#childsafety | Summary Of Current State Privacy Laws

Effective Date January 1, 2020 (12-month lookback period) January 1, 2023 (12-month lookback period, but for personal information collected after 1/1/2022, consumers may request information beyond 12-month period) January 1, 2023 July 1, 2023 July 1, 2023 December 31, 2023 Covered Entities Businesses; requires contracts between Businesses and Service Providers No change to CCPA Controllers and Processors; requires contracts between Controllers and Processors and Processors must assist Controllers in performing their obligations Controllers and Processors; requires contracts between Controllers and Processors and Processors must assist Controllers in performing their obligations Controllers and Processors; requires contracts between Controllers and Processors and Processors must assist Controllers in performing their obligations Controllers and Processors; requires contracts between Controllers and Processors and Processors must assist Controllers in performing their obligations Threshold Requirements Any legal entity organized or operated for the profit or financial benefit of its shareholders/owners that does business in CA and:
(1) Has annual gross revenues > $25 mil;
(2) Annually buys, sells, or shares personal information of 50,000 or more consumers or households; or
(3) Derives 50% or more annual revenues from selling personal information Increases threshold number of consumers and households to 100,000 and applies to any legal entity that derives 50% or more annual revenues from selling or sharing personal information Person conducts business in VA or produces products or services targeted to VA residents and:
(1) Processes personal data of 100,000 or more consumers during a calendar year; or
(2) Derives revenue or receives a discount on goods or services from the sale of personal data, and processes personal data of 25,000 or more consumers Controller conducts business in CO or produces products or services targeted to CO residents and:
(1) Processes personal data of 100,000 or more consumers during a calendar year; or
(2) Derives revenue or receives a discount on goods or services from the sale of personal data, and processes personal data of 25,000 or more consumers Person conducts business in CT or produces products or services targeted to CT residents and during preceding calendar year:
(1) Controlled or processed personal data of 100,000 or more consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
(2) controlled or processed personal data of 25,000 or more consumers and derived > 25% of gross revenue from the sale of personal data Controller or processor conducts business in the state or produces products or services targeted to UT residents and:
(1) has annual revenue of $25,000,000 or more; and
(2) Controls or processes personal data of 100,000 or more consumers or derives > 50% of gross revenue from the sale of personal data and
controls or processes personal data of 25,000 or more consumers Definition of Consumer CA resident; many provisions pertaining to commercial contacts and employees deferred until 1/1/2023 No change to CCPA VA resident, excluding commercial contacts and employees CO resident, excluding commercial contacts and employees CT resident, excluding commercial contacts and employees UT resident, excluding commercial contacts and employees Definition of Personal Information/Data Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household No change to CCPA Information that is linked or reasonably linkable to an identified or identifiable individual Information that is linked or reasonably linkable to an identified or identifiable individual Information that is linked or reasonably linkable to an identified or identifiable individual Information that is linked or reasonably linkable to an identified or identifiable individual Personal Information/Data Excludes De-Identified Data and Publicly Available Information No change to CCPA Sensitive Information/Data No change to CCPA

Mental/physical health condition or diagnosis

No change to CCPA No change to CCPA No change to CCPA

Genetic/biometric information

No change to CCPA X
Personal information pertaining to children is not defined as “sensitive,” but parental consent is required for the “sale” of personal information pertaining to children under 13, and teens under 16 must opt-in to a “sale” of their personal information No change to CCPA

X

Personal data pertaining to children is not defined as “sensitive,” but controllers must comply with COPPA No change to CCPA

X

No change to CCPA

X

No change to CCPA

X

No change to CCPA

X

No change to CCPA Consent Required to Process Sensitive Personal Information/Data

X

Personal information pertaining to children is not defined as “sensitive,” but parental consent is required for the “sale” of personal information pertaining to children under 13, and teens under 16 must opt-in to a “sale” of their personal information

X

No, but right to limit use and disclosure of sensitive personal information

Consent required to process sensitive data, and consent from parent or guardian required to process sensitive data pertaining to a child

Consent required to process sensitive data, and consent from parent or guardian required to process sensitive data pertaining to a child (defers to COPPA)

Consent required to process personal data for targeted advertising or sell personal data if Controller has actual knowledge, and willfully disregards, that the consumer is 13-16 years of age

X

Controller must provide consumer with notice and right to opt-out of data collection

Children’s data is not defined as “sensitive,” but controllers must comply with COPPA What Constitutes a Sale of Personal Information/Data Selling, renting, releasing, disclosing, disseminating, making available, transferring, or communicating personal information for monetary or other valuable consideration Adds “sharing” to definition and clarifies that behavioral advertising constitutes a sale Exchange of personal data for monetary consideration Exchange of personal data for monetary or other valuable consideration Exchange of personal data for monetary or other valuable consideration Exchange of personal data for monetary consideration What Does Not Constitute a Sale

Disclosure of personal data to a processor
Disclosure of personal data to a third party to provide a product or service requested by a consumer
Disclosure or transfer of personal data to an affiliate
Disclosure of personal data as part of a merger, acquisition, bankruptcy, or similar transaction
Disclosure of personal data at consumer’s direction or intentionally by consumer

Disclosure of personal data to a processor
Disclosure of personal data to a third party to provide a product or service requested by a consumer
Disclosure or transfer of personal data to an affiliate
Disclosure of personal data as part of a merger, acquisition, bankruptcy, or similar transaction
Disclosure of personal data at consumer’s direction or intentionally by consumer

Disclosure of personal data to a processor
Disclosure of personal data to a third party to provide a product or service requested by a consumer
Disclosure or transfer of personal data to an affiliate
Disclosure of personal data as part of a merger, acquisition, bankruptcy, or similar transaction
Disclosure of personal data at consumer’s direction or intentionally by consumer

Disclosure of personal data to a processor
Disclosure of personal data to a third party to provide a product or service requested by a consumer or a parent/guardian on behalf of a child
Disclosure or transfer of personal data to an affiliate
Disclosure of personal data as part of a merger, acquisition, bankruptcy, or similar transaction
Disclosure of personal data at consumer’s direction or intentionally by consumer

Privacy Notice Required No change to CCPA Consumer Rights Regarding Personal Information/Data Collected

Right to know categories, specific pieces of personal information collected, and categories of sources and parties with whom information is shared

Business must provide at least two methods for making requests, including toll-free number No change to CCPA

X

Business must provide at least two methods for making correction requests, including toll-free number

X

Right to opt-out of sale of personal information

Opt-in consent for consumers under 16
Parental consent for consumers under 13
Provide at least two methods for requests
Websites must include link to “Do Not Sell My Personal Information” page

Right to opt-out of sale or sharing of personal information

Websites must include “Limit the Use of My Sensitive Personal Information” link in addition to “Do Not Sell or Share My Personal Information” link Right to opt-out of sale of personal data, targeted advertising, and profiling Right to opt-out of sale of personal data, targeted advertising, and profiling

Contemplates a user-selected universal opt-out mechanism effective 7/1/2024 Right to opt-out of processing personal data for targeted advertising, the sale of personal data, or profiling

Methods employed to allow consumers to exercise their rights must include a website link to a page that enables a consumer or agent to opt-out of targeted advertising or a sale of personal data

No later than 1/1/2025, Controllers must allow consumers to opt-out of targeted advertising or a sale of personal data through an opt-out preference signal sent, with a consumer’s consent, by a platform, technology, or mechanism indicating the intent to opt-out Right to opt-out of sale of personal data and targeted advertising

Data should be provided in a format easily understandable to the average consumer, and to the extent technically feasible, in a structured, commonly used, machine-readable format Timeframe for Responding Access and Deletion Requests: Acknowledge within 10 business days; respond within 45 days
Opt-Out Requests: Respond within 15 business days

Adds 45 days to respond to correction requests 45 days 45 days 45 days 45 days 45 days Data Minimization No change to CCPA Non-Discrimination No change to CCPA Authorized Agent Can Invoke Rights on Behalf of Consumer No change to CCPA

X

Agent can invoke right to opt-out of a sale, targeted advertising, or profiling

X

Parent Can Invoke Rights on Behalf of Child No change to CCPA Parental Consent for Collection of Personal Information/Data from Children Under 13

X

Parental consent is not required for the collection of personal information from children, but parental consent is required for the “sale” of personal information pertaining to children under 13, and teens under 16 must opt-in to a “sale” of their personal information No change to CCPA

Defers to COPPA

Defers to COPPA Written Contracts with Service Providers/Processors and Others Required

Requires contracts between Businesses and Service Providers

New defined term of “Contractor” and new requirements for contracts between Businesses and Contractors

Requires contracts between Controllers and Processors

Requires contracts between Controllers and Processors Recordkeeping

At least 24 months

X

Data Impact Assessments Required

X

Implement and Maintain Reasonable Administrative, Technical, and Physical Data Security Practices No change to CCPA Private Right of Action

Only in the event of a security breach that compromises “personal information” (as that term is defined in a separate California data breach notification law)

Extends CCPA private right of action to breach of a username and password that permits access to an account

X

Enforcement AG Creates new California Privacy Protection Agency AG AG, District Attorneys AG Division of Consumer Protection will investigate and refer to AG Opportunity to Cure 30 days Eliminates CCPA right to cure effective 1/1/2023 30 days 60 days (expires 12/31/2024) 60 days (expires 12/31/2024, but within AG’s discretion after such date) 30 day

Source link
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .