There currently is no federal comprehensive data privacy law. Various states, however, have been enacting their own data privacy laws. California was the first (the CCPA), and recently passed a substantial amendment to its law (the CPRA), some of which is currently in effect and the majority of which will become effective January 1, 2023. One of the sections of the amended law currently in effect relates to data privacy of employees, owners, directors, officers, and independent contractors, residing in California. “Independent contractor” means a natural person who provides any service to a business pursuant to a written contract. Presumably even if the contract is with a business entity, individual employees of that company would be considered independent contractors of the business to whom they provide services. Certain disclosure obligations are owed to these individuals.
This year Virginia and Colorado have followed suit with their own versions of comprehensive data privacy laws. The Virginia law takes effect on January 1, 2023 and the Colorado law takes effect on July 1, 2023. While California has a very limited exemption for personal information collected in a business to business transaction, Colorado and Virginia explicitly limit their laws to personal information of individuals acting in a personal or household context. However, for companies collecting personal information in a personal or household context of individuals residing in California, Colorado or Virginia, the data privacy laws could apply if other threshold requirements are met. Other states, including New York and Massachusetts, have comprehensive data privacy legislation pending. Gone are the days when privacy notices are primarily optional. Not only do certain disclosures to individuals have to be made in particular circumstances, those individuals also have a number of rights which, depending on the law, could include among other things rights of access, correction, and deletion.