December 23, 2022 By Josh Nadeau 5 min read

Privacy laws are nothing new when it comes to modern-day business. However, since the global digitization of data and the sharing economy took off, companies have struggled to keep up with an ever-changing legal landscape while still fulfilling their obligations to protect user data. The challenge is that there is no one-size-fits-all solution regarding data privacy’s legal requirements. Depending on the location and jurisdiction, data privacy laws can vary significantly in terms of scope and enforcement.

But while the laws may differ from place to place, one common trend is starting to emerge: individual states are taking action to fill the void left by the federal government’s lack of comprehensive data privacy regulation. California is leading this charge with its recently enacted California Consumer Privacy Act (CCPA).

Effective January 1, 2020, the CCPA is the most comprehensive data privacy law in the United States. The law gives Californians new rights concerning their personal information, including the right to know what personal information is being collected about them, the right to know whether their data is being sold and the right to opt out of the sale of their personal information. In addition, the CCPA creates new obligations for businesses handling personal information, including the requirement to provide a “Do Not Sell My Personal Information” link on their websites.

The CCPA has been described as a “game-changer” in the world of data privacy, and it is already having a ripple effect beyond California’s borders. In fact, other states are already starting to emulate California’s approach to creating their own comprehensive data privacy laws.

What you need to know about the newest proposed CCPA amendments

The California Privacy Rights Act (CPRA), which updated the CCPA in 2020, created the California Privacy Protection Agency (CPPA) to replace the state’s attorney general as the designated regulator enforcing CCPA. On July 8, 2022, CPPA issued a notice of its proposed regulations that will go into effect on January 1, 2023.

These proposed regulations, if put into effect as currently written, will significantly impact how certain companies deal with information. Some of the proposed changes include:

Data minimization and retention

The new data minimization regulations require businesses to only collect, use, retain and/or share consumers’ personal information when it is “reasonably necessary and proportionate” to the original purpose for collecting it. Anything not meeting this standard will require additional notice and the consumer’s clear agreement to the terms.

Dark patterns

The new law passed in March 2021 concerning the CCPA bans dark patterns that prevent or make it difficult to opt out. This can include using confusing language, adding more steps to opt out than opting in and requiring the submission of personal information to be removed from further solicitations.

Service provider and contractor agreements

The new regulations place different responsibilities on the service provider and the person or organization receiving the services. Some of these changes broaden which service providers are covered while exempting cross-contextual advertising services. They also institute explicit and specific requirements for contracts with service providers and contractors, such as listing the business purposes of data collection on agreements beyond a mere reference to the purpose of the contract.

Sensitive personal information

If your business manages sensitive personal information, you may need to present a notice about this type of processing. Companies that use or disclose this kind of personal data would have to propose two or more methods for requesting usage limits. At least one of these methods must correspond with how the customer typically interacts with the company — for example, by restricting processing through a “Limit the Use of My Sensitive Personal Information” link.

Learn about IBM Security Guardium Insights

How do other privacy laws compare to the CCPA?

While many current and proposed regulations surrounding the CCPA are unique to California, the law has served as a model for other states when crafting their own comprehensive data privacy laws.

Below, we’ll cover a few examples of how the CCPA has influenced other states:

Colorado Privacy Act 

On September 30, 2022, the Colorado Attorney General’s Office released draft regulations for the Colorado Privacy Act (CPA). The proposed rules are primarily consistent with the California Consumer Privacy Act regulations and do not contain too many new obligations beyond the plain language of the CPA itself. However, some key differences between the CCPA and CPA include the following:

  • The CPA requires disclosure of a new consumer right to appeal a data subject request decision of a company.
  • There is significantly more detail regarding how companies will be expected to acknowledge and honor opt out signal technology (as of 2024) compared to CCPA regulations.
  • Colorado is taking a more practical approach to loyalty programs than California, showing that companies are under no obligation to provide benefits through their programs if it is impossible to do so.

Virginia’s Consumer Data Protection Act

On March 2, 2021, Virginia passed the Consumer Data Protection Act (VCDPA), which gives Virginia consumers control over their data and introduced new regulations around how covered companies collect data, how they must protect it and with whom they can share it. The law, which applies to businesses that operate in Virginia or sell products and services to Virginia residents, has some aspects similar to the EU’s General Data Protection Regulation and California’s Consumer Privacy Act.

However, there are some critical differences between the VCDPA and the CCPA, including:

  • Unlike other privacy acts, the VCDPA stipulates that the use and collection of sensitive data “must” be opted in at the outset. Simply allowing an “opt out” feature is not sufficient.
  • Opt out features, while standard in other privacy acts, are not mandatory features in the CDPA.
  • Businesses can only collect and retain reasonably necessary data that requires disclosure to consumers.

Connecticut Data Privacy Act

The Connecticut Data Privacy Act (CTDPA) will go into effect on July 1, 2023, and is similar to other laws put in place by other states. Companies with operations in Connecticut have up to two years to comply with the new data privacy rules set by the state’s legislature.

While the CTDPA shares similarities with other privacy acts in other states, it is associated with the laws set out by the VCDPA. The CTDPA applies to companies that do business in Connecticut or produce products or services targeted to Connecticut residents.

The main differentiators with this act relate to threshold requirements and levels of consent required to process collected information. These apply to companies that:

  • Have overseen or collected the personal information of 100,000 people or more for anything other than completing a payment transaction.
  • Reported gross revenue from the sale of personal data representing 25% of total income when controlling or processing the personal data of at least 25,000 consumers.

Utah Consumer Privacy Act

On March 24, 2022, Utah followed in the footsteps of California, Virginia and Colorado by enacting a consumer data privacy law known as the Utah Consumer Privacy Act (UCPA). The UCPA’s protections only apply to Utah residents acting as individuals and not in a commercial setting. There is an exception for employment or if you work on behalf of another business (B2B).

Similar to the regulations above, the UCPA provides Utah consumers with specific rights. These include the right to access their data, delete it if they please, receive a copy of their data in an accessible way and decline to have their “sale” data be used for targeted advertising purposes.

Unlike the CCPA/CPRA, VCDPA and CPA, the UCPA will not necessitate controllers to do data protection evaluations before partaking in data processing ventures that could harm consumers. It also does not require controllers to conduct cybersecurity audits or risk assessments.

Notable dates companies should be aware of in 2023

With new regulations around the corner, companies must remain aware of upcoming deadlines to avoid penalties. Here are some notable dates companies should keep in mind:

January 1, 2023

  • The CPRA amendments to the California Consumer Privacy Act go into effect
  • Virginia’s Consumer Data Protection Act goes into effect.

July 1, 2023

  • Enforcement of consumer rights begins for the California Privacy Rights Act
  • Colorado Privacy Act goes into effect
  • Connecticut Data Privacy Act goes into effect.

July 1, 2023, to December 31, 2024

  • 60-day cure periods in effect for recorded Connecticut Data Privacy Act violations.

December 1, 2023

  • Utah Consumer Privacy Act goes into effect.

It is clear that the CCPA is having a ripple effect on other states’ data privacy laws. As more and more states enact their own data privacy laws, it is important for companies to be aware of changing compliance requirements. Failure to comply with these laws can result in significant penalties. By staying up-to-date on the latest developments in data privacy law, companies can ensure that they are in line with the latest requirements while also redefining how they approach data privacy.

More from Data Protection

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today