U.S. State Privacy Laws in 2023: California, Colorado, Connecticut, Utah and Virginia

In 2023, new consumer privacy laws will be effective in California, Colorado, Connecticut, Utah, and Virginia.  These laws will come online throughout the year as follows:

  • Virginia’s law is effective and enforceable on January 1, 2023;
  • California’s amendments are effective on January 1, 2023 and enforceable on July 1, 2023;
  • Colorado’s law is effective and enforceable on July 1, 2023;
  • Connecticut’s law is effective and enforceable on July 1, 2023; and
  • Utah’s law is effective and enforceable on December 31, 2023.

At the end of this article is a link to a summary chart, comparing key components of these laws.  Additionally, for a more in-depth discussion of California, Virginia, and Colorado’s laws, review our prior article here.  As an overview, the laws of each state share high level similarities in consumer rights, but the various laws fall into three buckets, with Colorado, Connecticut, and Virginia’s laws being closely related, Utah’s law representing a slight deviation from those, and California’s off on its own.  It is important to note that the California Consumer Privacy Act (“CCPA”) is currently in effect, but the comparisons below and the summary chart consider the California law after January 1, 2023, the effective date of CCPA amendments adopted through the California Privacy Rights Act (“CPRA”).

View this chart for a summary and comparison of the features of the California, Connecticut, Colorado, Utah, and Virginia statutes.


1.  Applicability

The Colorado, Connecticut, Virginia, and Utah laws adapt terminology of the European Union’s General Data Protection Regulation (“GDPR”) and apply to “controllers,” defined to include persons that determine the purposes for and means of processing personal data and that (i) conduct business or produce goods or services that are intentionally targeted to state residents, and (ii) either: (A) control or process the personal data of more than 100,000 residents per year; or (B) derive varying shares of total revenue from the sale of personal data of at least 25,000 residents.  Utah also includes a revenue threshold of $25,000,000 or more, like California.  Colorado, Connecticut, Virginia, and Utah all include exemptions for personnel and business-to-business information, which is a major issue in California given that these exemptions will sunset on January 1, 2023, as we discuss briefly here.  Notably, the states other than California exempt financial institutions subject to the federal Gramm-Leach-Bliley Act of 1999 (the “GLBA”) at the entity level; in California, only data collected subject to the GLBA (rather than the institutions themselves) are exempt from the CCPA.

2.  Consumer Rights

The consumer rights provided by all of the state laws are similar.  They provide rights of access, correction, portability and deletion, as well as rights to limit processing and to opt out of sales of data, profiling and targeted advertising.

3.  Requirements for Processors/Service Providers

Although California uses different terminology, all five states also require controllers (or businesses in California) to enter into contracts (including specific terms) with processors (service providers or contractors in California), which are defined as third parties that process personal data on the controller’s behalf, and to protect the information they process with at least reasonable data security.

4.  Data Protection Assessments

Colorado, Connecticut, and Virginia all require the performance of Data Protection Assessments (“DPAs”) prior to performing certain processing activities considered “high risk”.  This includes processing of “sensitive data,” which includes health data, genetic or biometric data, children’s data, or data that would reveal an individual’s race, ethnicity, sexual orientation, sex life, or citizenship status.  DPAs will also be required for targeted advertising or profiling if the processing could result in a wide variety of otherwise reasonably foreseeable risks to residents following the processing activities.  Notably, California includes two new types of assessments, one for processing similar to the DPA, and another for cybersecurity in the CPRA’s amendments to the CCPA.  As we discuss briefly here, California has yet to provide any guidance on requirements for these new assessments.

5.  Enforcement

Enforcement is one of the areas where the states have noticeably diverged.  Colorado’s law is enforced by its Attorney General and District Attorneys, while the Attorneys General will be responsible for enforcement in Connecticut, Utah, and Virginia.  In California, a newly formed agency, the California Privacy Protection Agency, will be charged with enforcement.  While all other states retained a right to cure for alleged violations, California removed its cure provision entirely.  The lack of a cure period, in combination with its new, dedicated enforcement agency, may indicate higher enforcement risk in California than in other states.


Courtesy of Theodore Augustinos, Alexander Cox, Locke Lord LLP, JDSupra.com

(Jan. 28, 2022) State-chartered credit unions in Illinois will receive a fee credit of nearly $1.9 million from the state, based on regulatory fees collected in 2021 that exceeded state regulatory expenses, the Illinois Credit Union League (ICUL) said last week. That represents one of the largest fee credits ever, according to the ICUL.

The fee credit is based on legislation, sought by the league, that implemented a settlement of a case brought by the ICUL in 2004. Among other things, the settlement reduced the state’s Credit Union Fund margin that triggers a credit back to credit unions. According to the ICUL, the amount of each regulatory fee credit is based on the fee paid by individual credit unions as a proportion of the aggregate total of fees collected by the state.

LINK:

League-Initiated Legislation Yields One of the Largest Fee Credits Ever for Illinois Credit Unions Announcements

(Jan. 21, 2022) There were 56 credit unions authorized to do business in Maine at mid-year 2021 – which altogether held $10.3 billion in assets, for 22.07% of all financial institution assets in the state — according to the annual report to the state’s legislature issued this week by the Maine Bureau of Financial Institutions. The charter types for the credit unions included 12 state credit unions chartered by Maine, two credit unions chartered by other states, and 42 federal credit unions. Overall, Maine-chartered credit unions, the report notes, held $3.15 billion in assets, representing a year-over-year increase of 15.2% ($416 million). For more information on Maine credit unions (and financial institutions) see the link below to the full report.

LINKS:

Annual Report from The Superintendent Of The Bureau Of Financial Institutions To The Legislature

 

(Dec. 3, 2021) The latest state supervisor to earn reaccreditation from NASCUS is the Texas Credit Union Department, following the series of in-depth reviews and assessments by a panel of veteran state supervisors.

Both Texas Commissioner John J. Kolhoff and NASCUS President and CEO Lucy Ito noted the significance of the certification.

“Reaccreditation demonstrates the value we as examiners and an agency provide to the industry and its members,” said Kolhoff, who also serves as secretary/treasurer of the NASCUS Regulator Board. “Our credit union examination department ensures compliance with our laws while following best practices to meet the highest national standards in our supervision of more than $54 billion in assets across 175 credit unions. I am proud of our team for receiving the NASCUS Reaccreditation.”

Ito noted that accreditation is express evidence of an agency’s capabilities, which benefits all credit unions in the state. “This program recognizes the professionalism of a state agency’s regulators, supervisors, and staff while potentially delivering support for state law modernization and policy changes to advance state supervisory processes and best practices,” she said.

To earn the certification, a state supervisory agency must demonstrate it meets accreditation standards in agency administration and finance, personnel and training, examination, supervision, and legislative powers.

NASCUS began developing the program in 1989; it is modeled on the university accreditation concept by applying national performance standards to a state’s credit union regulatory program.

LINK:

NASCUS Accreditation Program

(Sept. 24, 2021) Credit unions have long prided themselves as the financial institutions that put consumer members and communities first – and responses to last month’s hurricane by a Louisiana state-chartered credit union are perfect examples of putting that pride to work.

According to the Louisiana Office of Financial Institutions (OFI), Pelican State Credit Union (of Baton Rouge) took several key steps to offer relief to their members, and the community, in the wake of Hurricane Ida. The LA OFI reports that Pelican State told the regulator that the credit union:

  • Proactively refunded more than $118,000 in overdraft protection program, non-sufficient funds and ATM fees for charges incurred from Aug. 28 to Sept. 3;
  • Made available disaster relief loans, credit card limit extensions, and more time to make loan payments;
  • Provided supplies to other credit unions in areas affected by the hurricane and its aftermath, including lunch to the employees of one credit union.

This week, according to LA OFI, the credit union completed its “gas giveaway,” which distributed $7,000 worth of gasoline to residents in hard-hit Terrebonne Parish (on the Gulf Coast), offering relief to persons using generators to provide power in the wake of the storm, now more than three weeks ago.

“The efforts of Pelican State, supported by the LA OFI, to lend assistance to those in need at this critical time are a great reflection on the CU Industry in the state and nationwide,” said NASCUS’ Lucy Ito. “The credit union maintains the mission of serving its members above all else – and the state regulator ensures an environment where such service can be provided quickly and efficiently. Congratulations, and thanks, to all.”