CCPA/CPRA Data Mapping: The Why, What, and How
How often does the word “right” show up in the text of the CCPA/CPRA?Read Now
June 27, 2022
Now that we’ve made some headway into 2022, it’s a good time to pause and look back on the most recent data privacy laws enacted in the US.
There have been so many developments in data privacy legislation that it can be easy to miss the newest laws on the books or even fail to realize your business is subject to one law or another. To help businesses take a moment and catch their breath, let’s take a look at the two laws enacted in 2022 thus far: the Utah Consumer Privacy Act (UCPA) and the Connecticut Data Privacy Act (CTDPA).
Incidentally, these are an interesting pair to examine because they represent very different approaches for US data privacy laws. The UCPA is quite business-friendly, while the CTDPA is quite consumer-friendly.
In the US, the most consumer-friendly law is California’s CCPA/CPRA, but even that doesn’t quite match up to the consumer-first attitude seen in the EU’s GDPR. While the spectrum of business- vs. consumer-friendliness in the data privacy world is broad, the UCPA and CTDPA serve as two good examples of the different approaches.
As we mentioned before, the UCPA is one of the more business-friendly data privacy laws in the US. There are a few different features that make this the case.
Namely, there are some large exceptions to what the UCPA considers “data” and what activities it covers. For example, it defines the “sale” of data as actually requiring an exchange of money, whereas other laws define the “sale” of data as any exchange of data at all or explicitly cover sharing data as well.
Moreover, the UCPA defines “data” as “information that is linked or reasonably linkable to an identified individual or an identifiable individual,” which seems pretty broad. However, it carves out exceptions for aggregated and de-identified data. These refer to personal information related to a group or category of consumers and data related to an individual, respectively, that cannot be linked back to the original data subject(s). In contrast, most data privacy laws only make exceptions for de-identified data, if at all.
Organizations are also freely permitted to collect data on employees, commercial partners, and the like, as they do not constitute “consumers” under the UCPA. And if the organization in question is a higher education institution, a nonprofit, or a government contractor, the UCPA doesn’t apply to them at all (though often other privacy-related regulations cover these entities).
Even though there are looser requirements under the UCPA relative to other data privacy laws, it’s worth noting that the bulk of businesses operating within or serving Utah are still subject to it. There are plenty of businesses with $25 million in revenue that control or process at least 100k Utah residents’ data. Their energy will be better spent becoming compliant rather than searching for a loophole.
What’s more, the UCPA is one of the easier privacy laws to become compliant with anyhow. For example, the UCPA, like many other data privacy laws, requires data controllers (e.g., the business collecting data) and processors (e.g., a vendor analyzing that data) to have a contract in place with one another laying out how data will be processed and protected. Among other requirements, the UCPA requires these contracts to:
But compared to other data privacy laws, UCPA has the fewest requirements for these data processing agreements.
There are other business-friendly aspects to the UCPA, like the inability for private citizens to sue over noncompliance and requiring consumers to opt-out of collection (rather than opt-in), but these are common to most US privacy laws — which are generally more favorable to businesses than, say, the EU’s GDPR.
Unlike the UCPA, the CTDPA skews more toward consumer-friendliness. It doesn’t feature the broad exceptions and carve-outs that the UCPA features, although it does exempt businesses that solely process data to complete a payment transaction. The thinking here is that data privacy regulations really shouldn’t apply to businesses like convenience stores, barbers, and others that aren’t really analyzing or profiting off of customer data.
It also does not feature a revenue threshold. Under the UCPA, businesses have to have at least $25 million in revenue before they are subject to the regulation, but the CTDPA covers any business that processes at least 100k consumers’ data or earns a quarter of its revenue from processing the data of at least 25k consumers.
Like the UCPA, the CTDPA exempts state and local government entities, nonprofits, and higher education institutions from the regulation, as well as employees and commercial partners. It also does not give private citizens a right to sue for noncompliance — in fact, the only regulation that does permit a limited “private right of action” is the CCPA/CPRA.
The CTDPA also defines the “sale” of data as involving a monetary transaction as well as “other valuable considerations.” Thus, it covers a broader swathe of data transfers, including sharing the data for targeted advertising.
Furthermore, the CTDPA defines a special category of personal information known as “sensitive information.” This includes certain types of information like race, sexual orientation, health information, citizenship status, and more.
While the UCPA and several other data privacy regulations recognize this category, they don’t treat it particularly differently. The CTDPA, however, requires consumers to explicitly opt-in when sensitive information is being collected. Under most other circumstances, the US takes an opt-out approach to consumer consent; consumers are assumed to consent to data collection by continuing to use the website or app. When sensitive information is collected, the CTDPA says you have to get consumers to explicitly consent to its collection first.
Lastly, the CTDPA explicitly forbids the use of so-called dark patterns — or manipulative design practices — from securing user consent. The CPA (Colorado’s Consumer Protection Act) and CCPA/CPRA also share this feature.
Between the lack of a revenue threshold, the opt-in requirements for sensitive information, and the ban against dark patterns, we can see that the CTDPA generally takes the consumer’s side in data privacy. But even more business-friendly regulations like the UCPA are a far cry from the wild west of broad data collection that we saw in the 2000s and 2010s with companies like Facebook, Amazon, and Google.
While reviewing the notable aspects of each of these laws is a good way to build a general awareness of the regulations that might apply to you and your business, there really isn't any substitute for reviewing the text of the laws yourself and/or with legal counsel. That's not to say there isn't any benefit to reading blogs like this one — they're a good way to stay alert to the comings and goings of the privacy world without needing to be plugged into the minutiae of every state legislature in the US.
That’s especially true considering the fact that states are producing new data privacy laws all the time, and states even tweak old laws that you thought you were familiar with (case in point: California’s CPRA, which revises its previous data privacy regulation, CCPA).
If you’re looking for a quick and digestible way to stay up to date on data privacy, subscribing to the Osano newsletter is a great place to start. But if you don’t want to have to think about data privacy anymore whatsoever, then trying a free trial of Osano’s Consent Management Platform (CMP) might be what you’re looking for.
CMPs help companies stay compliant with data privacy laws, and we designed ours specifically for non-experts. If reading about the most recent data privacy laws made you feel a bit overwhelmed, the Osano CMP can help you get compliant without feeling like you’re out of your depth.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.