The Implications of Varying "Opt-in" and "Opt-out" Requirements in New State Privacy Laws
Privacy Plus+
Privacy, Technology and Perspective
This week, let’s examine an intriguing subject: the variations among different state privacy laws concerning rules for "opt-in" and "opt-out" consent.
The Issue at Hand: Several states have already enacted comprehensive state privacy laws. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is often contrasted with the collective "Not California" acts, that is, the privacy laws enacted by states such as Virginia, Colorado, Connecticut, Utah, and now Iowa, with additional states soon to follow. The laws in these "Not California" states are purportedly designed to be simpler than the CCPA, yet they share a similar overall structure.
"Similar," however, doesn't equate to identical. The "Not California" privacy acts vary significantly. Minor variations include threshold requirements for compliance, such as the number of state residents for whom an entity may process personal data and the specific exemptions that apply, as well as the possible provision of cure periods. However, businesses can usually handle these variations without major disruption or inconvenience to consumers. In this respect, the “Not California” statutes resemble “Uniform” state acts, which start from a common form, are then almost always tweaked in every state house, and yet somehow manage to come out the other end generally consistent and substantively workable from state to state.
Among the “Not California” states, however, there is a glaring issue. The laws coming out of these states lack consistency, particularly when it comes to "opt-in" and "opt-out" protections for consumers and data usage by businesses. For instance, some states require consumers to "opt in" proactively to allow businesses to use their data beyond specific services or products. Conversely, other states insist that consumers must "opt out" if they want to prevent businesses from using their data more expansively. The majority appear to have their own unique blends of these options, which might be logical within their legislative and regulatory context but together pose a challenge for businesses trying to comply with all these inconsistent requirements.
How will multistate businesses manage this mélange? Tools like the Global Privacy Control may help. But opt-outs aren’t straightforward when the laws requiring them vary with regard to their form, substance, and application. It’s one thing to have a special section for “California Residents” or “European Residents,” but will businesses have to offer multiple headings like, “If You Live in ____, then, ___,” with multiple definitions and threshold explanations? How will businesses handle the varying subjects that may require "opt-in" or "opt-out" decisions? How important is it to consider that many individuals use virtual private networks (VPNs) to conceal their actual locations, and how much effort should businesses be obligated to invest in identifying their real residences? What should be the appropriate length for a privacy notice? (We recently heard of one that is 43 pages long.) Alternatively, to what extent should a consumer be expected to put in an effort to safeguard their own privacy?
The Status of "Opt-in" and "Opt-out" Choices: Currently, California, Colorado, Utah, and Iowa allow consumers to "opt out" of the collection, use, and sale of particularly sensitive data, such as precise geolocation, albeit with variations in their specific definitions. However, in Virginia, Connecticut, and Colorado, consumers are required to actively "opt in" for the collection and processing of such sensitive information. Regarding targeted advertising, sales of personal data, and profiling for automated decision-making with legal or other significant impact on the consumer, "opt-out" options are available in California, Virginia, Connecticut, and Colorado. Conversely, Utah and Iowa do not provide the "opt-out" option for such profiling activities.
As these state acts start to take effect over the next few years, we anticipate the complexity of managing compliance will increase. However, as stakeholders gain more practical experience with these differing laws over time, there is hope that the process will become more manageable and may potentially inspire a resurgence of the valuable art of compromise.
---
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.