Introduction
As 2023 is just around the corner, new state data privacy laws go into effect for California and four new States, Virginia, Colorado, Connecticut, and Utah. In other words we have US Data Privacy Law Expansion in 2023.
Depending upon which of these state data privacy laws and regulations apply to a business, the time between now and the end of 2023 could be spent evaluating and implementing information governance controls in order to meet new requirements and comply with the following American data privacy laws:
- California Privacy Rights Act (CPRA; replacing California Consumer Privacy Act, CPPA), effective January 1, 2023.
- Virginia Consumer Data Protection Act (VCDPA), effective January 1, 2023.
- Colorado Privacy Act (CPA), effective July 1, 2023.
- Connecticut Data Privacy Act (CTDPA), effective July 1, 2023.
- Utah Consumer Privacy Act (UCPA), effective December 31, 2023.
Although the United States does not have a federal data privacy law yet, other states are actively evaluating the implementation of a comprehensive privacy law.
Ultimately, all privacy laws are based on the same principles: transparency and limitations on purposes for collection and usage, data minimization, data accuracy, data storage limitations, integrity, and confidentiality.
The California Consumer Privacy Act (CCPA) was replaced by the California Privacy Rights Act (CPRA)
Just like the EU’s General Data Protection Regulation (GDPR) was a data privacy breakthrough, the 2018 California Consumer Privacy Act (CCPA), the US equivalent of GDPR, drastically transformed the US data privacy structure.
The California Consumer Privacy Act (CCPA) legislation was amended to significantly reduce privacy requirements for businesses collecting information about California residents. The Act introduced companies to new privacy laws and offered them considerably needed insight into their obligations. On the other hand, CCPA presented Californians with a way to control their data.
However, CCPA expands and creates new state data privacy laws and regulations for businesses and privacy rights for consumers.
California voters have approved a bill of significant changes that aim to improve and protect consumers’ privacy rights. The California Privacy Rights Act (CPRA), in general, has not been effective until January 1, 2023, giving companies a short time to comply with the law and focus specifically on the fundamental changes they need to know as they prepare to comply with the CPRA.
The California Privacy Rights Act (CPRA)
Effective January 1, 2023.
The CPRA, passed by California residents on November 3, 2020, boosts the existing CCPA.
Some essential differences between CCPA and CPRA are that the CPRA makes modifications to covered businesses, defines what is Personal Information (PI), revises definitions, outlines further obligations for businesses, and additional rights for consumers. The CPRA establishes the California Privacy Protection Agency (CPPA) to additionally enforce consumer privacy laws and impose fines.
CPRA & Businesses
The CPRA applies to all persons that run businesses that either:
- Have gross annual revenue of more than $25 million or
- Buy, sell, or receive personal information of at least 100,000 California consumers or households or
- Derive 50% or more of annual revenue from the sale of personal data of California residents.
The CPRA changes the standards by which companies must comply with the law. Companies are prohibited from retaining personal data for longer than is reasonably necessary. It triples the maximum penalties for violations against consumers under the age of 16 and provides civil penalties for consumer credential theft.
CPRA & Consumers
The CPRA expands consumer privacy rights, permits consumers to prevent businesses from sharing personal information, and allows consumers to correct inaccurate personal information. The Act also gives consumers the right to limit the use and disclosure of sensitive personal information. Sensitive personal information is defined as any data that includes genetic data, religion, ethnicity, race, precise geolocation, specified health information, sexual orientation, and private communications.
The Virginia Consumer Data Protection Act (VCDPA)
Effective January 1, 2023.
The state has stepped up its efforts as more states look to adopt data privacy laws. The Virginia Consumer Data Protection Act (VCDPA) provides a framework for controlling and processing personal data. Virginia is about to become one of these states with comprehensive data security laws.
VCDPA & Businesses
The VCDPA applies to all persons that run business based in Virginia or offers products or services to Virginia residents and either:
- Control or process data of at least 100,000 consumers during a calendar year or
- Control data of at least 25,000 consumers and derive 50% or more of gross revenue from the sale of that data.
The law sets out data controllers’ and processors’ responsibilities and privacy standards. The bill does not apply to state or local government entities and contains exceptions for certain types of data and information governed by federal law.
VCDPA & Consumers
The Act gives consumers the right to access, rectify, delete, obtain a copy of personal data, and opt-out of the processing of personal data for targeted advertising purposes.
The law also provides that the Attorney General has exclusive powers to enforce violations of the law, and the Consumer Privacy Fund was created to support these efforts.
The Colorado Privacy Act (CPA)
Effective July 1, 2023.
Colorado has joined California and Virginia in enacting comprehensive data privacy legislation after the Colorado Privacy Act was signed. The Colorado Privacy Act continues state-specific legislative direction on developing broader data protection laws across America.
The CPA defines various terms related to covered businesses, consumers, and data, including the term “controller” as the person or group of people who determine how data is used and processed.
CPA & Businesses
The Act applies to all persons and any data controller conducting business in Colorado or offering/delivering commercial products or services to Colorado residents and either:
- Control or process data of at least 100,000 consumers during a calendar year or
- Control or process data of at least 25,000 consumers and derive revenue or receive a discount on the price of goods or services from selling that data.
CPA & Consumers
The Colorado Privacy Act addresses consumers’ rights to privacy, and businesses’ responsibilities to protect personal data and authorizes the Attorney General and district attorneys to take enforcement action for violations.
The Connecticut Data Privacy Act (CTDPA)
Effective July 1, 2023.
The Connecticut Data Privacy Act assembles a framework for managing and processing personal information. It provides liability and privacy standards for data controllers and processors.
CTDPA & Businesses
The CTDPA applies to all persons that conduct business in Connecticut or deliver products or services targeted to Connecticut residents and that during the preceding calendar year, either:
- Controlled or processed the personal data of at least 100,000 consumers. However, this excludes personal data controlled or processed solely to complete payment transactions.
- Controlled or processed the personal data of at least 25,000 consumers and derived over 25% of their gross revenue from selling that data.
CTDPA & Consumers
The Act authorizes Connecticut residents five specific rights over their personal data, such as to access, correct, delete and acquire a copy of their personal data and opt-out of the processing of their personal information.
The Utah Consumer Privacy Act (UCPA)
Effective December 31, 2023.
Utah is another state that has enacted comprehensive consumer privacy laws. The Utah Consumer Privacy Act (UCPA) was signed into law on March 24, 2022. Although it includes many of the broader privacy visions found in the privacy laws of California, Virginia, Colorado, and Connecticut, UCPA is generally narrower in scope and has some unique features, such as a diverged enforcement process and its own enforcement evaluation.
UCPA & Businesses
The UCPA applies to companies with annual revenue of over $25 million that conduct business in Utah or offer products or services to Utah residents and either:
- Control or process data of at least 100,000 consumers during a calendar year or
- Derive at least 50% of annual gross revenue from selling personal data and control or process data of at least 25,000 consumers.
UCPA & Consumers
Utah’s Consumer Privacy Act provides consumers the right to know what personal data a business collects, how the business uses the personal data, and whether the business sells the personal data. It also provides that consumers may access and delete personal data maintained by businesses and the right to opt out of the collection and use of their personal data.
The UCPA requires specified businesses to safeguard personal data, provide clear information about how consumers’ personal data are used, and accept and comply with consumer requests to access, delete or stop selling personal data. The law authorizes the attorney general to take enforcement action and impose penalties.
2023 here we come: Is your privacy agenda prepared?
The United States currently lacks a federal privacy law, as previously mentioned, but while California is the first state with omnibus privacy laws, four states have joined the process of adopting privacy laws.
Businesses worldwide are actively trying to tackle emerging data privacy issues, review their privacy practices, and prepare for compliance with these new privacy laws, in Brazil, China, India, and Saudi Arabia.
Data privacy law compliance could be a challenging thing for e-commerce businesses, but with the Pandectes GDPR Compliance app by Pandectes, you ensure you comply with the GDPR, CPRA, VCDPA, CPA, CTDPA, UCPA, and other data privacy laws. It provides a cookie manager, cookie compliance, and data subject requests portal. Moreover, you can modify the banner and its behavior based on your needs and the rules you want to apply.