After the California Consumer Privacy Act was passed in 2018, multiple states proposed similar data privacy legislation to protect consumers in their states. Although many of these bills failed to become law, state privacy laws will certainly continue to develop, making it necessary for businesses to stay abreast of the changing state privacy landscape.
US Federal Data Privacy Legislation
While there is no federal law that governs data privacy in the United States, there is a set of laws and regulations that address telecommunications, health information, credit information, financial institutions, and marketing.
The Federal Trade Commission Act aims to prevent unfair or deceptive trade practices and uses its authority to issue regulations, enforce privacy laws, and take enforcement actions to protect consumers. However, it does not explicitly regulate what information should be included in website privacy policies.
In addition to this, other federal laws that govern the collection of information online are:
- The Children’s Online Privacy Protection Act (COPPA),
- The Health Insurance Portability and Accountability Act (HIPAA),
- The Gramm-Leach-Bliley Act (GLBA), and
- The Fair Credit Reporting Act (FCRA).
State Data Privacy Legislation
Even though there is no data privacy legislation at the federal level, U.S. states have been moving ahead to push through an impressive number of important privacy bills. Following the passage of the far-reaching General Data Protection Regulation (GDPR) in 2016, California signed into law the California Consumer Privacy Act (CCPA).
In November 2020, California voters approved the California Privacy Rights Act (CPRA), which creates a new consumer privacy agency and aligns privacy regulations more closely with the GDPR.
In addition to this, more than 25 other U.S. states have introduced comprehensive data privacy bills. However, only Colorado and Virginia have enacted comprehensive consumer data privacy laws.
California Consumer Privacy Act (CCPA)
As the most comprehensive state data privacy legislation to date, CCPA went into effect on January 1, 2020. It introduced important definitions and broad individual consumer rights and imposed duties on entities or persons that collect personal information about or from a California resident. These duties include informing data subjects when and how data is collected and giving them the ability to access, correct, and delete such information.
In addition to this, the adoption of the CCPA encouraged other U.S. states to enact similar laws, thus beginning a nationwide movement to protect the privacy of consumers online.
The California Privacy Rights Act (CPRA)
The CPRA amends the CCPA by widening rights for California residents and creating new compliance obligations for businesses. It expands on multiple provisions of the CCPA, including sensitive data, consumer rights, data minimization, purpose limitation, and actionable data in a breach. The CPRA also establishes a new privacy regulator, the California Privacy Protection Agency, to implement regulations, conduct investigations, and bring enforcement actions. Governed by a five-member board, the Agency will start enforcing six months after the CPRA goes into effect on July 1, 2023.
While both the CCPA and CPRA were inspired by the GDPR, there are some important differences. Among the major ones are applicability, territoriality, the scope of the protected data, the data protection officer requirement, and the data protection impact assessment requirements.
Virginia’s Consumer Data Protection Act (CDPA)
Virginia’s Consumer Data Protection Act (CDPA) was passed on March 2, 2021. The law has two main goals:
- providing Virginia residents with expanded rights in connection with their personal data, and
- imposing obligations on businesses, such as securing personal data, limiting the use of personal data for disclosed purposes, and flowing down requirements to processors receiving personal data.
CDPA contains some similarities to the EU GDPR’s provisions and the CCPA. It applies to entities that do business in Virginia or sell products and services targeted to Virginia residents and also do one of the following:
- Control or process the personal data of 100,000 or more consumers, or
- Control or process the personal data of at least 25,000 consumers and earn 50% of their revenue by selling personal information.
Colorado Privacy Act (CPA)
In June 2020, Colorado joined California and Virginia and became the third U.S. state to pass comprehensive data privacy legislation. The Colorado Privacy Act (CPA) is set to take effect on July 1, 2023.
The CPA contains some similarities to the CCPA, the CPRA, Virginia’s CDPA, and it even borrows some terms and ideas from the EU’s GDPR. It applies to businesses that collect personal data from 100,000 Colorado residents or collect data from 25,000 Colorado residents and derive a portion of revenue from the sale of that data.
The CPA lists five rights granted to Colorado residents once the law becomes effective. They are:
- The right to opt-out of targeted ads, the sale of their personal data, or being profiled,
- The right to access the data a company has collected about them,
- The right to correct data that’s been collected about them,
- The right to request the data collected about them is deleted, and
- The right to data portability.
Preparing for the Development of Data Privacy Legislation
Understanding comprehensive data privacy legislation is a necessary first step toward developing compliance programs. As the landscape becomes increasingly complex, it is critical that businesses do their due diligence to understand which laws they are subject to and to comply accordingly.
Given that other U.S. states will continue with their efforts to pass far-reaching data privacy legislation, companies should start adopting new technologies to classify personal data, delete unnecessary data, protect all collected personal data, and continuously monitor stored data. While this can require significant changes for many institutions, they can simplify the entire process by automating the collection, processing, and sharing of personal data, reducing the burden that results from more states adopting data privacy legislation. As a result, employers can protect their organizations from potential penalties with minimal impact on their operations and bottom line.