There is a good chance that 2023 will go down as the year when consumer privacy and data protection finally took a much-needed leap forward in the United States.
When the clock ticked past midnight on January 1, 2023, the California Consumer Rights Act (CCRA) and the Virginia Consumer Data Protection Act (VCDPA) officially went on the books, soon to be followed by the Colorado Privacy Act (CPA) and the Connecticut Data Privacy Act (CTDPA) on July 1, 2023, and the Utah Consumer Privacy Act (UCPA) on December 31, 2023.
Enforcement for each act varies, with enforcement of the VCDPA beginning on January 1 and the CCRA starting on July 1, 2023. The CPA initially will require the state Attorney General or district attorneys to issue a notice of violation and allow entities 60 days to cure the alleged violation – i.e., a right to cure. The right to cure will sunset on January 1, 2025. Connecticut is similar, but its 60-day right-to-cure option expires on December 31, 2024. In Utah, enforcement begins on December 31, 2023, but in each case, the organization has a 30-day period to fix the violation before damages are sought.
This means there is still time to align business practices with these new regulations without being exposed to fines, and it is important to remember compliance is required whether or not an organization is located in the state. What matters is if it compiles and stores data of that state's residents.
In the United States, there is no cookie-cutter approach to ensuring your organization is in compliance with local privacy regulations since each state regulates privacy on its own, unlike the EU's more sweeping General Data Protection Regulation (GDPR). This means an organization must meet its state's regulations and those of the other states where it conducts business.
On the plus side, most of the privacy acts going into effect in the U.S. are similar. Still, there is enough difference that a company could quickly find itself in trouble if it doesn’t understand the finer points of the law under which it operates.
Legal and human resources departments must determine what regulations are applicable. Then they need to understand who they are working with, where they are located, what type of business it conducts, as some have exemptions (like the U.S. government which does not have to comply with GDPR, what is the business-to-business relationship, and what rules the other businesses have to follow.
All of the newly instituted and upcoming acts vary to some extent on how they define a consumer and how an organization must comply with the regulations. However, in general, each law is designed to protect consumers residing in their state, giving these people the right to access their personal data and request that an organization delete it upon request. The regulations also require organizations to conduct data protection assessments related to processing personal data for targeted advertising and sales purposes.
For example, every business in California must comply if it has gross revenues in excess of $25 million during the preceding calendar year, alone or in combination, annually buys or sells, or shares the personal information of 100,000 or more consumers or, households or derives 50 percent or more of its annual revenues from selling or sharing consumers' personal information. The Virginia code differs by including entities that control or process the personal data of at least 100,000 consumers in a calendar year, or the personal data of at least 25,000 consumers while deriving over 50 percent of gross revenue from the sale of that data .
Privacy regulations are taken very seriously by the California Attorney General, with one company being hit with a $1.2 million fine under the previously enacted California Consumer Privacy Act (CCPA). The general guidelines state that those not complying with the CCRA and CCPA face fines of $2,000 per violation, $2,500 for negligent violations, and $7,500 for willful violations.
The privacy acts coming online this year cover much of the same ground as the CCRA, so let's dive into this bit of legislation. Please follow the links above to learn the specifics of the other privacy acts.
Since the California Consumer Privacy Act (CCPA) was the first in the nation when it went into effect three years ago, it became the template for other states to follow. And the CCRA is essentially an expansion of the CCPA, in fact, the CCRA is often referred to as CCPA 2.0.
A quick overview. The CCRA was passed by California voters in November 2020 and officially went into effect on January 1, 2023.
The CCRA carries over all the policies from the CCPA but includes two new consumer rights, two new rights when it comes to privacy management, and updates five current CCPA regulations, according to Bloomberg Law. The California Privacy Protection Agency administers the CCRA, and it is enforced by the California Attorney General's office.
Much like the CCPA and the EU's GDPR, the CCRA is designed to protect consumer privacy by forcing businesses to be more transparent regarding data storage, focusing on how consumer data is stored, managed, and distributed. Under the regulation, a "consumer" in the context of the CCRA is "a natural person who is a California resident, as defined in the state's tax regulations."
The two new rights the CCRA gives consumers are:
In addition, the CPRA also expands the breach liability to include unauthorized access or disclosure of certain data elements (e.g., email addresses, passwords, or security questions). This means that the CPRA has broadened what would be considered "breaking the rules" to include unauthorized access or disclosure of certain data elements.
Under the CCRA, personal information is defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Sensitive personal information is a subsection of personal information that includes:
CCRA compliance is complex; organizations will need time to ensure their business practices align with the regulation. The CCRA requires:
When it comes to privacy compliance, the devil is in the details. Organizations are being asked to handle data in a much different and more open manner than many are accustomed to, but in the end, this must be looked at as a net positive. In fact, it helps tick off several boxes that security professionals say will make an organization safter.
Eliminating out of date or unnecessary personal data limits what a cybercriminal can steal, which may make an organization a less attractive target. Is customer information from 2002 still needed?
In addition, the various privacy acts force organizations to know where personal data is stored and who is contained in their database, and this makes it easier to cull this information upon request.