu to allow a recipient to opt out of certain types of messages, but you must include the option to stop all commercial messages from you. Make sure your spam filter doesn’t block these opt-out requests.
- Honor opt-out requests promptly. Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your message. You must honor a recipient’s opt-out request within 10 business days. You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request. Once people have told you they don’t want to receive more messages from you, you can’t sell or transfer their email addresses, even in the form of a mailing list. The only exception is that you may transfer the addresses to a company you’ve hired to help you comply with the CAN-SPAM Act.
- Monitor what others are doing on your behalf. The law makes clear that even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.
* * *
- As required by the Act, the FTC recently reviewed the law and accepted public comments in order to determine whether the law was still appropriate as written. On February 12, 2019, the FTC confirmed:
- (B) The Act does not require that recipients affirmatively consent or opt-in to receiving commercial emails. Rather, each email must contain a clear and conspicuous notice the recipient can opt-out of receiving more commercial email from the sender.
- (C) Commercial emails must contain a return email address or another Internet-based response mechanism that allows the recipient to indicate it does not want future email messages to that email address. It is permissible to create a “menu” of choices to allow a recipient to opt-out of certain types of messages, but the email must include the option to end any and all commercial messages from the sender.
- (D) The return email address / opt-out mechanism must be able to process opt-out requests for at least thirty (30) days after the commercial email is sent. When a sender receives an opt-out request, the sender must honor and stop sending email to the requestor’s email address no later than ten (10) business days after receipt of the request. A sender cannot help another entity send email to that address, or have another entity send email on the sender’s behalf to that address. It is also a violation of the Act to sell or transfer the email addresses of people who choose not to receive commercial email, even in the form of a mailing list, unless the sender transfers the addresses so another entity can comply with the law.
- (E) The sender cannot require a recipient to pay a fee, provide information other than the person’s email address and opt-out preferences, or take steps other than sending a reply email or visiting a single Web page, as a condition of receiving or honoring opt-out requests.
- Identification of Commercial Email as an Advertisement. Commercial emails must be clearly and conspicuously identified as an advertisement or solicitation. The email should state at the beginning of the message (there does not have to be ADV or similar identification in the subject line) that it is an advertisement from the sender, and generally describe the products or services being advertised. If the recipient previously provided consent to receive commercial emails from the sender (e.g., through an opt-in process), then the email does not have to be conspicuously identified as an advertisement.
- Message Routing / Header Information Cannot Contain False or Misleading Information. The “From,” “To,” and routing information on a commercial email – including the originating domain name and email address – must be accurate and identify the person who initiated the email. As noted above, this applies to commercial as well as transactional / relationship emails.
- Subject Lines May Not Be Deceptive. The subject line should be clear, truthful and accurate, and cannot mislead the recipient about the content or subject matter of the message.
- Identification of Postal Address. A commercial email must include the sender’s valid physical postal address, which can be a post office box or private mailbox.
- Multiple Senders / Advertisers. In the event two or more advertisers desire to send an email including content on behalf of each advertiser (e.g., a joint-marketing arrangement), the advertisers must designate one of them as the sender that must honor opt-out requests and satisfy the other statutory obligations. That sender must be the only person identified in the “from” line of the email and must comply with all requirements under the Act. Even though there is one sender, all other advertisers remain responsible for compliance under the Act. Accordingly, each advertiser should carefully review and assess the compliance of the joint email, investigate the reputation of the sender, and take appropriate steps to ensure the sender’s compliance with the Act, including the honoring of all opt-out requests.
- No Sexually-Explicit Material. The email should not include sexually-explicit material. The Act provides additional requirements for labeling, disclaimers and presentation of emails with sexually-explicit content.
- No Harvesting or Automatic Email Generation. Senders should not use automated means to gather or “harvest” email addresses from third-party websites whose terms prohibit such harvesting, and should not randomly generate possible email addresses (a “dictionary attack”).
[1] 15 USC § 7704(a)(3)
[2] https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business
CALIFORNIA PRIVACY LAWS
California Privacy Rights Act (CPRA) amending the California Consumer Privacy Act (CCPA)
Disclaimer. These Summaries and FAQs regarding the California Privacy Rights Act (CPRA), amending and renaming the California Consumer Privacy Act (CCPA) are intended solely for informational purposes and is not intended to constitute legal advice or to create an attorney-client relationship between Foley & Lardner and any recipient or reader of this summary. This is not intended to be an exhaustive summary of all requirements of the CPRA. If you have questions about complying with the CPRA, you should contact your legal counsel.
The CPRA, a ballot initiative passed by voters in November 2020, amends the CCPA and renames the CCPA to the CPRA. The CPRA includes additional privacy protections for consumers as discussed below.
- Opt-Out of Sharing for Targeted Advertising. The CPRA extends a consumer’s right to opt-out of sales to include a right to opt-out of the sharing of the consumer’s personal information for targeted advertising (defined as “cross-context behavioral advertising”), whether such sharing is made with or without consideration. The CPRA contains an opt-out requirement for the sharing or sale of personal information, with the exception of the sharing or sale of personal information relating to children under the age of 16. (Children aged 13 to 16 must provide opt-in consent for the sale or sharing of their personal information. Website owners collecting, using, selling, or sharing personal information relating to children under the age of 13 must obtain verifiable parental opt-in consent to do so.)
- The CPRA does not outright prohibit the sharing of personal information. Rather, if a company shares personal information for targeted advertising, the company must provide notice of this to the consumer and give the consumer at least two methods for opting out of the sharing of personal information for targeted advertising, one of which must be an interactive webform for submitting opt-out requests. Use of the Technology to acquire email addresses and send emails to those addresses is sharing under the CPRA, which would require notice and the ability to opt-out of such sharing.
- There are few exclusions from a “sharing” of personal information triggering the opt-out requirements, including when a Technology user directs the Technology provider to intentionally disclose personal information with one or more third parties.
- If the Technology user desires to permit the Technology provider or any other third party to use the personal information for their own purposes outside of providing services to the Technology user, the Technology user should comply with the notice and opt-out requirements under the CPRA relating to the sharing of personal information for targeted advertising.
- CPRA Notice. One of the primary requirements of the CPRA is the obligation to provide a “Do Not Sell or Share My Personal Information” link and a privacy notice or privacy policy to website visitors complying with the requirements of the CPRA. All of the various notice requirements under the CPRA are outside the scope of this summary. With respect to the Technology, generally speaking the CPRA requires notice to website visitors if personal information that identifies or can reasonably be used to identify them is collected by the website owner, including the purposes for collecting, selling, or sharing the personal information and the categories of third parties to whom the personal information is disclosed.
- On its website homepage, a user of the Technology should provide a clear and conspicuous link titled “Do Not Sell or Share My Personal Information” that enables a user to opt-out of the sharing of a visitor’s personal information.
- In its CPRA privacy notice, a user of the Technology should disclose and describe that, among other things, the website owner uses tracking technology to collect identifiable information about visitors (e.g., an email address or hashed email address), how it uses the information and that it shares the information with third parties (e.g., with the Technology provider to identify email addresses of visitors). Details will vary depending on the nature of the website and particular Technology used.
- Vendor Agreements. Under the CPRA, specific language is required in business agreements depending on the nature of the business arrangement between the parties.
- Sale of Personal Information. While the CPRA does not outright prohibit the sale of personal information, the newly defined term “sharing” broadly encompasses targeted advertising. The separate definition of sharing suggests that such activities may no longer be considered sales under the CPRA.
- Opt-out of Profiling and Automated Decision Making. While not detailed in the CPRA, the CPRA vests the Attorney General or a soon to be formed governing body, the California Privacy Protection Agency, with the authority to further establish rules governing access and opt-out rights with respect to automated decision-making technology, including profiling.
FREQUENTLY ASKED QUESTIONS REGARDING THE CALIFORNIA CONSUMER PRIVACY ACT
Chanley Howell
Foley & Lardner, LLP
Updated: March 18, 2021
Disclaimer. These FAQs regarding the California Privacy Rights Act (CPRA), amending and renaming the California Consumer Privacy Act (CCPA) are intended solely for informational purposes and is not intended to constitute legal advice or to create an attorney-client relationship between Foley & Lardner and any recipient or reader of this summary. This is not intended to be an exhaustive summary of all requirements of the CPRA. If you have questions about complying with the CPRA, you should contact your legal counsel.
The CPRA, a ballot initiative passed by voters in November 2020, amends the CCPA and renames the law. Frequently asked questions relating to the CPRA are discussed below.
- Who does the CPRA apply to?
The CPRA applies to any business— a for-profit legal entity — that collects and sells consumer “personal information”, with a few exemptions discussed below. The law sets a floor in terms of revenue and the number of consumer records being processed for the CPRA to kick in. A company has to meet one or more of the following for the CPRA to apply:
- Have $25 million or more in annual revenue (not limited to revenue generated in or from California); or
- Annually buys, sells or shares personal information of 100,000 or more California consumers or households; or
- Earn more than half of its annual revenue selling or sharing consumers’ personal data.
There are only a few entity-level exemptions under the CPRA, limited to:
- Non-profit entities; and
- Health providers and insurers already covered by HIPAA.
There are also more limited exemptions covering only certain types of information held by the following businesses:
- Banks and financial companies covered by the Gramm-Leach-Bliley Act; and
- Credit reporting agencies (Equifax, TransUnion, etc.) covered by the Fair Credit Reporting Act.
- What if we are not located and have no facilities in California?
If you collect personal information from residents of the State of California while they are in California you are likely doing business in California. Thus the law would apply to you if your company satisfies any of the applicability triggers discussed above.
- What qualifies as “personal information” under the CPRA?
The CPRA defines personal information broadly to include information that can identify, relate to, describe, be associated with, or be reasonably capable of being associated with, or could reasonably be linked, directly or indirectly with a particular consumer or household. The CPRA’s private right of action provision relating to data breaches incorporates a narrower definition of personal information (discussed below).
The law identifies a non-exhaustive list of categories of personal information, including:
- Identifiers including real name, alias, postal address, unique personal identifier, online identifier, internet protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
- Personal information defined in other California laws, such as a signature, physical characteristics or description, telephone number, state identification card number, education, employment, employment history;
- Characteristics of protected classifications under California or federal law;
- Commercial information, including records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
- Biometric information;
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement;
- Geolocation data;
- Audio, electronic, visual, thermal, olfactory, or similar information;
- Professional or employment-related information; and
- Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (FERPA).
The definition also pulls in inferences from personal information used to create a profile about a consumer that would reflect the person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. Thus, for example, businesses that leverage artificial intelligence (AI) to help determine consumer preferences or identify preferred job candidates must look more carefully at what personal information they may maintain about their consumers (including employees) for purposes of CPRA.
Personal information does not include de-identified or aggregate consumer information.
- Does the CPRA apply to protected health information governed by HIPAA and other medical or health information?
Personal information does not include protected health information (PHI) governed by HIPAA or medical information under California’s Confidentiality of Medical Information Act (CMIA). Additionally, the CPRA exempts an organization that “maintains patient information in the same manner” as PHI under HIPAA. Thus, to the extent the data involved includes, or arguably could include, any PHI or medical information under the CMIA.
- Does the CPRA apply to employee (or independent contractor personnel) information?
Employee (including independent contractor) related data is excluded from most provisions of the CPRA until January 1, 2023. Employers do, however, need to provide a brief privacy notice to employees regarding the nature of personal information collected, for what purposes, and a general description of who it is disclosed to (e.g. service providers).
- What rights do consumers have under the CPRA?
The new rights under the CPRA are similar to many contained in the EU’s General Data Protection Regulation. The CPRA gives California residents the right to request that a business:
- Disclose the categories and specific pieces of personal information it has collected.
- Disclose the categories of sources from which the personal information is collected.
- Disclose the business or commercial purpose for collecting, selling or sharing the personal information.
- Disclose the categories of third parties with which the business discloses the personal information.
- Request access to, transportation of, correction of and deletion of any personal information about the consumer that the business has collected from a consumer, subject to certain exceptions.
- Opt out of the use of automated decision-making technology, including profiling (subject to the rulemaking described above). Profiling uses automated processing to evaluate a consumer’s personal aspects and make predictions concerning the consumer’s performance at work, economic situation, health, preferences, interests, reliability, behavior, location, or movements.
- Not “sell” (broadly defined) or “share” the consumer’s personal information if the consumer opts-out (the “do not sell or share my personal information” opt-out).
- Limit the use of sensitive personal information, which includes personal information that reveals a consumer’s social security number or other government-issued ID number, a consumer’s account log-in or financial information together with any required security credentials, a consumer’s “precise” geolocation (within a radius of 1,850 feet), a consumer’s health, sex life, or sexual orientation, racial or ethnic origin, religious or philosophical beliefs, or union membership, a consumer’s genetic data, and the contents of a consumer’s mail, email, or text messages (unless the business is the intended recipient of that communication).
- Do we need to revise our privacy policies; and if so, what should it cover?
Probably, if the law applies to you. The CPRA has added several new substantive elements to the required disclosures that must be included in a privacy notice or policy. In addition to the information that must be included under the existing California laws or provided pursuant to California’s “Shine the Light” law, online privacy policies must include:
- A description of consumers’ rights under the CPRA.
- A description of the categories of personal information collected by the business in the preceding 12 months.
- The commercial and business purposes for which the personal information is collected.
- The categories of personal information sold or disclosed for a business purpose in the preceding 12 months.
- The categories of third parties with which personal information is shared.
- If the Company sells or shares personal information, a “Do Not Sell or Share My Personal Information” web-based opt-out link.
- A description of any financial incentives for providing data or not exercising rights (e.g., if the company offers a 15% discount to individuals who provide their email address for marketing purposes, this incentive must be disclosed in the privacy policy).
- For the “do not sell” opt-out, what constitutes the “sale” of personal information?
A “sale” of personal information under the CPRA is defined broadly to include the “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means” the personal information of a Consumer to another business or third party “for monetary or other valuable consideration.”
This broad definition suggests that if personal information is provided as part of a larger business relationship, a “sale” may have occurred even if no amounts are paid directly for the data itself. In addition, a website may be “selling” personal information by passing such information to third-party ad networks through cookies.
- What would NOT be considered a “sale” of personal information?
The law provides a non-exhaustive list of examples which would not be considered a sale of personal information:
- A Consumer uses or directs the Business to intentionally disclose personal information to a third party. An “intentional” interaction occurs when the Consumer intends to interact with the third party via one or more deliberate actions. Hovering over a piece of content or closing it does not qualify as a “deliberate action”.
- A Business shares a Consumer identifier to alert a third party of a Consumer’s opt-out decision.
- Personal information is shared with a third party to perform a “business purpose” (explained below); the Business has provided notice of this sharing and the opt-out right (as described below); and the third party does not further collect, sell or use the personal information except as necessary to perform the business purpose.
- The personal information is an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the Business, provided the Business complies with the CPRA disclosure requirements relating to the disclosure of information collected or sold (discussed above). If the acquirer plans to alter how it will use or disclose the personal information in a manner materially inconsistent with the promises made at the time of collection, it must provide prior notice of the new practices to the Consumer and include a “prominent and robust” notice so the Consumer can opt out. Note that the CPRA also warns Businesses that material, retroactive privacy policy changes must not violate California’s Unfair Competition Law — a statement apparently designed to address Businesses that want to make significant changes to a privacy policy in light of an impending deal.
- For the “do not share” opt-out, what constitutes the “sharing” of personal information for “cross-context behavioral information”?
“Sharing” of personal information under the CPRA is defined broadly to include the “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.”
“Cross-context behavioral advertising” means the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.
The new definition of “sharing” makes it clear that the disclosure of personal information (including unique identifiers in cookies) for targeted advertising with or without consideration will be subject to the rights of a consumer to opt-out of such a disclosure.
- What would NOT be considered “sharing” personal information?
The law provides limited exclusions from “sharing” under the CPRA, including:
- A Consumer uses or directs the Business to intentionally disclose personal information to a third party or intentionally interact with one or more third parties. An “intentional” interaction occurs when the Consumer intends to interact with the third party via one or more deliberate actions. Hovering over a piece of content or closing it does not qualify as a “deliberate action”.
- A Business shares a Consumer identifier to alert a third party of a Consumer’s opt-out decision.
- The personal information is an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the Business, provided the Business complies with the CPRA disclosure requirements relating to the disclosure of information collected or shared (discussed above). If the acquirer plans to alter how it will use or share the personal information in a manner materially inconsistent with the promises made at the time of collection, it must provide prior notice of the new practices to the Consumer and include a “prominent and robust” notice so the Consumer can opt out. Note that the CPRA also warns Businesses that material, retroactive privacy policy changes must not violate California’s Unfair Competition Law — a statement apparently designed to address Businesses that want to make significant changes to a privacy policy in light of an impending deal.
COLORADO PRIVACY LAWS
Colorado Privacy Act (“CPA”)
Disclaimer. This summary regarding the Colorado Privacy Act (CPA) is intended solely for informational purposes and is not intended to constitute legal advice or to create an attorney-client relationship between Foley & Lardner and any recipient or reader of this summary. This is not intended to be an exhaustive summary of all requirements of the CPA. If you have questions about complying with the CPA, you should contact your legal counsel.
On July 7, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act (“CPA”) into law. The law is likely subject to significant changes both before and after it goes into effect on July 1, 2023.
The CPA applies to businesses that intentionally target Colorado consumers and that either process personal data of at least 100,000 consumers, or process personal data of at least 25,000 consumers and derive revenue (or a price discount) from the sale of personal data. Notably absent is any revenue threshold.
Key Takeaways:
- Certain types of data are excluded, including employment records, job applications, personal data governed by certain federal or state laws such as GLBA, and data available in public records.
- Consumers gain five key rights under the CPA: right of access, right to opt out, right to correct, right to delete, and right to data portability. They also gain a right to appeal.
- Businesses have multiple new obligations including a duty of transparency, duty to avoid secondary use, duty of data minimization, duty of care regarding data security, and a duty to obtain consent before processing a consumer’s sensitive data.
- The CPA is enforced by the attorney general and district attorneys. There is no private right of action.
- The law will take effect July 1, 2023.
- The Colorado Governor has already requested that the legislature amend the CPA, which may significantly alter the law’s obligations and requirements.
Applicability and Exemptions
The CPA as currently enacted applies to any business (a “controller”) that “conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado” and meets one or both of the following thresholds:
- The controller processes or controls personal data of at least 100,000 Colorado consumers per year. While this is higher than the threshold in California under the CCPA, it is the same threshold as found in California’s new CPRA and the Virginia CDPA.
- The controller processes or controls personal data of at least 25,000 Colorado consumers per year and derives revenue or receives a discount on the price of goods or services from the sale of personal data. The CPA broadly defines a sale as the “exchange of personal data for monetary or other valuable consideration by a controller to a third party.” Unlike the CCPA and the Virginia CDPA, the CPA does not have a percentage-of-revenue threshold, so any revenue or discount received from the sale of personal data may be sufficient, even if it is minimal. If this threshold survives any amendments, its applicability is likely to be a hot topic of litigation once the law becomes effective.
The current CPA only applies to information about consumers, which are defined as Colorado residents acting only in an individual or household context. It does not apply to information about individuals acting in a commercial or employment context (including as a job applicant, or as a beneficiary of another individual acting in the employment context). In contrast, both employment and business-to-business information will be subject to California’s CPRA once the temporary exclusions for these types of data expire on January 1, 2023, unless the temporary exclusions are extended or another law is passed to cover this information.
The law applies to a controller’s processing of “personal data,” which the law defines as “information that is linked or reasonably linkable to an identified or an identifiable individual.” However, the definition explicitly excludes de-identified information and publicly available information. The “publicly available information” exclusion is somewhat broader than the one found in laws like the CPRA: it covers not only information lawfully made available from government records, but also information that the controller has a reasonable basis to believe the consumer has lawfully made available to the general public. This likely includes information posted on social media; however, it is unclear whether information posted on social media to a limited audience will be deemed publicly available.
- Consumer Rights
The CPA provides Colorado consumers with the following rights regarding their personal data:
- Right of access. Consumers have the right to confirm whether a business is processing their personal data and to access their personal data.
- Right to opt out. Consumers have the right to opt out of processing of their personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning them.
- Right to correction. Consumers have the right to correct inaccuracies in their personal data. However, the nature and purposes of the processing of the consumer’s personal data must be taken into account.
- Right to deletion. Consumers have the right to delete personal data about themselves.
- Right to data portability. Consumers have the right to obtain their personal data in a portable format twice per year. This data must be in a readily usable format that allows the consumer to transmit the data to another entity without encumbrance, to the extent technically feasible.
- Right to appeal. Businesses must respond to consumer requests under the CPA within 45 days of receipt. This deadline may be extended for an additional 45 days if the consumer is notified within the initial 45-day period and the extension is reasonably necessary. If the business decides not to take action on the consumer’s request, it must inform the consumer how they can appeal the decision. The appeal process must be “conspicuously available” and easy for the consumer to use.
- Business Obligations
In addition to permitting consumers to exercise their rights, the CPA imposes multiple new affirmative duties on controllers.
- Transparency. Controllers must provide consumers with a clear and meaningful privacy notice. The notice must be reasonably accessible and must include: (a) the categories of personal data collected or processed; (b) the purposes for which the personal data is processed; (c) a description of the consumer rights described above and how a consumer can exercise them; (d) the categories of personal data that are shared with third parties; and (e) the categories of third parties with whom the personal data is shared.
- Data Minimization. Controllers must limit collection of personal data to that which is relevant and reasonably necessary in relation to the specified purpose of the data processing.
- Purpose limitation. Controllers are required to clearly and conspicuously disclose the express purposes for which personal data is collected and processed. Controllers must first obtain the consumer’s consent for use of personal data that is not reasonably necessary or compatible with the disclosed purposes.
- Duty of care. Controllers must take reasonable measures to secure personal data from unauthorized acquisition during storage and use. Data security practices must be appropriate for the nature of the business and the amount and type of data processed.
- Avoiding Unlawful Discrimination. Controllers are prohibited from processing personal data in violation of federal or state laws that prohibit unlawful discrimination against consumers.
- Consent for Processing Sensitive Data. Controllers must obtain consent before processing a consumer’s sensitive data. If processing sensitive data of a child, the business must first obtain consent from the child’s parent or lawful guardian. Sensitive data is defined as personal data that reveals racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, a person’s sex life or sexual orientation, citizenship or citizenship status, as well as genetic or biometric data that may be processed for the purpose of uniquely identifying an individual. Sensitive data also includes personal data from a known child.
- Sales of Personal Data. Controllers must clearly and conspicuously disclose any sale of personal data or any processing of personal data for targeted advertising, and must provide consumers with an opportunity to opt out of such activities.
- Data Protection Assessments for High-Risk Processing. Controllers must conduct and document a data protection assessment if their processing activities will present a heightened risk of harm to a consumer. Such activities include processing sensitive data, selling personal data, and targeted advertising or profiling if the profiling presents certain reasonably foreseeable risks.
- Processors and Data Processing Agreements. Processors are entities that process personal data for or on behalf of controllers. Processors are required to comply with the controller’s instructions. Processors are also required to assist the controller in meeting its obligations under the CPA, including by taking appropriate measures to assist in responding to consumer requests, helping meet the security and breach notification obligations, and providing the information necessary to conduct data protection assessments. Controllers and processors must enter into a written agreement, with terms and conditions similar to those required under the GDPR, that:
- Describes the purpose of the processing, the duration of the processing, and the types of personal data to be processed;
- Requires that each person involved in the processing be subject to a duty of confidentiality;
- Requires that the processor only use subprocessors pursuant to a similar contract and that the processor take responsibility for any subprocessors;
- Describes the allocation of responsibility for security measures;
- Requires the processor to either delete the personal data or return it to the controller, unless retention is required by law;
- Requires the processor to allow for and contribute to reasonable audits and inspections by the controller or a third-party auditor. Alternatively, with the controller’s consent, the processor can retain an independent auditor to audit the processor’s policies and security standards against an appropriate and accepted control standard or framework; and
- Requires the processor to make available all information necessary for the controller to show compliance.
VIRGINIA PRIVACY LAWS
Disclaimer. This summary regarding the Consumer Data Protection Act (CDPA) is intended solely for informational purposes and is not intended to constitute legal advice or to create an attorney-client relationship between Foley & Lardner and any recipient or reader of this summary. This is not intended to be an exhaustive summary of all requirements of the CDPA. If you have questions about complying with the CDPA, you should contact your legal counsel.
On March 2, 2021, Virginia’s governor signed the Consumer Data Protection Act (“CDPA”) into law. The CDPA contains elements of both the newly passed California Privacy Rights Act (“CPRA”), which revised the California Consumer Privacy Act of 2018 (“CCPA”), and the European General Data Protection Regulation (“GDPR”). Even businesses that are compliant with the current CCPA and/or GDPR will find nuances in the CDPA that require adjustments to their privacy practices.
CDPA AT-A-GLANCE
- CDPA gives consumers broad rights to access and obtain, correct, delete, and opt out of certain processing of their personal data, protects against discrimination, and provides consumers with the right to appeal a business’s denial of a consumer rights request.
- Opt-in consent requirements for sensitive data.
- CDPA is effective January 1, 2023.
- Controllers and Processors (as described below) will need to modify operations, policies and procedures to comply with the new requirements of the CDPA.
- No private right of action, but CDPA does provide for statutory penalties after a 30-day cure period.
Scope of the CDPA
- Definition of Personal Data: The CDPA defines personal data broadly as “any information that is linked or reasonably linkable to an identified or identifiable person.”
- Definition of Consumers: The CDPA has narrower definitions of consumers than the CCPA. Under the CDPA, a “consumer” is defined as a natural person who is a Virginia resident “acting only in an individual or household context” and “does not include a natural person acting in a commercial or employment context.” This means that information obtained in the “business to business” context and employee information is not subject to CDPA.
- Thresholds: Like the CCPA, the CDPA only applies to organizations that meet certain thresholds (the “Controller”). CDPA only applies to organizations which:
- Control or process personal data of at least 100,000 consumers; or
- Control or process data of at least 25,000 consumers, and, that derive more than half of their revenue from the sale of personal data.
Since a consumer under the CDPA is only a Virginia resident, and there is no broad CCPA-like revenue trigger (businesses must comply with the CCPA if they have over $25 million in revenue per year), the CDPA applies much more narrowly than the CCPA. The practical effect is that fewer small and mid-size businesses will be subject to the CDPA; however, certain industries that rely on the sale of personal data will be subject to the CDPA regardless of the size of the entity.
- Excluded Organizations: The CDPA does not apply to certain businesses, such as governmental agencies, non-profits, covered entities and business associates subject to Health Insurance Portability and Accountability Act (“HIPAA”), financial organizations subject to Gramm-Leach-Bliley Act (“GLBA”), and higher education institutions.
- Excluded Information: Similar to other privacy laws, the CDPA excludes certain information, including employee information, and information subject to GLBA, HIPAA, the Family Educational Rights and Privacy Act, and the Fair Credit Reporting Act, among others.
- Definition of a “Sale”: Both the CDPA and CCPA define what it means to sell data, and both require that consumers have the opportunity to opt out of a sale. The CDPA defines a sale much more narrowly than the CCPA: under the CDPA, a sale occurs only when monetary consideration is exchanged for data. The CCPA, by contrast, treats a transfer of data in exchange for “any valuable consideration” as a sale. Practically, this means that far fewer data exchanges are “sales” under the CDPA than under the CCPA.
CDPA Consumer Rights
The CDPA provides the following rights to consumers:
- Right to Access and Obtain Personal Data. Consumers will have the right to access and obtain a copy of the consumer’s personal data in a portable and, to the extent technically feasible, readily usable format;
- Right to Correct. Consumers will have the right to correct inaccuracies in a consumer’s personal data;
- Right to Delete. Consumers will have the right to delete personal data collected about them;
- Right to Opt-out of Sales, Profiling and Targeted Advertising. Consumers will have the right to opt-out of sales of their personal data, profiling that produces a legal or similarly significant effect, and processing of their data for targeted advertising;
- Right to Non-Discrimination. Controllers may not discriminate against a consumer for exercising a right under the CDPA, such as by denying goods or services to the consumer, by charging different prices or rates for goods and services, or by providing a different level of quality of goods and services to the consumer;
- Right to Appeal. Consumers will have the right to appeal a decision of the entity refusing to take action or denying a consumer rights request; and
- Opt-In Rights to Processing of Sensitive Data. Controllers may not process certain sensitive data unless the consumer has affirmatively opted-in to the processing. Additionally, Controllers must process data from a child who is known to be under 13 years of age in compliance with the Children’s Online Privacy Protection Act (“COPPA”), including its verifiable parental consent requirements. Sensitive data is defined as data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, precise geolocation data, and data of a child known to be under 13 years of age.
New Controller Requirements
- Data Minimization. Controllers must limit the collection of personal data to that which is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed as disclosed to the consumer.
- Use Limitations. The processing of personal data must be reasonably necessary and compatible with the purpose disclosed to the consumer.
- Employ Reasonable Security. Controllers must establish, implement and maintain reasonable administrative, technical and physical security practices that are appropriate to the volume and nature of the personal data.
- Notice of Sales and Targeted Advertising. Controllers must clearly and conspicuously disclose sales of personal data and targeted advertising. The CDPA does not specify how a Controller can comply with this requirement; however, CDPA also establishes a working group that will provide recommendations and best practices, which may provide additional guidance on this requirement.
- Privacy Notice. Controllers will need to be substantially more transparent about their collection and use of personal information and must provide consumers with notice (in their privacy policies) of their new rights under the CDPA.
- Data Processing Agreements. Controllers will be required to enter into contracts that govern Processors’ (as discussed below) use and processing of personal data, including specific terms to be entered in that agreement.
- Mandatory Data Protection Assessments. Controllers must conduct a data protection assessment for certain personal data processed after the effective date of the CDPA, January 1, 2023. Note that this can include data that was collected before the effective date but is processed on or after January 1, 2023. Assessments are required for the following processing activities:
- Processing of personal data for targeted advertising.
- Processing of personal data for certain profiling with a reasonably foreseeable risk of disparate impact or treatment, financial, physical or reputational injury, intrusion on seclusion or other substantial injury to a consumer.
- Sales of personal data.
- Processing of sensitive data.
- Processing of personal data that presents a heightened risk of harm to consumers.
New Processor Requirements
- Under the CDPA, an entity who is processing data on behalf of another entity (the “Processor”) must adhere to the Controller’s instructions and assist the Controller with the Controller’s obligations under CDPA.
Enforcement
- Unlike the CCPA, there is no private cause of action for violations of the CDPA and a business has a 30-day cure period for violations. If a Controller or Processor has not cured the violation within the cure period, the Virginia Attorney General may assess a civil penalty of up to $7,500 per violation and recover reasonable costs for the investigation and prosecution by the Attorney General.