This year is shaping up to be one for the data privacy history books in the United States. California has historically led the charge for data privacy in the U.S., but many more states are following its lead. This increase in legislation is sure to shape federal regulations moving forward.
Let’s explore recent developments in state-level privacy regulations to understand how they’re impacting businesses across the U.S.
All Eyes Are on the CCPA, CPRA, and CPPA
From when it went into effect in 2020 to June 30, 2023, the California Consumer Privacy Act (CCPA) was only enforceable by the California attorney general. As of July 1, 2023, the California Privacy Protection Agency (CPPA), which was established by the California Privacy Rights Act (CPRA) that amended the CCPA, will enforce the Golden State’s privacy regulations.
With an initial budget of $10 million, this dedicated enforcement agency will focus its attention on implementing, updating, and adopting new and current regulations.
A note: On Friday, June 30, 2023, the Superior Court of California, County of Sacramento, complicated matters by issuing an order delaying enforcement of OAL- and CPPA-approved regulations from March 2023 by one year, moving enforcement to March 2024. However, since these updated regulations primarily clarify the existing rules, both the CPRA and CCPA are fully enforceable in the meantime.
The CCPA’s details and timeline are complex and can be very confusing. To build consumer trust and ensure you’re in compliance with the CCPA, you may want to focus your company’s attention on these expected enforcement areas:
- Honoring Privacy Rights: Consumers and employees have the right to access, delete, and rectify their data, and businesses must honor these rights and accurately fulfill data subject requests (DSRs) in a timely manner.
- Displaying Clear Disclosure Practices: Businesses must provide consumers with clear, understandable information about organizational privacy practices. They also must avoid manipulative tactics like “dark patterns” that may invalidate consent.
- Closely Monitoring Vendor Contracts: The CCPA’s CPRA amendment provides highly specific guidance on contracting requirements for service providers, contractors, and third parties, and limits what these entities can do with personal data provided by the company.
- Making It Easy To Give Consent & Opt Out: Consumers have the right to opt out of the selling or sharing of their data, and businesses must make this process easy and understandable via their website or apps, in addition to respecting the Global Privacy Control (GPC) signal.
- Enforcing Data Security & Minimization: The CCPA requires businesses to use reasonable measures to keep personal information safe from unauthorized access, breaches, and theft. Companies must also practice data minimization by collecting only the data necessary to complete business tasks and using it solely for the purposes disclosed to consumers.
You can learn more about these enforcement areas and review some action steps in our Official Guide to CCPA.
How New State Legislation Is Impacting Businesses and Consumers: CTDPA, CPA, VCDPA, UCPA
There’s significant overlap between the Connecticut Data Privacy Act (CTDPA) and the Colorado Privacy Act (CPA). Both laws are effective as of July 1, 2023, and grant their respective state residents the ability to access their data, correct inaccuracies, delete and obtain copies of personal information, and opt out of personal information use. They also mandate applicable companies within the states do the following:
- Respond to DSRs within 45 days of receiving them
- Issue consumers easily accessible privacy notices
- Maintain proper data privacy measures to protect sensitive information
- Refrain from collecting or using sensitive data without consumer consent
These laws arrive on the heels of Virginia’s Consumer Data Protection Act (VCDPA), which went into effect January 1, 2023, and precede the Utah Consumer Privacy Act, which goes into effect December 31, 2023.
It’s understandable if you’re feeling a bit dizzy. There are a lot of changes happening.
By the start of 2024, five states will have comprehensive data laws in effect with more on the horizon. The first step for companies is to assess which aspects of these regulations may impact their business operations. Organizations must start thinking about preparing for privacy regulations in the long term, even if current regulations don’t apply.
Preparing for and understanding privacy regulations can present confusing questions, but that’s why DataGrail is here. Once you assess how these regulations may impact your business, it’s time to start taking proactive privacy steps like building a data map, organizing and fulfilling DSRs, and conducting risk assessments. These are great ways to understand the strengths and opportunities within your data privacy program.
With DataGrail’s Help, Companies Can Take Action Now
More state privacy laws are coming, and they’re likely to bring additional enforcement models and agencies like the CPPA. Federal regulations have been proposed in the past, and it’s safe to say that some form of federal regulation is likely coming. If federal data privacy laws do come to pass, they could layer on top of state regulations, further muddying the waters for businesses operating in the U.S.
It’s an exciting — and confusing — time for data privacy, which is why we’re digging into these regulations. We want to help businesses operating within regulated states, but further, companies across the U.S. must prepare for what’s to come. We don’t want you to be caught off guard when new state regulations or a federal policy come into play.
Want to talk about your organizational goals and how to prepare for increasing data privacy regulations? We’d love to meet you. Contact us today to learn more about our comprehensive data privacy platform and how it can help you achieve privacy peace of mind.