California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA), the first comprehensive data-privacy law in the United States, was signed into law in 2018 and took effect on January 1, 2020. The legislation establishes how businesses must identify, manage, secure, track, produce and delete consumers' personal information so as to protect the privacy rights of California residents.
The CCPA applies to for-profit entities that do business in California and collect California residents' personal information, where the business meets at least one of the following thresholds:
- annual gross revenue over US $25 million;
- annually buy, receive, sell or share the personal information of 50,000 or more California consumers, households or devices; or
- derive 50 percent or more of their annual revenue from selling California residents' personal information.
The Act defines personal information broadly, covering items such as phone numbers, Social Security numbers, biometric information and Internet Protocol (IP) addresses.
Rights of Consumers
The CCPA protects consumers through a set of enumerated rights:
- Right to know: Consumers have the right to know what personal information a business collects about them, the sources of that information and the purposes for which it is collected. On a verifiable request, the business must disclose the personal information it holds about the consumer, free of charge, within 45 days.
- Right to delete: Consumers may ask a business to delete the personal information it holds about them, subject to exceptions such as information that must be retained for legal or regulatory purposes.
- Right to opt out of sale: Consumers have the right to know whether, and to whom, their personal information is sold or disclosed, and to opt out of such a sale, subject to certain exceptions.
- Right to non-discrimination: A business may not discriminate against a consumer for exercising their CCPA rights.
The CCPA imposes obligations on businesses to protect personal information from unrestrained transfer and processing:
- Businesses must inform consumers about how their personal information is processed.
- In the interest of transparency, consumers must be notified, at or before the point of collection, of the categories of personal information being collected and the purposes for which they will be used.
- Consumers must be granted access to the personal information the business holds about them.
- The business must establish a procedure for submitting requests and must maintain a "Do Not Sell My Personal Information" opt-out mechanism so that consumers can exercise their rights.
- The business must maintain a data inventory to track its data-processing history.
Basis for Processing of Data under CCPA
Under the CCPA, personal information may be processed for business or commercial purposes. As a general rule, consumer consent is not required to collect or use personal information; the business must instead give notice and honor the consumer's rights. The exception is the sale of personal information: adult consumers must be able to opt out, and for consumers under 16 years of age the business must obtain affirmative opt-in authorization before any sale, from the consumer themselves if aged 13 to 15 and from a parent or guardian if under 13.
Corresponding to these obligations, the CCPA provides for civil penalties to ensure accountability and compliance. The severity of the penalty depends on the intent, frequency and seriousness of the non-compliance: the maximum civil penalty is $7,500 for each intentional violation and $2,500 for each unintentional violation.
California Privacy Rights Act (CPRA)
The California Privacy Rights Act (CPRA), operative from January 1, 2023, amends and expands the CCPA and gives consumers greater control over their data. The rights it confers let consumers learn what data is being processed about them, why it is processed, how long it will be retained and how it will be used. The CPRA applies only to for-profit businesses that meet its thresholds, so non-profit entities and small businesses below those thresholds fall outside its scope. It also regulates third parties that obtain personal information from covered businesses, and it applies to businesses located outside California that collect data about California residents.
The CPRA applies to businesses that:
- Have a gross annual revenue of over $25 million;
- Buy, sell or share the personal information of 100,000 or more California consumers or households; or
- Derive 50% or more of their annual revenue from selling or sharing California residents' personal information.
Rights of Consumers
- Right to delete: The consumer can ask the business to delete the personal information it has collected about them.
- Right to opt out and right to limit: The consumer can opt out of the sale or sharing of their personal information and can limit the use and disclosure of their sensitive personal information.
- Right to access and right to correct: The business must provide the consumer with the personal information it holds about them on request, and the consumer may request correction of inaccurate personal information.
- Right to know: The consumer has the right to know what data is sold, shared or disclosed and to whom. A consumer may request that a business that sells or shares the consumer's personal information, or discloses it for a business purpose, disclose the categories of personal information involved and the categories of third parties to which it was sold, shared or disclosed.
Businesses subject to the CPRA must:
- Map their data collection, data flows and processing activities, and keep a reliable record of the data being collected and used.
- Provide detailed privacy notices describing the data they collect and the purposes for which it will be used, including whether the data is shared, with whom and for what purpose.
- Maintain reasonable security practices to prevent breaches.
- Maintain a procedure for handling consumer requests promptly and within the statutory deadlines.
Basis of processing data
Unlike the GDPR, the CPRA does not make consent the general basis for processing: a business may collect and use personal information after giving notice of its purposes, and consumers exercise control through their opt-out and limitation rights. Where the CPRA does require consent (for example, before selling or sharing a minor's personal information), that consent must be freely given, specific, informed and unambiguous. A business must clearly state the purposes of processing and may not use personal information for incompatible purposes without notice, and consumers may limit the use of their sensitive personal information. A service provider or contractor that engages another person to process personal information on its behalf must notify the business of that engagement. Processing needed to comply with legal obligations remains permitted.
Any business, service provider, contractor or other person that violates the CPRA is subject to an injunction and liable for a civil penalty of up to $2,500 for each violation, or $7,500 for each intentional violation and each violation involving the personal information of minor consumers.
Connecticut Data Breach Law (CDBL)
Connecticut's data breach law, as amended in 2021, took effect on October 1, 2021. The amendment broadened the categories of data that count as personal information, and the law applies to any person or organization, including non-profits, that owns, licenses or maintains computerized personal information of Connecticut residents.
The categories of personal information covered by the law include:
- Individual taxpayer identification number
- Identity protection personal identification number issued by the IRS
- Passport number, military identification number or other identification number issued by the government that is used to verify identity
- Medical information regarding an individual’s medical history, mental or physical condition or medical treatment or diagnosis by a healthcare professional
- Health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the individual
- Biometric information consisting of data generated by electronic measurements of an individual’s unique physical characteristics and used to authenticate or ascertain the individual’s identity, such as a fingerprint, voice print, retina or iris image; and
- User name or electronic mail address, in combination with a password or security question and answer that would permit access to an online account.
Rights of Consumers
Connecticut's subsequent Data Privacy Act (CTDPA), effective July 1, 2023, grants consumers the following rights and imposes these obligations:
- The consumer can opt out of the sale of their personal data, of targeted advertising and of profiling, and can require the company to stop sharing their data with third parties for those purposes.
- The consumer can, on request, obtain the personal data the company holds about them.
- The consumer can request that the company delete the personal data it holds about them.
- The consumer can correct inaccuracies in the personal data they earlier provided to the company.
- The company must conduct a thorough data assessment and map what data it collects and what data it shares.
- Under the breach law, an entity must notify affected Connecticut residents and the Attorney General when personal information is breached or is reasonably believed to have been breached; an entity that maintains such data on behalf of its owner or licensee must notify that owner or licensee.
Basis of Processing of Data
Controllers may process personal data for the purposes disclosed to the consumer, but may not process sensitive data without the consumer's consent, which must be given by a clear affirmative act. The relationship between a controller and a processor must be governed by a contract. Data may be processed without consent where necessary to comply with a legal obligation or to protect a person's vital interests, provided the processing does not harm the consumer's interests.
The law is enforced by the Attorney General of Connecticut. Violations are treated as unfair trade practices and attract civil penalties; the Act does not create a private right of action for consumers.
A controller or processor may be liable for a civil penalty of up to $7,500 for each violation.
Virginia Consumer Data Protection Act (VCDPA)
Virginia enacted its Consumer Data Protection Act (VCDPA) on March 2, 2021; the Act took effect on January 1, 2023. The legislation is modeled on the framework of the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA). It gives Virginia residents rights over personal data collected about them, ensuring a measure of control over its processing.
The legislation applies to entities that conduct business in Virginia or produce products or services targeted to Virginia residents, and that:
- Annually control or process the personal data of at least 100,000 Virginia residents, or
- Control or process the personal data of at least 25,000 Virginia residents and derive over 50% of their gross revenue from the sale of personal data.
Rights of the Consumers
- To confirm whether the controller is processing their personal data;
- To access the personal data being processed;
- To correct inaccuracies in their personal data;
- To delete personal data provided by or obtained about them;
- To obtain a copy of the personal data they provided to the controller, in a portable format;
- To opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Controllers must:
- Conduct data protection assessments for higher-risk processing (targeted advertising, sale of personal data, profiling and processing of sensitive data) and map the flow of data.
- Maintain a list of all the data they collect and document the purpose of each collection.
- Provide privacy notices and policies informing consumers of the purposes of collection, retention periods and the termination of processing.
- When selling or sharing collected data, put appropriate safeguards in place and ensure that the recipient maintains appropriate safeguards of its own.
- When transferring data outside the country, ensure that the data remains protected and that strong privacy policies are in place to prevent a breach.
Basis of processing of Data
Controllers may process personal data for the purposes disclosed to the consumer, but may not process sensitive data without the consumer's consent, given by a clear affirmative act.
The VCDPA places particular emphasis on data protection assessments and data mapping for the sale and sharing of personal data, and expressly grants consumers the right to opt out of targeted advertising, sale and profiling. Enforcement rests exclusively with the Attorney General; fines of up to $7,500 per violation can be imposed.
Colorado Privacy Act (CPA)
The Colorado Privacy Act (CPA) passed the legislature on June 8, 2021 and takes effect on July 1, 2023. Its scope is reminiscent of the VCDPA and CCPA but includes a few notable differences.
The CPA applies to any controller that:
- Conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado; and either
- Controls or processes the personal data of 100,000 or more consumers during a calendar year; or
- Derives revenue or receives a discount on the price of goods or services from the sale of personal data and controls or processes the personal data of 25,000 or more consumers.
Rights of Consumers
- Right to opt out: The consumer can opt out of the sale of their personal data, targeted advertising and certain profiling.
- Right to access: The company must provide the consumer, on request, with the personal data it holds about them.
- Right to correction: The consumer has the right to rectify inaccuracies in the personal data provided earlier.
- Right to deletion: The consumer can require the company to delete personal data concerning them.
- Right to data portability: The consumer can obtain their personal data in a portable and readily usable format so that it can be transferred to another company.
Controllers must:
- Map where data is collected from and how it is used.
- Conduct data protection assessments for processing that presents a heightened risk of harm to consumers, such as targeted advertising, sale of personal data, profiling and processing of sensitive data.
- Review data security measures at regular intervals.
- Maintain privacy notices and policies.
- Maintain a procedure for handling consumer requests promptly and within the statutory deadlines.
Basis for processing of data
Controllers may process personal data for the purposes disclosed to the consumer, but may not process sensitive data without the consumer's consent, given by a clear affirmative act. Processing carried out by a processor on behalf of a controller must be governed by a contract. Processing without consent is permitted for reasons of public interest in the area of public health, but only to the extent necessary. Consumers may opt out of the sale of their personal data, and a controller may process personal data where necessary to perform a contract with the consumer, which must be disclosed to them.
The Attorney General and district attorneys have exclusive authority to enforce the Act; violations are treated as deceptive trade practices under the Colorado Consumer Protection Act, and the Act creates no private right of action.
Utah Consumer Privacy Act
The Utah Consumer Privacy Act ("UCPA") was introduced on February 17, 2022 and was signed into law on March 24, 2022. The UCPA takes effect on December 31, 2023.
It applies to businesses with annual revenue of $25,000,000 or more that conduct business in Utah or produce products or services that target Utah residents and that:
- Control or process the personal data of 100,000 or more consumers; or
- Derive over 50% of gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.
The UCPA does not apply to:
- Government entities;
- Higher Education institutions;
- Businesses that are covered entities under HIPAA; and
- Information subject to HIPAA, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, or the Driver's Privacy Protection Act.
The law defines personal data as "information that is linked or reasonably linkable to an identified individual or an identifiable individual", and a consumer as "an individual who is a resident of Utah acting in an individual or household context"; the Act applies only to the personal data of consumers.
The Act, however, provides exceptions for de-identified data, aggregated data and publicly available information. Entities subject to the UCPA are not required to re-identify de-identified or pseudonymous data in order to comply with the statute's obligations.
Rights of Consumers
The Act grants consumers rights over personal data processed by controllers and processors. Consumers exercise these rights by submitting a request through the methods the controller specifies in its privacy notice. The rights include:
- Right to confirm whether the controller is processing the consumer's personal data.
- Right to access the personal data the consumer provided to the controller.
- Right to delete the personal data the consumer provided to the controller.
- Right to obtain a copy of the personal data the consumer provided to the controller, in a portable format.
- Right to opt out of the sale of personal data and of processing for targeted advertising; disclosure to a third party is not a sale if the purpose is consistent with the consumer's reasonable expectations.
- Right against discrimination for exercising these rights.
Controllers and processors must enter into a contract establishing the details of the processing, along with the parties' rights and obligations. The contract must set out the instructions for processing, the nature and purpose of the processing, the type of data being processed and the duration of processing. Their further obligations include:
- Providing consumers with privacy notices covering the categories of personal data the controller processes, the purposes of processing, how consumers can exercise their rights under the law, and the categories of personal data shared with third parties along with the categories of those third parties.
- Establishing, implementing and maintaining reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data.
- Setting out contractual requirements when engaging data processors.
- Giving consumers clear notice before processing "sensitive data" and an opportunity to opt out of that processing.
- Processors must adhere to the controller's instructions and take appropriate technical and organizational measures to help the controller meet its obligations, including those relating to the security of personal data and breach notification.
- Processors must ensure that all persons handling personal data are subject to a duty of confidentiality with respect to that data.
- Processors must engage any subcontractor under a written agreement that requires the subcontractor to meet the same obligations as the processor with respect to the personal data.
There is no private right of action under the Act; instead it provides a bifurcated enforcement scheme.
The Division of Consumer Protection within the Utah Department of Commerce investigates consumer complaints and refers the cases it deems legitimate to the Attorney General's office.
Before taking action, the Attorney General must give the business written notice and an opportunity to cure the violation within 30 days of receiving that notice.
Penalties under the UCPA may include actual damages to the consumer and statutory penalties of up to $7,500 per violation.
Oklahoma Computer Data Privacy Act of 2022
The Oklahoma Computer Data Privacy Act of 2022 (the "Bill") would apply to for-profit businesses that do business in the state, collect the personal information of Oklahoma residents and determine the purposes and means of its processing. The Bill defines a "business" as a sole proprietorship, partnership, limited liability company, corporation, association or other legal entity that collects consumers' personal information, or on whose behalf such information is collected, that alone or jointly with others determines the purposes and means of processing it, that does business in the State of Oklahoma, and that satisfies one or more of the following thresholds:
- has annual gross revenues in excess of ten million dollars ($10,000,000.00) in the preceding calendar year;
- alone or in combination, annually buys, receives, shares or discloses for commercial purposes the personal information of twenty-five thousand (25,000) or more consumers, households or devices; or
- derives fifty percent (50%) or more of its annual revenues from sharing consumers' personal information.
The definition also extends to:
- any entity that controls or is controlled by such a business, shares common branding with it, and with which the business shares consumers' personal information; and
- a joint venture or partnership composed of businesses in which each business has at least a forty-percent (40%) interest.
Rights of Data Subjects
- Right to access: to request disclosure, via a verifiable consumer request, of the categories and specific items of personal information the business has collected.
- Right to seek deletion of personal information.
- Right to be informed about the sale or disclosure of one's data.
- Right to prohibit the retention, use or disclosure of one's own personal data.
- Right to opt in to the sale of one's personal information.
- Right against discrimination.
- Right to data portability.
- Right to correct inaccurate information.
Businesses, service providers and third parties have corresponding obligations:
- Reasonable steps must be taken to erase personal information that the business, service provider or third party made public, taking into account available technology and the cost of implementation.
- A business may only collect, or share with third parties, information that is reasonably necessary to provide a good or service the consumer has requested, or that is reasonably necessary for security purposes or fraud detection.
- A business must limit its use and retention of a consumer's personal information to what is reasonably necessary to provide a service or conduct an activity the consumer has requested, or for a related operational purpose.
- A business must inform any consumer whose data is collected of their right to opt out of personalized advertising, and must comply with such a request promptly and free of charge.
- A third party must notify the consumer of its new or changed practices in a conspicuous manner that allows the consumer to easily exercise a right under the Bill before it uses or shares the personal information.
- A business must designate and make available to consumers, in a reasonably accessible form, at least two methods for submitting a verifiable consumer request for information required to be disclosed or deleted under the Bill.
- Upon receiving a verifiable consumer request, a business must promptly take steps to verify the identity of the requesting consumer as detailed in the Bill.
- A business must ensure that each person responsible for handling consumer inquiries about its privacy practices or compliance is informed of the requirements of the Bill.
Legal Basis for Processing
Any eligible business will be required to “only collect and/or share information with third parties that is reasonably necessary to provide a good or service to a consumer who has requested the same or is reasonably necessary for security purposes or fraud detection.”
It is also explicitly provided that the monetization of personal information shall never be considered reasonably necessary for any purpose.
The enforcement authority under the Bill is the Oklahoma Attorney General who is entitled to recover reasonable expenses, including reasonable attorney fees, court costs and investigatory costs, incurred in obtaining injunctive relief or civil penalties, or both, under this section. Amounts collected under this section shall be deposited in a dedicated account in the General Revenue Fund and shall be appropriated only for the purposes of the administration and enforcement of this act.
Any person, business, or service provider that violates this act may be liable for a civil penalty of up to seven thousand five hundred dollars ($7,500) for each intentional violation and up to two thousand five hundred dollars ($2,500) for each unintentional violation.
We offer the following services to our clients as a part of our US Implementation Programs:
- Implementing privacy ecosystems
- Conducting Data Protection Impact Assessments
- Conducting gap assessments
- Acting as a Data Protection Officer
- Data protection and privacy consulting and advisory
- Evaluating and monitoring compliance levels from a legal standpoint across jurisdictions
- Drafting relevant agreements and policies for securing consent, provision of notice, etc.
- Suggesting security and privacy best practices, policies and standards
- Developing mitigation plans for possible privacy breaches
- Assisting with disputes in the realm of data protection and privacy, if any
- Delivering training on the legal provisions to the teams concerned
Benefits of the USA Compliance Program
As part of our USA compliance program, we help you to:
- Achieve compliance with the privacy laws efficiently and effectively.
- Identify, assess and strategize around the personal data within your organization.
- Adapt, improve and leverage your existing privacy compliance in order to comply with the legislation.
- Respond to data subject rights requests and fulfil business obligations under the legislation.
- Manage policies and notices and maintain data-privacy structures within the organization.
- Provide an effective solution to all organizational privacy requirements.
- Obtain cost-effective privacy compliance solutions from subject-matter experts.
- Implement the privacy program with industry professionals who have prior experience with US multinational corporations.
© 2019 Reina Consulting LLP – All rights reserved