Although there have been many attempts over the past decades to coordinate data privacy and protection, there is no comprehensive federal law that governs data privacy in the U.S.; existing federal statutes cover only specific sectors such as health or financial data. In the absence of such a regulatory framework, some states have passed comprehensive data privacy laws that control how personal information is collected, how data subjects are informed, and what control data subjects retain over their information once it has been collected. At present, California, Colorado, and Virginia have enacted comprehensive data privacy laws on a state level, and many other states, including New York and Massachusetts, are considering their own versions.
While these state laws are generally inspired by the European General Data Protection Regulation (GDPR), they vary widely in the level of data privacy and protection they require, in their scope, and in the obligations they place on businesses. Even though keeping up with these regulations can be complex and time-consuming, businesses and employers need to monitor the developments in 2022 data privacy laws that affect their users. Otherwise, they may face significant fines or lawsuits.
State-Level Data Privacy Laws in the U.S.
In recent years, data privacy has gained momentum as a significant issue in state legislatures. As a result, an increasing number of state legislatures have been considering a more comprehensive approach to privacy regulation. Following the enactment of the California Consumer Privacy Act (CCPA), and the follow-up California Privacy Rights Act (CPRA), a number of jurisdictions have introduced similar measures, granting consumers more expansive rights over their personal information.
The patchwork of state privacy laws creates a significant challenge for employers and businesses: each state's law differs from the others, so complying with every applicable law is time-consuming and costly. It is therefore critical to understand the key state data privacy laws that have been enacted so far:
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) was the first comprehensive state data privacy law in the U.S. It was signed into law on June 28, 2018, and went into effect on January 1, 2020. It currently applies to for-profit businesses that collect personal information from California residents and meet any of the following thresholds:
- At least $25 million in gross annual revenue,
- Buy, sell, or share the personal information of at least 50,000 California consumers, households, or devices for commercial purposes, or
- Derive 50% or more of their annual revenue from selling personal information.
Note that the CPRA (below) raises the second threshold to 100,000 consumers or households and drops devices from the count as of January 1, 2023.
The CCPA also introduces important definitions and broad individual consumer rights, and imposes substantial duties on entities or persons that collect personal information about or from a California resident. These duties include informing consumers at or before the point of collection about what is collected and why, and giving them the ability to access and delete that information and to opt out of its sale. A right to correct inaccurate information is added by the CPRA, not the original CCPA.
When it comes to non-compliance, the law gives companies 30 days to cure a violation after being notified of it. Failure to cure leads to a civil penalty of up to $2,500 for each unintentional violation and $7,500 for each intentional violation. Separately, consumers have a private right of action, with statutory damages of $100 to $750 per consumer per incident, for data breaches caused by a failure to maintain reasonable security. Be aware that the CPRA removes the 30-day cure period for civil penalties from January 1, 2023.
California Privacy Rights Act (CPRA)
On November 3, 2020, Californians voted to approve Proposition 24, a ballot measure that creates the California Privacy Rights Act (CPRA), which amends and extends the CCPA. The CPRA goes into effect on January 1, 2023, and applies to personal information collected on or after January 1, 2022. It covers information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It excludes de-identified data, publicly available information, and aggregate consumer information.
Compared to the CCPA, this law adds the following:
- A right to correction, which gives consumers the right to have inaccurate personal information corrected,
- A right to limit the use and disclosure of their sensitive personal information, and
- A new category of sensitive personal information within the definition of personal information. Certain types of information, such as a consumer's Social Security number, government ID numbers, precise geolocation, account credentials, and health or biometric data, must therefore be treated with special protections.
Apart from this, the CPRA also:
- Triples the fine for violations involving the personal information of consumers under the age of 16,
- Expands the private right of action for breaches beyond unencrypted personal information to breaches of an email address in combination with a password or security question and answer that would permit access to the consumer's account,
- Limits how long a company may retain a consumer's information to what is reasonably necessary for the disclosed purpose, and requires that retention periods be disclosed,
- Requires companies that share personal information with service providers, contractors, and third parties to bind them by contract to the same level of privacy protection as the first party, and
- Establishes a new privacy regulator, the California Privacy Protection Agency, which takes over rulemaking and shares enforcement with the Attorney General.
Fines for non-compliance range from $2,500 to $7,500 per violation, and the higher $7,500 penalty applies automatically to violations involving the personal information of anyone under the age of 16, whether or not the violation was intentional. Given the speed and volume of changes in privacy compliance requirements, businesses should review their obligations and prepare for the CPRA before it takes effect, as it is currently the most extensive consumer privacy law in the U.S.
Virginia’s Consumer Data Protection Act (CDPA)
The Virginia Consumer Data Protection Act (CDPA) was signed into law by Governor Ralph Northam on March 2, 2021, and goes into effect on January 1, 2023. It protects the consumer, defined as a natural person who is a Virginia resident acting in an individual or household context (employees and business contacts are excluded), and it protects personal data, defined as any information that is linked or reasonably linkable to an identified or identifiable natural person.
It applies to entities that conduct business in Virginia or produce products or services targeted to Virginia residents and that, during a calendar year, do either of the following:
- Control or process the personal data of at least 100,000 consumers, or
- Control or process the personal data of at least 25,000 consumers and derive over 50% of their gross revenue from the sale of personal data.
The CDPA requires covered controllers to obtain opt-in consent before processing sensitive data, to disclose in their privacy notice whether they sell personal data or use it for targeted advertising, and to let consumers opt out of the sale of their data, targeted advertising, and profiling that produces legal or similarly significant effects. It also requires a clear privacy notice describing the categories of data processed, the purposes of processing, and how consumers can exercise their rights, including the opt-out of targeted advertising.
The CDPA is enforced exclusively by the Virginia Attorney General's Office; there is no private right of action. A controller has 30 days to cure a violation after the Attorney General notifies it of the alleged violation. If the controller fails to cure the violation within this period, the Attorney General may seek civil penalties of up to $7,500 per violation.
Colorado Privacy Act (CPA)
The Colorado Privacy Act (CPA) became the third comprehensive state data privacy law adopted in the U.S. It was unanimously passed on May 26, 2021, and signed into law on July 7, 2021, by Governor Jared Polis. The law goes into effect on July 1, 2023. The CPA shares many features with California's CCPA and CPRA and with Virginia's CDPA, and it borrows some terms and ideas from the EU's General Data Protection Regulation (GDPR). However, certain elements distinguish the Colorado law from the others and require additional compliance effort from companies that fall within its jurisdiction.
It protects personal data, defined as information that is linked or reasonably linkable to an identified or identifiable individual. The CPA excludes de-identified data and publicly available information, but it does not specify whether aggregate information is excluded. It applies to businesses that conduct business in Colorado or target Colorado residents and that, during a calendar year, either control or process the personal data of 100,000 or more consumers, or control or process the personal data of 25,000 or more consumers and derive revenue (or receive a discount) from the sale of personal data.
There is no private right of action; the Attorney General of Colorado and district attorneys enforce the CPA. A violation is treated as a deceptive trade practice under the Colorado Consumer Protection Act, so enforcers can seek civil penalties or injunctive relief. Before taking action, however, the Attorney General or district attorney must issue a notice of violation and allow the company 60 days to cure the alleged violation. This right to cure expires on January 1, 2025; after that date, controllers can instead seek opinion letters and interpretive guidance from the Attorney General's office, but a violation can be pursued without a cure period.
Meeting Data Privacy Laws Requirements
In the absence of a comprehensive federal data privacy law in the U.S., more state laws will come into effect in the coming months and years. As a result, businesses face an increasingly challenging task in complying with multiple, overlapping regulations.
While many of these data privacy regulations share a common approach, their differences can be hard to identify and apply, especially for businesses that operate in several jurisdictions. To avoid steep penalties, lawsuits, and the other consequences of non-compliance, organizations should carefully review the data privacy laws that apply to them and ensure they meet every applicable requirement. In practice this means building a privacy program that covers the differences between the laws: the scope of protected data and of covered consumers, the consumer rights that must be honored and the deadlines for responding to requests, opt-in and opt-out mechanisms, data protection assessment requirements, retention limits, and contractual obligations for vendors and third parties. Organizations that lack the in-house expertise can engage outside counsel or a compliance provider to implement a suitable security and privacy framework, draft the necessary policies, and keep that program current as the regulations continue to change.