Privacy & Data Ethics: State privacy law remediation, November 2022

  • Five new state privacy laws will go into effect in 2023
  • Each new law regulates the processing of sensitive personal information
  • California and Utah will provide people the right to limit the use of sensitive personal information through an opt-out method
  • Colorado, Connecticut, and Virginia will require opt-in consent from people before processing data about

In 2023, five new state privacy laws will go into effect in California, Colorado, Connecticut, Virginia, and Utah. The new laws all include a definition of sensitive personal information with business obligations associated with the processing of sensitive data.

What is processing?
“Processing” has been generally defined by laws as “any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion or modification of personal data.” The broad definition of processing would include simply storing sensitive personal information.

What is sensitive data?
The five states all include a definition of sensitive personal information.

California
In California, the following personal information points are considered sensitive:
(1) Social Security, driver’s license, state identification card, or passport numbers
(2) An account log-in, financial account, debit card, or credit card number in combination with any required security codes
(3) Precise geolocation
(4) Racial and ethnic origins, religious or philosophical beliefs, union memberships
(5) Contents of mail, email, and text messages to unintended recipients
(6) Genetic data
(7) Biometric information if used to uniquely identify a person
(8) Personal health information
(9) Personal information related to a person’s sex life or sexual orientation.

Colorado, Connecticut, Utah, and Virginia
In Colorado, Connecticut, Utah, and Virginia the following personal information data points are considered sensitive:

(1) Racial or ethnic origin
(2) Religious beliefs
(3) Sexual orientation
(4) Citizenship or immigration status
(5) Biometric or genetic data
(6) Information regarding an individual’s medical history, mental or physical health condition, medical treatment or diagnosis
(7) Personal data from a known child
(8) Precise geolocation within a radius of 1,750 feet or less.

It should be noted that Colorado does not include precise geolocation in its definition of sensitive personal information.

What obligations are required prior to processing sensitive data?
Opt-out (California and Utah)
The statutes in California and Utah give people the right to opt out of processing their sensitive personal information. People must be provided with clear notice and an opportunity to opt out of the processing. The sensitive personal information of people in these states can still be processed until a person exercises his or her right to opt out.

Opt-in (Colorado, Connecticut, and Virginia)
In Colorado, Connecticut, and Virginia, a business will be required to obtain opt-in consent before any sensitive personal information may be processed. Consent under these statutes requires a person to perform an affirmative act that is freely given, specific, informed, and unambiguous before sensitive personal information of that person may be collected or processed.