Several states, including California and Virginia, are working to pass comprehensive data privacy legislation. This law will require businesses to comply with data privacy regulations and impose broad consumer rights.
In addition to the consumer protections that a business must provide, numerous data security regulations apply. Included are state and federal privacy and data protection requirements.
As one of the nation's first pieces of digital consumer data privacy legislation, the California Consumer Privacy Act (CCPA) has high expectations. Its influence extends beyond the state and encourages other states to pass similar legislation.
The CCPA becomes effective on January 1, 2020, and the California Attorney General (AG) begins enforcing it on July 1, 2020. It applies to any company with a cumulative annual revenue of $25 million or more or that earns at least 50 percent of its annual revenue from selling the personal information of California consumers.
The CCPA grants consumers the right to request that a business disclose the categories of personal information it collects, the reason it collects it, and the parties to whom it sells it. Additionally, the law permits them to opt out of selling their personal information twice yearly.
The New York SHIELD Act expands the expansive state data privacy and security regulations enacted nationwide in recent years. It pertains to all businesses that hold the private information of New York residents, whether or not they conduct business in the state.
The law adds a new section to New York's general business law (NY GBS SS 899-bb) mandating that anyone who licenses computerized data must develop, implement, and maintain reasonable safeguards to protect private information. It also modifies New York's security breach notification law to expand the definition of private information subject to notification requirements.
In addition, substantial penalties are imposed for noncompliance with the new security program requirements and breach notification provisions. These requirements must be familiarized by HR professionals and in-house employment counsel at companies with New York employees.
Signing the UCPA on March 24, 2022, Utah became the fourth U.S. state to enact comprehensive data privacy legislation. The law shares many similarities with California's CPRA, Virginia's CDPA, Colorado's CPA, and Connecticut's CTDPPA; however, it also contains distinctive provisions requiring businesses to reevaluate their privacy practices to comply.
The law applies to Utah-based businesses that generate more than 50 percent of their aggregate revenue from the sale of personal data and control or process the personal data of at least 25,000 Utah consumers. Additionally, it seeks to safeguard children's data.
The UCPA provides consumers with rights such as access, deletion, portability, and the right to opt out of targeted advertising or personal data sales. However, these consumer rights are more limited than those provided by the CCPA/CPRA, the CPA, and the VCDPA.
Like the CCPA, CPA, VCDPA, and UCPA of California, Colorado, Virginia, and Utah, the CTDPA combines consumer protection rights with obligations for enterprises that process personal data. It was signed into law by Governor Lamont on May 10 and goes into effect on July 1, 2023.
The law applies to any entity that processes the personal information of consumers. This includes both "controllers" and "processors" who obtain, use, store, disclose, analyze, or delete personal data on behalf of a controller.
The CTDPA also mandates that businesses conduct data protection assessments before processing consumer-harming data types. In addition, the CTDPA grants consumers new rights, such as the right to have their personal information updated or corrected. In addition, it mandates that businesses provide a privacy notice and implement opt-out mechanisms in response to consumer requests.