There is a good chance that 2023 will go down as the year when consumer privacy and data protection finally took a much-needed leap forward in the United States.
When the clock ticked past midnight on January 1, 2023, the California Consumer Rights Act (CCRA) and the Virginia Consumer Data Protection Act (VCDPA) officially went on the books, soon to be followed by the Colorado Privacy Act (CPA) and the Connecticut Data Privacy Act (CTDPA) on July 1, 2023, and the Utah Consumer Privacy Act (UCPA) on December 31, 2023.
Enforcement for each act varies, with enforcement of the VCDPA beginning on January 1 and the CCRA starting on July 1, 2023. The CPA initially will require the state Attorney General or district attorneys to issue a notice of violation and allow entities 60 days to cure the alleged violation – i.e., a right to cure. The right to cure will sunset on January 1, 2025. Connecticut is similar, but its 60-day right-to-cure option expires on December 31, 2024. In Utah, enforcement begins on December 31, 2023, but in each case, the organization has a 30-day period to fix the violation before damages are sought.
This means there is still time to align business practices with these new regulations without being exposed to fines, and it is important to remember that compliance is required whether or not an organization is located in the state. What matters is whether it compiles and stores data of that state's residents.
Preparing for Privacy Regulations
In the United States, there is no cookie-cutter approach to ensuring your organization is in compliance with local privacy regulations since each state regulates privacy on its own, unlike the EU's more sweeping General Data Protection Regulation (GDPR). This means an organization must meet its state's regulations and those of the other states where it conducts business.
On the plus side, most of the privacy acts going into effect in the U.S. are similar. Still, there is enough difference that a company could quickly find itself in trouble if it doesn’t understand the finer points of the law under which it operates.
Legal and human resources departments must determine what regulations are applicable. Then they need to understand who they are working with, where they are located, what type of business it conducts, as some have exemptions (like the U.S. government, which does not have to comply with GDPR), what the business-to-business relationship is, and what rules the other businesses have to follow.
Who is Impacted
All of the newly instituted and upcoming acts vary to some extent on how they define a consumer and how an organization must comply with the regulations. However, in general, each law is designed to protect consumers residing in its state, giving these people the right to access their personal data and to request that an organization delete it. The regulations also require organizations to conduct data protection assessments related to processing personal data for targeted advertising and sales purposes.
For example, every business in California must comply if it has gross revenues in excess of $25 million during the preceding calendar year; alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households; or derives 50 percent or more of its annual revenues from selling or sharing consumers' personal information. The Virginia code differs by including entities that control or process the personal data of at least 100,000 consumers in a calendar year, or the personal data of at least 25,000 consumers while deriving over 50 percent of gross revenue from the sale of that data.
Privacy regulations are taken very seriously by the California Attorney General, with one company being hit with a $1.2 million fine under the previously enacted California Consumer Privacy Act (CCPA). The general guidelines state that those not complying with the CCRA and CCPA face fines of $2,000 per violation, $2,500 for negligent violations, and $7,500 for willful violations.
The Privacy Regulations at a Glance
The privacy acts coming online this year cover much of the same ground as the CCRA, so let's dive into this bit of legislation. Please follow the links above to learn the specifics of the other privacy acts.
Since the California Consumer Privacy Act (CCPA) was the first in the nation when it went into effect three years ago, it became the template for other states to follow. The CCRA is essentially an expansion of the CCPA; in fact, the CCRA is often referred to as CCPA 2.0.
A quick overview. The CCRA was passed by California voters in November 2020 and officially went into effect on January 1, 2023.
The CCRA carries over all the policies from the CCPA but includes two new consumer rights, two new rights when it comes to privacy management, and updates five current CCPA regulations, according to Bloomberg Law. The California Privacy Protection Agency administers the CCRA, and it is enforced by the California Attorney General's office.
Much like the CCPA and the EU's GDPR, the CCRA is designed to protect consumer privacy by forcing businesses to be more transparent regarding data storage, focusing on how consumer data is stored, managed, and distributed. Under the CCRA, a "consumer" is "a natural person who is a California resident, as defined in the state's tax regulations."
New Consumer Rights
The two new rights the CCRA gives consumers are:
- The right to correct inaccurate personal information.
- The right to limit use and disclosure of sensitive personal information, such as opting out of advertising.
In addition, the CPRA expands breach liability to include unauthorized access or disclosure of certain data elements (e.g., email addresses, passwords, or security questions). In other words, the CPRA has broadened what would be considered "breaking the rules."
Under the CCRA, personal information is defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Sensitive personal information is a subsection of personal information that includes:
- A consumer's social security, driver's license, state identification card, or passport number
- A consumer's account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
- A consumer's precise geolocation
- A consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership
- The contents of a consumer's mail, email, and text messages, unless the business is the intended recipient of the communication
- A consumer's genetic data
Now is the Time to Ensure Compliance
CCRA compliance is complex; organizations will need time to ensure their business practices align with the regulation. The CCRA requires:
- Businesses should specifically and clearly inform consumers about how they collect and use personal information and how they can exercise their rights and choice.
- Businesses should only collect consumers' personal information for specific, explicit, and legitimate disclosed purposes, and should not further collect, use, or disclose consumers' personal information for reasons incompatible with those purposes.
- Businesses should collect consumers' personal information only to the extent that it is relevant and limited to what is necessary in relation to the purposes for which it is being collected, used, and shared.
- Businesses should provide consumers or their authorized agents with easily accessible means to allow consumers and their children to obtain their personal information, to delete it, or correct it, and to opt out of its sale and the sharing across business platforms, services, businesses and devices, and to limit the use of their sensitive personal information.
- Businesses should not penalize consumers for exercising these rights.
- Businesses should take reasonable precautions to protect consumers' personal information from a security breach.
- Businesses should be held accountable when they violate consumers' privacy rights, and the penalties should be higher when the violation affects children.
When it comes to privacy compliance, the devil is in the details. Organizations are being asked to handle data in a much different and more open manner than many are accustomed to, but in the end, this must be looked at as a net positive. In fact, it helps tick off several boxes that security professionals say will make an organization safer.
Eliminating out-of-date or unnecessary personal data limits what a cybercriminal can steal, which may make an organization a less attractive target. Is customer information from 2002 still needed?
In addition, the various privacy acts force organizations to know where personal data is stored and who is contained in their database, and this makes it easier to cull this information upon request.