Data privacy is still as big a thing for US businesses as it was last year, so what changes have been coming down the pike and who is on board? Five state privacy laws are gearing up to take full effect in the new year. These are:
· California Privacy Rights Act (CPRA replaces California Consumer Privacy Act – CCPA)
· Colorado Privacy Act (CPA)
· Connecticut Data Privacy Act (CTDPA)
· Utah Consumer Privacy Act (UCPA)
· Virginia Consumer Data Protection Act (VCDPA)
Who does each law apply to, and what does it mean for these five?
California Privacy Rights Act (CPRA)
· Businesses with over $25 million in gross revenue, businesses buying/selling/sharing the personal information of 100,000+ consumers, or businesses deriving more than 50% of their revenue from personal information sales
· Individual and opt-out rights increase, retention of personal data is limited to what is necessary, and protections are extended to employee and business-contact personal data
· January 1 2023
Colorado Privacy Act (CPA)
· Businesses operating in Colorado or serving Colorado residents that either process the personal information of 100,000+ residents, or process the personal information of more than 25,000 Colorado residents and profit from the sale of personal information
· New data privacy and security assessments are required for high-risk processing, including an assessment of the adequacy of vendors’ privacy/security and of the deletion or return of data at contract end
· Data collection is limited to what is adequate, relevant and necessary; data security controls must be implemented, and consent (with the ability to revoke it) is required for sensitive data processing
· July 1 2023
Connecticut Data Privacy Act (CTDPA)
· Businesses operating in Connecticut or serving Connecticut residents that buy/sell/share the personal information of 100,000+ consumers, or that derive more than 25% of their revenue from personal information sales and handle the data of 25,000+ consumers
· Consumers have the right to access, correct, delete and port their data, and to opt out of targeted advertising and the sale of their data
· July 1 2023
Utah Consumer Privacy Act (UCPA)
· Businesses operating in Utah or serving Utah residents that buy/sell/share the personal information of 100,000+ consumers, or that have annual revenues of at least $25 million, or that derive more than 50% of their revenue from personal information sales of 25,000 or more consumers
· Consumers can access and delete their personal data, and opt out of its sale and of its processing for targeted advertising
· December 31 2023
Virginia Consumer Data Protection Act (VCDPA)
· Businesses operating in Virginia or serving Virginia residents that either process the personal information of 100,000+ residents, or process the personal information of more than 25,000 Virginia residents and profit from the sale of personal information
· Explicit consent must be obtained when collecting or using the sensitive data of minors
· Vendors’ privacy and security will be assessed for adequacy, including the deletion or return of data at contract end
· January 1 2023
Does it affect you?
Compliance is not a quick checklist to run through before a new-year deadline; it is something most US businesses will prepare for well ahead of time. Even if you are not in one of the listed states, getting compliant is good practice and sound preparation in case your business reaches users or customers in a state that is covered.
There are some nuances between the 2023 state privacy laws, but most agree on what kind of businesses will be subject to them: for example, if a large portion of your revenue comes from selling consumer data, or if you process or control the data of 100,000 state residents. The thresholds are not identical across all five, though. In Connecticut, businesses that do not rely upon or use consumer data do not need to show compliance, and in California the law only applies if your business has an annual revenue of over $25 million; the same applies in Utah. It is also worth noting that businesses once exempt under the CCPA are not automatically exempt under the CPRA, which closes the data-sharing loophole (as opposed to data selling) that existed in California.
Better safe than sorry
Keeping abreast of privacy laws, whether you think you need them or not, is probably wise, especially if the business has growth plans. What happens when you digitize and your traffic begins to exceed that 100,000-person threshold? It is worth being ready for that future scaling opportunity. Nobody goes into business intending not to grow, and if you happen to be in one of the listed states and are not yet hitting the revenue or headcount thresholds, that will not always be the case. In truth, as data gathering, sharing and selling gather pace, privacy laws will eventually reach all states; it is an inevitability, so it is better to be ahead of the game.
How to do so is discussed here.