Five states have enacted new regulations or amended laws to further protect the privacy of their residents’ personal data
Individuals are transacting business and purchasing goods and services online in record numbers. As a result, protecting the privacy of their data has become nearly as important as keeping it secure against hacking, malware, ransomware, and other cyberattacks.
The worldwide scale of electronic payments and e-commerce is staggering. As of October 2022, the total transaction value of payments made online is projected to reach almost $8.5 trillion USD by year-end, according to data compiled by Statista. The largest segment of those online payments, known as digital commerce or e-commerce, is set to reach $5.5 trillion USD by the end of 2022.
Many federal regulations in the U.S. address both security and privacy, including HIPAA and GLBA, to name two. Many global security frameworks incorporate data privacy safeguards as well, including NIST CSF and ISO/IEC 27001. However, some states have adopted their own consumer privacy laws in an effort to provide individuals with additional privacy rights and to give them recourse when those rights are violated.
In 2023, comprehensive state privacy laws will go into effect in five states. They are California, Colorado, Connecticut, Utah, and Virginia. The laws are summarized below to assist organizations who do business in those states in understanding some of the new data protection requirements. All the necessary details are available from each state.
California currently has more privacy laws than any other state, and its most recent legislation will take effect January 1, 2023. The new California Privacy Rights Act (CPRA) builds upon the California Consumer Privacy Act of 2018 (CCPA), which allows California residents to ask businesses to disclose the type of information they collect, why it is being collected, and the source of the data. It also granted consumers the right to have their personal information deleted and to opt out of having it sold. In crafting the CCPA, California borrowed from the General Data Protection Regulation (GDPR) in the European Union.
The new CPRA gives California residents even greater control over their data by enabling them to prevent businesses from sharing their personal data and to correct inaccurate data. They can also stop businesses from using sensitive data, such as their exact geolocation, their race, and their sexual orientation, for example. The CPRA also increases the maximum penalties for violations against young consumers (16 and younger) and prohibits the retention of personal data for longer than needed. The California Privacy Protection Agency is responsible for enforcement.
Colorado’s newest protections are incorporated into the original, comprehensive data privacy law known as the Colorado Privacy Act (CPA). The newest provisions, known as Part 13, will become effective July 1, 2023.
Part 13 gives Colorado consumers the right to access, correct, and delete personal data, along with the right to opt out of the sale, collection, and/or use of their personal information. It requires companies to safeguard personal data and to provide clear, understandable, and transparent information to consumers about how their personal data is used. The law further requires companies to perform data protection assessments of their collection and use of personal data.
Finally, Part 13 of the Colorado Privacy Act empowers the state’s attorney general and district attorneys to review a company’s data protection assessments, to impose penalties where violations are found, and to prevent future violations. It comprehensively defines terms and responsibilities to provide maximum clarity and prevent any confusion.
Connecticut is all in on the state privacy laws action. The Connecticut Act concerning Personal Data Privacy and Online Monitoring was enacted May 10, 2022, to take effect July 1, 2023. In addition to spelling out new consumer data protection provisions for Connecticut residents, the Act details lengthy requirements for companies who collect and use their personal data, known as controllers, and for companies who process that data for them, known as processors. (These terms are used throughout the European Union’s General Data Protection Regulation.)
Consumer rights include the right to confirm that their personal data is being processed, to correct inaccuracies in their data, to delete their personal data, and to obtain a copy of their data in a format they can use to transmit to another controller. In addition, consumers have the right to opt out of the use of their data for targeted advertising, sale, or for profiling purposes. Consumers may also designate authorized representatives to act on their behalf, as in (but not limited to) cases of parental or legal guardianship.
The Utah Consumer Privacy Act (UCPA) was signed into law March 24, 2022, and will take effect at the end of 2023, on December 31. The state attorney general is responsible for enforcement and the imposition of penalties for violations.
As with the other comprehensive state privacy laws, the UCPA gives consumers the right to know what type of data businesses are collecting about them, how it is being used, and whether or not a business intends to sell their data to third parties. It also gives them the right to access and delete their data and to opt out of data collection completely.
The Utah Consumer Privacy Act also provides clear, detailed guidelines for the protection of consumer data by the businesses who collect, use, and process the data.
Virginia’s comprehensive Consumer Data Protection Act (CDPA) establishes a framework for controlling and processing large volumes of personal data in Virginia and will become effective January 1, 2023. The CDPA applies to all persons who conduct business in Virginia and either (1) control or process the personal data of at least 100,000 consumers, or (2) derive more than 50% of their gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.
The Virginia Consumer Data Protection Act provides detailed responsibilities and privacy protection requirements for data controllers and processors. It does not apply to state or local governments and also has exceptions for certain types of data and information governed by federal law, to avoid conflict and confusion. The bill gives consumers the right to access, correct, delete, and obtain copies of their personal data, and also to opt out of the processing of their data for the purposes of targeted advertising.
The state attorney general has exclusive authority to enforce the law and penalize violators.
Other State Privacy Laws Provide Limited Consumer Privacy Protections
The five states above have enacted comprehensive privacy protections for personal data. Eleven additional states have limited protections in place. They are Arizona, Delaware, Hawaii, Maine, Minnesota, Missouri, Nevada, New York, Oregon, Tennessee, and Vermont.
Data privacy has become such a concern that in 2022, for the first time, the National Cybersecurity Alliance extended National Data Privacy Day. It became a seven-day event known as National Data Privacy Week. This new tradition will further emphasize the importance of implementing robust data privacy protections and enforcing privacy safeguards for consumers.
As Congress continues to drag its feet in enacting a comprehensive U.S. federal privacy law comparable to the European Union’s General Data Protection Regulation, states are actively developing their own data privacy protection requirements. California, Colorado, Connecticut, Utah, and Virginia have enacted comprehensive state laws that take effect as early as January 1, 2023. Eleven other states have limited privacy laws in place.
While the five new comprehensive laws have many similarities, they also have some notable differences. Organizations who do business in these states should act now to familiarize themselves with the detailed legal requirements, implement the privacy safeguards they need, and train their employees. This will help them avoid violating the new consumer protection provisions and incurring penalties and other consequences.