Three states have enacted comprehensive privacy laws: California, Virginia, and now Colorado. Steve Richards of Mile High Outdoor + Pacific Outdoor wanted to know more about the impact of privacy laws on his company and other billboard companies. As chair of the OAAA Legislative Committee, Steve asked Gary Kibel of the law firm Davis+Gilbert LLP about privacy compliance.
Steve Richards: Mile High Outdoor operates in Colorado, the third state that has enacted comprehensive privacy legislation. Does the new Colorado law apply to my business?
Gary Kibel: The new Colorado Privacy Act (“CPA”) is broad. In many regards it combines elements from California and Virginia’s privacy laws to create a higher standard. However, it only applies to the processing of personal data of Colorado residents when acting in “an individual or household context.” So, it does not apply to B2B activities and there are other carve-outs as well, such as for data regulated under certain other laws and some publicly available information.
Companies in the OOH industry need to keep in mind that these laws apply not only to data collected through their inventory, but also from corporate websites, apps and other services.
Steve Richards: How do we define “processing personal information” in this context?
Gary Kibel: The Colorado Privacy Act adopts the European Union’s General Data Protection Regulation (GDPR) approach by defining processing as the “collection, use, sale, storage, disclosure, analysis, deletion or modification” of personal data. Therefore, most uses of personal data of a Colorado consumer, subject to the many carve-outs mentioned above, will be covered by the law. Like the California Consumer Privacy Act (CCPA), there is also a threshold test to carve out small businesses from compliance obligations.
Steve Richards: In general, what are common do’s and don’ts for independent billboard operators?
Gary Kibel: All operators need to consider how data flows into and out of their organization and the data practices of the third parties with whom they work. Such “data mapping” exercises are very helpful in analyzing what legal obligations apply. Don’t look at just your out of home inventory. You need to consider all parts of your business, including data analytics, cross-device targeting, dealing with data brokers, websites, apps, off-line activities and more. For example, if you collect personal information from consumers through a ‘contact us’ form on your website, then a company needs to consider how it can comply with the consumer access rights under the law and the internal data security obligations. The Colorado Privacy Act, like Virginia and the California Privacy Rights Act, will require more comprehensive contracts with service providers.
Steve Richards: Will any of this change how we conduct email marketing? We often send company updates and offers via email.
Gary Kibel: In the United States, email still mostly operates on an opt-out basis. These laws do not flip such practices into an opt-in model. However, these laws do require new enhanced disclosures about data collection and use, and provide consumers with new rights about accessing their personal information and controlling how it is used.
Steve Richards: First California, then Virginia, and now Colorado. Are other States likely to enact privacy laws? What will it take for Congress to act?
Gary Kibel: Unfortunately this patchwork of State privacy laws is likely to get more complex over the coming years. Privacy laws are being considered in other states, such as Ohio, New York, Massachusetts, North Carolina, and Pennsylvania. Bills nearly passed but failed recently in Connecticut, Florida, and Washington. The hope is that Congress will step in and create one national standard that will preempt these disjointed state laws. The chances of that happening soon are perhaps 50/50.
Steve Richards: If my company is not located in California, Virginia, or Colorado, does any of this matter to me?
Gary Kibel: The laws are designed to protect the personal information of the residents of those states. So, it’s not a matter of where your company is located, but rather, what data you are processing. Each law has a threshold test to determine if the law applies to you based, in part, upon the amount of data you are processing. Given the size of California (by itself, the fifth-largest economy in the world), it’s hard to avoid the California Consumer Privacy Act (CCPA) unless you are a small organization. In many ways, CCPA is becoming a national standard.
Steve Richards: When do these laws take effect?
Gary Kibel: The CCPA (California) is already in effect and regulators there are actively looking to enforce the law against companies.
California’s second privacy law (California Privacy Rights Act, CPRA) takes effect January 1, 2023 as does the new law in Virginia. The Colorado Privacy Act takes effect July 1, 2023. However, Governor Jared Polis when signing the CPA wrote: “[I]n the haste to pass this bill, several issues remain outstanding. My chief concern is ensuring Colorado’s competitiveness with other states as an incubator of new technologies and innovations. SB 21-190 will require clean-up legislation next year.”
Steve Richards: So what should I be doing right now?
Gary Kibel: If you have not already gone through a California Consumer Privacy Act (CCPA) compliance review, do not waste any time. This means you should analyze whether the law applies to your company, update your privacy disclosures, develop a process to respond to consumer data access requests, and review how you contract and work with industry partners and clients. Again, California regulators are actively looking at companies right now and recently published summaries of some enforcement actions. California’s second law (California Privacy Rights Act) requires regulations to be issued; a first draft is expected later this year. Once that happens, it’s likely that companies will seek to tackle compliance with multiple laws at once.