Data privacy advocates rejoice! 2023 is going to be one for the legislative history books, with the enforcement of four new state data privacy laws in the US.
Colorado, Connecticut, Utah, and Virginia will all begin enforcing GDPR-style legislation this year, closely following in the footsteps of California – the first ever state to implement a consumer privacy regulation in America.
The gold rush of data privacy laws is a watershed moment; one that will undoubtedly spark a domino effect of privacy statutes across the country.
As the underlying philosophy of America’s approach to data privacy morphs, organizations must take note and augment their infrastructure accordingly.
Read on to find out how.
The story so far
You might be thinking, doesn’t the US already have privacy laws like the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA)?
It does, but these laws are built on a “harm-prevention” approach. They allow organizations to collect and use citizens’ data, but seek to ensure this data is adequately protected from misuse or leakage – and only within certain sectors.
For example, HIPAA applies to healthcare organizations that interact with patient health information (PHI), while the GLBA governs financial institutions that work with credit card information and so on.
Until now, many American organizations have had unbridled power to collect, store and share personal information without much governance. But the newest slew of state-enacted privacy laws take a broader, rights-based approach to data protection, taking a leaf out of the GDPR. Under these laws, individuals are in control over their personal information, and they can decide who uses it and how.
GDPR: the inspiration for change
The General Data Protection Regulation (GDPR) is the driving force – the inspiration – behind the pivot towards a rights-based philosophical framework in the US. California, Colorado, Connecticut, Utah, and Virginia all looked to the GDPR to design their directives.
By understanding the GDPR, organizations can better understand the principles that underpin each of these state laws – and all the ones that are yet to come.
Vitally, the new state privacy laws are comprehensive in nature. All businesses that collect, process and store citizen data are subject to the law. No matter your organization’s sector, if you collect personally identifiable information (PII), you must take note.
With that in mind, here is an outline of the rights of individuals with regard to their personal data, as set out in the GDPR. Note that rights vary in accordance with the level of information sensitivity. Data that is deemed highly sensitive requires more protection and care than other types.
GDPR principles: an overview
Under the GDPR, individuals have the right to…
- Access: The right to request access to their personal data
- Correction: The right to request correction of any errors in their personal information
- Portability: The right to request that their personal information be transferred to another entity
- Erasure: The right to request that their personal information be erased
- Consent: The right to choose whether their personal information can be shared with or sold to third parties, or used for advertising purposes
- Appeal: The right to appeal under law if a business denies one of the above requests
Beyond empowering individuals with these rights, the GDPR also puts in place controls that organizations must implement to ensure the confidentiality, integrity and availability of personal information, including:
- Privacy by design: The organization must implement a data management system using the principles of privacy by design, using techniques such as data mapping and data loss prevention (DLP). The goal is a system whereby the organization knows where all personal data is at all times, and that data is protected appropriately according to its sensitivity.
- Record keeping: The organization must keep adequate records for all personal information collected, processed and used throughout its lifecycle.
- Data minimization: Organizations must only collect the information they need from an individual to accomplish a specific purpose. This information, especially if it is deemed sensitive, must only be kept for the duration needed to serve its intended purpose, after which it should be deleted.
- Informed consent: Organizations must gain informed consent from individuals before collecting their data. They must be transparent about their intended uses in language that is clear and simple for the individual to understand, and the individual can decline their request as they see fit.
- Data protection officers and data protection impact assessments: Organizations, where applicable, must appoint a data protection officer to oversee compliance and privacy initiatives. As part of their duties, they will also perform data protection impact assessments to identify and mitigate risks.
- Cybersecurity effectiveness: Organizations should implement cybersecurity best practices to safeguard data from malicious actors and accidental leakage.
- Data breach notifications: Organizations must prepare and rehearse an incident response plan, which should be put into action in the event of a data breach. Part of the incident response process includes notifying appropriate entities in a timely manner.
- Employee education and training: Employees must be educated on privacy protection policies, and access to sensitive information must be limited to a need-to-know basis among the employee population.
- Third-party risk management: Organizations must take into account their partners and suppliers within their risk management framework, ensuring that contracts include language and controls regarding how suppliers will protect personal information.
The above list of principles and rights is not an encyclopedic take on the GDPR. The regulation has 99 articles with many more nuanced controls and principles.
However, becoming familiar with these key aspects of the law will help you better understand the US state laws that have come into effect. While the details of these laws vary slightly, the underlying philosophy and principles are heavily drawn from the above.
This year’s state data privacy statutes
Now that we understand the GDPR’s guiding principles, we can take an informed look at the state data privacy laws coming into effect in 2023. Note that sector-focused, federal laws still take precedence over state enactments.
The state laws are as follows:
California put the California Consumer Privacy Act (CCPA) into effect in 2020. This year brings the California Privacy Rights Act (CPRA), which became effective this month, January 2023.
On top of the regulations in the CCPA, the CPRA gives consumers the right to:
- Edit and update personal information that is inaccurate
- Limit how companies use and disclose data about them
The new law also places additional demands on organizations to put special controls in place to protect highly sensitive personal information like social security numbers and biometric data.
The Connecticut Data Privacy Act (CDPA), like Colorado’s law, goes live on July 1, 2023. The CDPA closely follows the thinking of the GDPR, requiring controls like data minimization, a strong cybersecurity framework and data protection impact assessments.
The Colorado Privacy Act (CPA) will become active in July 2023. Again, it mimics the language of the CCPA and GDPR. However, while the GDPR takes an “opt-in” approach, whereby users must consent to entities processing their data, the CPA takes an “opt-out” approach, meaning organizations can collect user data by default. While this law isn’t as progressive as the GDPR in that respect, it is certainly a step in the right direction.
Virginia’s law emulates other state privacy laws and the thinking of the GDPR, but with some carve-outs, such as a right to opt out rather than opt in. This law came into effect in January 2023.
The Utah Consumer Privacy Act (UCPA) comes into effect on Dec. 31, 2023. It takes a lot of its terminology from the GDPR, although it does not include explicit language regarding risk assessments. Like Colorado and Virginia, Utah excludes employee and B2B data entirely from the regulation.
Within each of these state statutes, there are slight variations regarding applicability based on revenue thresholds, data processing powers and more. So, if you operate in one of these states, we recommend carefully reviewing each law’s scope and requirements to ensure you are compliant by the deadline.
Plus, even if you are so far unimpacted by the state privacy law onslaught, we recommend you start implementing the principles of these laws as a matter of urgency. More state laws are making their way through the legislative process as we speak. Soon, every business will need to adhere to a privacy regulation of some sort.
You don’t want to be scrambling at the last minute. Preparation is vital.
Moreover, incorporating the controls of the GDPR into your organization’s IT infrastructure will bolster your cybersecurity maturity, better enabling you to protect against data theft and data leakage. This, in turn, can do wonders for the bottom line.
We all know just how expensive a data breach can be – especially in terms of compliance fines. Aiming for an exemplary privacy framework can undoubtedly be a competitive differentiator in that sense.
As state privacy laws accelerate, Congress is also reviewing the American Data Privacy and Protection Act, a proposed federal law that would unify data privacy rights across the country. Whether or not the law passes this year, one thing is certain: in 2023, we crossed a data privacy threshold and there’s no looking back.
Elevate your privacy program
If you need support in complying with state or federal privacy laws, look no further than Polymer DLP.
Our tool is your virtual compliance officer in the cloud, using the power of natural language processing (NLP) and automation to discover, monitor and protect information like PII and PHI across apps like Slack, Box and Teams.
Assess your compliance with the GDPR and CCPA today with a free Polymer risk scan.