Companies may want to review their consumer rights processes as we approach July 1. This is the date of enforcement for those parts of CCPA modified by CPRA. It is also the effective date of two more state privacy laws: Colorado and Connecticut. Neither law differs much in substance from the laws in California and Virginia, but an entity that was not subject to those laws may be subject to the laws in these two additional states. Let’s recap the requirements around choice and individual rights:

  • Companies in all four states need to give consumers the ability to opt out of the sale of personal information, targeted advertising and profiling that produces a “legal or similarly significant” impact. (California also imposes requirements for opting out of the “sharing” of personal information.)
  • In California, consumers must be given the opportunity to opt out of the processing of sensitive information. (Consent, i.e. an opt-in, is needed in Virginia, Colorado (with some exceptions) and Connecticut.)
  • Consumers must be given the right to access, correct and have information deleted in all four states.
    • In all of them, certain exceptions apply, such as where a request involves a disproportionate effort (California), is manifestly unfounded, excessive or repetitive (California, Colorado, Connecticut, Florida, Indiana, Iowa, Montana, Tennessee, Texas, Utah, Virginia), or is technically infeasible or impossible (California, Colorado, Iowa, Montana, Utah).
    • Similar requirements (and exceptions) will apply in future jurisdictions as well. However, Utah and Iowa will not give a correction right, and Indiana’s correction right is limited to information the person gave the company.
    • Companies have 45 days to respond to rights requests in all states (except Iowa, where it will be 90 days and Florida, where it will be 60 days), with all allowing companies to extend that time frame by 45 days if “reasonably necessary” (Florida’s extension, however, will be 15 days). 
    • Additionally, from a process standpoint, all states contemplate verifying consumer identities as part of the rights granting process.
    • Consumers can exercise rights twice within a 12-month period in California, Florida, Iowa, Tennessee, Texas, and Virginia, but only once in Colorado, Connecticut, Indiana, Montana, and Utah.

Putting It Into Practice: As we approach the July 1 effective date for Colorado and Connecticut’s privacy laws, now may be an appropriate time to review your current rights response practices, especially if you already receive a high number of requests.