December 23, 2022 By Josh Nadeau 5 min read

Privacy laws are nothing new when it comes to modern-day business. However, since the global digitization of data and the sharing economy took off, companies have struggled to keep up with an ever-changing legal landscape while still fulfilling their obligations to protect user data. The challenge is that there is no one-size-fits-all solution regarding data privacy’s legal requirements. Depending on the location and jurisdiction, data privacy laws can vary significantly in terms of scope and enforcement.

But while the laws may differ from place to place, one common trend is starting to emerge: individual states are taking action to fill the void left by the federal government’s lack of comprehensive data privacy regulation. California is leading this charge with its recently enacted California Consumer Privacy Act (CCPA).

Effective January 1, 2020, the CCPA is the most comprehensive data privacy law in the United States. The law gives Californians new rights concerning their personal information, including the right to know what personal information is being collected about them, the right to know whether their data is being sold and the right to opt out of the sale of their personal information. In addition, the CCPA creates new obligations for businesses handling personal information, including the requirement to provide a “Do Not Sell My Personal Information” link on their websites.

The CCPA has been described as a “game-changer” in the world of data privacy, and it is already having a ripple effect beyond California’s borders. In fact, other states are already starting to emulate California’s approach to creating their own comprehensive data privacy laws.

What you need to know about the newest proposed CCPA amendments

The California Privacy Rights Act (CPRA), which updated the CCPA in 2020, created the California Privacy Protection Agency (CPPA) to replace the state’s attorney general as the designated regulator enforcing CCPA. On July 8, 2022, CPPA issued a notice of its proposed regulations that will go into effect on January 1, 2023.

These proposed regulations, if put into effect as currently written, will significantly impact how certain companies deal with information. Some of the proposed changes include:

Data minimization and retention

The new data minimization regulations require businesses to only collect, use, retain and/or share consumers’ personal information when it is “reasonably necessary and proportionate” to the original purpose for collecting it. Anything not meeting this standard will require additional notice and the consumer’s clear agreement to the terms.

Dark patterns

The new law passed in March 2021 concerning the CCPA bans dark patterns that prevent or make it difficult to opt out. This can include using confusing language, adding more steps to opt out than opting in and requiring the submission of personal information to be removed from further solicitations.

Service provider and contractor agreements

The new regulations place different responsibilities on the service provider and the person or organization receiving the services. Some of these changes broaden which service providers are covered while exempting cross-contextual advertising services. They also institute explicit and specific requirements for contracts with service providers and contractors, such as listing the business purposes of data collection on agreements beyond a mere reference to the purpose of the contract.

Sensitive personal information

If your business manages sensitive personal information, you may need to present a notice about this type of processing. Companies that use or disclose this kind of personal data would have to propose two or more methods for requesting usage limits. At least one of these methods must correspond with how the customer typically interacts with the company — for example, by restricting processing through a “Limit the Use of My Sensitive Personal Information” link.


How do other privacy laws compare to the CCPA?

While many current and proposed regulations surrounding the CCPA are unique to California, the law has served as a model for other states when crafting their own comprehensive data privacy laws.

Below, we’ll cover a few examples of how the CCPA has influenced other states:

Colorado Privacy Act

On September 30, 2022, the Colorado Attorney General’s Office released draft regulations for the Colorado Privacy Act (CPA). The proposed rules are primarily consistent with the California Consumer Privacy Act regulations and do not contain too many new obligations beyond the plain language of the CPA itself. However, some key differences between the CCPA and CPA include the following:

  • The CPA requires disclosure of a new consumer right to appeal a company’s decision on a data subject request.
  • There is significantly more detail regarding how companies will be expected to acknowledge and honor opt-out signal technology (as of 2024) compared to the CCPA regulations.
  • Colorado is taking a more practical approach to loyalty programs than California, clarifying that companies are under no obligation to provide benefits through their programs if it is impossible to do so.

Virginia’s Consumer Data Protection Act

On March 2, 2021, Virginia passed the Consumer Data Protection Act (VCDPA), which gives Virginia consumers control over their data and introduces new regulations around how covered companies collect data, how they must protect it and with whom they can share it. The law, which applies to businesses that operate in Virginia or sell products and services to Virginia residents, has some aspects similar to the EU’s General Data Protection Regulation and California’s Consumer Privacy Act.

However, there are some critical differences between the VCDPA and the CCPA, including:

  • Unlike other privacy acts, the VCDPA stipulates that consumers “must” opt in to the use and collection of sensitive data at the outset. Simply offering an “opt out” feature is not sufficient.
  • Opt-out features, while standard in other privacy acts, are not mandatory under the VCDPA.
  • Businesses may only collect and retain data that is reasonably necessary, and that collection must be disclosed to consumers.

Connecticut Data Privacy Act

The Connecticut Data Privacy Act (CTDPA) will go into effect on July 1, 2023, and is similar to other laws put in place by other states. Companies with operations in Connecticut have up to two years to comply with the new data privacy rules set by the state’s legislature.

While the CTDPA shares similarities with the privacy acts of other states, it is most closely aligned with the framework set out by the VCDPA. The CTDPA applies to companies that do business in Connecticut or produce products or services targeted to Connecticut residents.

The main differentiators with this act relate to threshold requirements and levels of consent required to process collected information. These apply to companies that:

  • Have controlled or processed the personal information of 100,000 people or more for any purpose other than completing a payment transaction.
  • Derive 25% of gross revenue from the sale of personal data while controlling or processing the personal data of at least 25,000 consumers.

Utah Consumer Privacy Act

On March 24, 2022, Utah followed in the footsteps of California, Virginia and Colorado by enacting a consumer data privacy law known as the Utah Consumer Privacy Act (UCPA). The UCPA’s protections only apply to Utah residents acting as individuals and not in a commercial setting. There is an exception for employment or if you work on behalf of another business (B2B).

Similar to the regulations above, the UCPA provides Utah consumers with specific rights. These include the right to access their data, delete it if they please, receive a copy of their data in an accessible format and opt out of the “sale” of their data or its use for targeted advertising purposes.

Unlike the CCPA/CPRA, VCDPA and CPA, the UCPA does not require controllers to conduct data protection assessments before engaging in data processing activities that could harm consumers. It also does not require controllers to conduct cybersecurity audits or risk assessments.

Notable dates companies should be aware of in 2023

With new regulations around the corner, companies must remain aware of upcoming deadlines to avoid penalties. Here are some notable dates companies should keep in mind:

January 1, 2023

  • The CPRA amendments to the California Consumer Privacy Act go into effect.
  • Virginia’s Consumer Data Protection Act goes into effect.

July 1, 2023

  • Enforcement of consumer rights begins for the California Privacy Rights Act.
  • Colorado Privacy Act goes into effect.
  • Connecticut Data Privacy Act goes into effect.

July 1, 2023, to December 31, 2024

  • 60-day cure periods in effect for recorded Connecticut Data Privacy Act violations.

December 1, 2023

  • Utah Consumer Privacy Act goes into effect.

It is clear that the CCPA is having a ripple effect on other states’ data privacy laws. As more and more states enact their own data privacy laws, it is important for companies to be aware of changing compliance requirements. Failure to comply with these laws can result in significant penalties. By staying up-to-date on the latest developments in data privacy law, companies can ensure that they are in line with the latest requirements while also redefining how they approach data privacy.
