With stories of data breaches continuously making headlines, concerns about how personal data is processed and stored have led to the passage of regulations governing how companies handle consumer data. One of the most well-known international data privacy laws is GDPR, which was implemented across the European Union in 2018. The law states that individuals own their personal information and can decide who can use it. Any organization -- regardless of where it's headquartered -- that targets or collects data from people and businesses in EU member nations must comply with the GDPR privacy Compliance framework. The state privacy laws of 2023 apply to organizations that process personal data (controllers) as well as organizations that process personal data on their behalf (processors). Legal action can be taken against organizations found to be noncompliant with GDPR.
While more than 100 countries worldwide have enacted data privacy laws, the United States is not one of them. Until a federal privacy law is enacted, many states have stepped in to pass data privacy laws by state. According to the IAPP global information privacy community, there has been a rapid growth of U.S. privacy initiatives at the state level from 2018 through 2022. In 2023, state-level momentum for comprehensive privacy bills is at an all-time high. Each state law has different Compliance frameworks for how companies must allow consumers to exercise these rights. While there are some differences between the states’ laws, the structures are mainly similar, modeled after California’s Act.
Five states have enacted new state privacy laws that organizations have to comply with, from 2023.
Took effect on January 1, 2023, and amends the California Consumer Privacy Act (CCPA), which gave residents the right to ask businesses to disclose the type of information they collect, why they are collecting the information and the source of the data. The updated CPRA copies the GDPR controls framework in creating a new state agency to enforce the rights of residents to prevent businesses from sharing their personal data, request that inaccuracies in their personal data be corrected, and prevent companies from using sensitive data, such as race and sexual preference.
Takes effect July 1, 2023, and is patterned after the individual rights under GDPR. The law augments the existing privacy act by adding specific regulations such as data security laws for vendors and assessments for "high-risk" processing, as well as clarifications for how the law will be enforced.
Takes effect July 1, 2023, and governs how personal data privacy is protected and how data is collected and processed – also similar to GDPR – and requires additional scrutiny for "high risk" processing. The CDPA applies to organizations that control or process the personal data of at least 100,000 customers; or organizations that hold the data of at least 25,000 customers and derive over 25% of gross revenue from the sale of personal data. Penalties for noncompliance are clarified in the Connecticut State Privacy Law.
Takes effect Dec. 31, 2023, and will provide some GDPR-like individual rights for protecting the collection, processing, and distribution of personal data, but falls short of requiring risk assessments. The UCPA applies to organizations with an annual revenue of $25M or more; and either control or process personal data of at least 100,000 consumers, or hold the data of at least 25,000 customers and derive over 50% of gross revenue from the sale of personal data.
Took effect on Jan. 1, 2023, and provides GDPR-like guidelines and penalties regarding how personal data is collected, processed, and distributed. The law affects any organization that processes specific quantities of personal data each year, both government and non-government. The VCDPA applies to organizations that either control or process personal data of at least 100,000 consumers, or hold the data of at least 25,000 customers and derive over 50% of gross revenue from the sale of personal data.
More details about what each of these laws entails can be found here.
Key Takeaways of the 2023 State Privacy Laws
State regulations regarding collecting, processing, and distributing personal data can vary significantly. If your business handles personal data in one or some of the above states, here is a sampling of some of rules you need to know:
Given the expansion of consumer rights and heightened business obligations with regard to data privacy and Compliance, companies should take the time to find out what is privacy Compliance and the new obligations these laws present. Keep in mind, data privacy guidelines will soon be expanding further. Whether Congress ultimately passes national legislation via the American Data Privacy and Protection Act or additional states introduce their own privacy laws, it is up to each business – and their IT and Compliance departments -- to ensure they are processing personal data correctly. By complying with these guidelines, companies minimize the chances of being sued or fined and avoid future negative customer fallout and reputational damage.