In an era marked by rapid technological advancements and an ever-increasing dependence on digital platforms, data privacy has emerged as a critical concern. To address these concerns, several U.S. states have implemented strict data protection regulations. Starting in July 2023, Virginia, Connecticut, Colorado and Utah will enforce fines for non-compliance with these regulations, holding businesses accountable for mishandling sensitive information.
Currently, nine states (California, Virginia, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee and Montana) have comprehensive data privacy laws. Additionally, around 16 states introduced privacy bills during the 2022-23 legislative cycle, covering various issues such as biometric identifiers and health data. Proposed bills in other states (e.g., Illinois, Massachusetts, Minnesota, New York, Pennsylvania) offer similar rights but may differ in implementation and enforcement.
As new regulations come into effect, it is crucial for individuals and businesses to grasp their implications fully. Understanding the scope of these regulations and their specific requirements is essential for compliance. Let's understand what these regulations entail, who they apply to and what businesses need to do to avoid penalties and reputational harm.
Understanding the scope of the regulations
The upcoming data privacy regulations in VA, CT, CO and UT draw inspiration from the GDPR which are considered a global benchmark for data privacy protection and share similarities with the California Consumer Privacy Act (CCPA), one of the most comprehensive data privacy laws in the United States. Understanding the scope of these regulations is critical to creating an effective security and compliance strategy. Here's what security leaders need to know:
- Connecticut (CT): Connecticut's primary data privacy law (2022 S.B. 6/Public Act No. 22-15), establishes standards for companies to control and process personal data of Connecticut residents. It grants residents the right to access, correct and opt out of data processing. Effective from July 1, 2023, the law includes additional safeguards under Conn. Gen. Stat. § 42-471, ensuring personal information is protected from third-party misuse and properly disposed of. It also requires companies collecting Social Security numbers to publicly post privacy protection policies. The Attorney General must notify the controller of remediable violations, allowing a 60-day "right to cure." This provision expires on December 31, 2024. Willful violations can result in fines up to $5,000, along with attorney fees, actual and punitive damages. Violating restraining orders or injunctions can lead to penalties of up to $25,000.
- Virginia (VA): Virginia's Consumer Data Protection Act (2021 H.B. 2307/2021 S.B. 1392) regulates data control and processing for businesses, granting consumer rights to access, delete, correct and opt out of data processing for advertising. It applies to non-government companies handling data from 100,000+ consumers, earning over half their revenue from selling personal data from 25,000+ consumers. Enforced since January 1, 2023, the law carries penalties of up to $7,500 per violation for non-compliant companies, which means that for every 1000 customers a non-compliant organization can end up paying fines over US$7.5 million.
- Colorado (CO): Colorado's data privacy law, part of the Consumer Protection Act applies to businesses processing data from 100,000+ consumers or 25,000+ Colorado residents while earning revenue from data sales. It grants residents rights to opt out of targeted advertising and data sales, and access, delete, correct and obtain their data. Enforcement is carried out by the Colorado Attorney General and district attorneys, with penalties up to $20,000 per violation and a maximum of $500,000 lifetime for related violations.
- Utah (UT): Utah's Consumer Privacy Act (2022 S.B. 227) grants consumers rights to know and confirm processing activity, access, delete and obtain a portable copy of their data, opt out of sales and targeted advertising and avoid discrimination. Effective from December 31, 2023, it is enforced by the Utah Attorney General, who can impose fines of up to $7,500 per violation. The UCPA does not create a private right of action for consumers.
- California (CA): The California Consumer Privacy Act (CCPA), modified by the California Privacy Rights Act (CPRA), has undergone notable changes. On July 8, 2022, the California Privacy Protection Agency (CPPA), California's privacy regulator, unveiled proposed regulations for the updated CCPA, set to be effective from January 1, 2023.
This includes forthcoming information on automated decision-making, cybersecurity audits and data processing risk assessments. Personnel and B2B contacts will be treated as consumers under the CCPA. Consumers can limit data collection and use, including geolocation data within 1,850 ft. Businesses must disclose data retention policies and avoid excessive retention. Data sharing for cross-context behavioral advertising can be prevented by consumers. The 30-day "cure" period for enforcement actions is removed. Penalties for mishandling children's information have tripled to $7,500 per incident, increasing non-compliance repercussions.
What businesses need to know
In order to prevent non-compliance, businesses need to proactively take measures to stay ahead of threats and violations. Here are some essential points that businesses should acquaint themselves with as the initial step towards ensuring compliance.
Decode regulations and remediation scope
Having a detailed knowledge of the changing regulations enables effective implementation for businesses navigating data privacy. Additionally, it is crucial to be aware of the opportunities for remediation in the event of unintentional violations. By promptly addressing non-compliant practices within specified timeframes, businesses can minimize potential penalties and maintain strict compliance with the regulations.
Conduct impact assessment
Assess the potential impact of these regulations on your business operations. Identify areas where personal data is collected, stored, or shared, and evaluate whether current practices align with the new requirements. Identifying gaps will facilitate the implementation of necessary changes.
Consider cross-state implications
To comply with data privacy regulations in multiple states, businesses must be aware of implications in different jurisdictions. For example, if a business in Florida serves customers from Virginia, they must also meet Virginia's data privacy requirements. With privacy regulations in 22 U.S. states, businesses must conduct a thorough analysis of their customer locations to track and adhere to relevant privacy laws in each operating state.
Build comprehensive data privacy practices
To comply with data privacy regulations, businesses must update privacy policies, obtain explicit consent, ensure robust data security and provide accessible channels for consumers to exercise their privacy rights. Ongoing monitoring and automation are vital for tracking and reporting data privacy activities. Additionally, regular updates to applications and systems are crucial for evolving privacy requirements, despite associated costs (coding, updating app processes, etc.). Prioritizing a secure and privacy-conscious environment is essential for user trust.
The U.S. data privacy laws differ in their applicability to digital and paper records. While some laws, like HIPAA, apply to all types of records, others, such as Children’s Online Privacy Protection Act (COPPA), focuses on online data collection. California's previous laws focused on electronic data, including privacy notices and breach reporting. However, the CCPA extended its coverage to both electronic and paper records. The new US data privacy laws take inspiration from the CCPA.
How to avoid fines and reputational damage
Invest in people, processes and technology to strengthen security, compliance and governance. Leverage technology for automated monitoring, threat detection and incident response. Implement encryption, multi-factor authentication and secure coding practices to protect data and prevent reputational damage.
Key priorities for businesses include:
- Transparency and consent: Prioritize transparent data practices, obtain proper consent, clearly communicate data collection purpose, provide access to privacy policies and offer opt-out options for individuals.
- Continuous monitoring: Deploy a unified platform for continuous monitoring to identify and mitigate security and compliance risks effectively. Automating security, compliance and governance ensures comprehensive visibility, continuous assessment, prioritized mitigation and reduces risks for a better TCO.
- Proactive approach: Take a proactive approach by conducting regular risk assessments, audits and implementing strong security measures to prevent breaches and compliance failures before they happen.
- Building a framework and controls: Organizations must establish a framework, implement controls and adopt industry-recognized standards (e.g., ISO 27001, NIST Cybersecurity Framework) to protect sensitive data and ensure compliance. This involves defining policies, implementing technical measures like access controls, encryption and data loss prevention.
- Timely reporting: Demonstrate regulatory adherence and industry alignment, supporting audits and investigations to verify compliance. Deploying an application-centric solution automates control mapping, artifact creation and audit report generation, enabling continuous monitoring and prompt compliance management.
- Employee training and education: Invest in training and educating employees on privacy, security and compliance requirements to foster awareness and accountability, reducing errors. It is crucial for employees to understand the consequences of not following established processes, benefiting both themselves and the organization.
- Process validation and documentation: Validate processes, ensure alignment with privacy regulations and security best practices, conduct internal audits, document procedures and maintain accurate records. Well-documented processes serve as training material and aid in implementing automation technologies.