Emerging Privacy Regulations in the United States
Around the world, the demand for adequate data protection is ever increasing, and globally, action is being taken. With each new data protection compliance regulation that comes into effect, the way organizations do business is evolving. Regulations such as the GDPR, LGPD, POPIA, and the India Personal Data Protection Bill, to name a few, affect specified continents and countries, but in the United States, regulations regarding data privacy are currently enacted by individual states, and thus compliance requirements can vary state to state. Currently, there is only one state in the United States that has an active privacy regulation, but in the past year, more states are following suit and passing privacy regulations of their own.
Let’s take a deeper dive into which states are enforcing privacy regulations currently, or in the near future, and what you can do to make sure your organization is compliant.
The California Consumer Privacy Act
California was the first state in the United States to pass their privacy regulation, the California Consumer Privacy Act (CCPA), which went into effect on January 1st, 2020. The CCPA gives consumers more control over the personal information that businesses collect about them and applies to for-profit businesses that do business in California and meet any of the following:
- Have a gross annual revenue of over $25 million
- Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices
- Derive 50% or more of their annual revenue from selling California residents’ personal information
Under the CCPA, California residents have rights when it comes to their data, which include:
- The “right to know” – Residents can request an organization disclose what personal information about them the organization has used, shared, or stored, and why. The organization must provide this information within 12 months of the request and must do so at no charge to the resident
- The “right to delete” – Residents may request that an organization delete collected personal information and have their services providers do the same. However, there are exceptions that allow organizations to keep personal data including, but not limited to, security practices, legal obligations or claims, and types of information exempt from the CCPA, such as consumer credit reporting information
- The “right to opt out” – Residents may request that organizations stop selling their personal information. After the request has been received, an organization may not sell the resident’s information unless the resident authorizes them to do so again
- The “right to non-discrimination” – Organizations cannot deny goods or services, charge different prices, or provide a different quality of goods or services just because a resident exercised their rights under the CCPA. However, if the business needs personal information to provide goods or services, the business may not be able to complete the transaction
Civil penalties imposed under the CCPA are limited to $2,500 per violation or up to $7,500 per each intentional violation. Additionally, violating entities can be subject to an injunction.
The Virginia Consumer Data Protection Act
The Virginia Consumer Data Protection Act (VCDPA) is the second privacy regulation to be passed in the United States, and will come into effect on January 1st, 2023. The VCDPA applies to all persons that conduct business in Virginia and either:
- Control or process personal data of at least 100,000 Virginia consumers; or
- Derive over 50 percent of gross revenue from the sale of personal data from Virginia residents and control or process personal data of at least 25,000 Virginia consumers.
The VCDPA grants Virginia consumers the following rights:
- To know if a controller is processing their personal data and to have access to their personal data
- To correct inaccuracies of their personal data
- To delete their personal data
- To obtain a portable copy of their personal data
- To opt out of the processing of their personal data being sold, used for advertising, or profiling for decisions that would be significant to the consumer
The bill does not apply to state or local governmental entities and contains exceptions for certain types of data and information governed by federal law.
The Attorney General has exclusive authority to enforce the VCDPA, but before doing so, they must provide the organization 30 days written notice that identify the specific violations. If the violations are corrected within 30 days, no further action is taken. If the violation continues after this time period, under the VCDPA regulations, the Attorney General may invoke civil penalties up to $7,500 for each violation.
The Colorado Privacy Act
Colorado is the third state in the United States to pass their privacy regulation, the Colorado Privacy Act (CPA), which will come into effect on July 1st,, 2023. The CPA applies to legal entities that conduct business, or produce commercial products or services, that are intentionally targeted to Colorado residents and that either:
- Control or process personal data of at least 100,000 Colorado consumers per calendar year; or
- Derive revenue from the sale of personal data of Colorado residents and control or process the personal data of at least 25,000 Colorado consumers.
Unlike many other regulations, the rights under the CPA do not apply to all Colorado residents, and do not include individuals acting in a commercial or employment context, such as a job applicant, or beneficiary of someone in an employment context. However, the CPA does grant consumer rights, which include the following:
- The “right to opt out” – Consumers can opt out of a controller processing their data for targeted advertising, the sale of personal data, or profiling for decisions that would be significant to the consumer
- The “right of access” – Consumers have the right to know if a controller is processing their personal data and to have access to their personal data
- The “right to correction” – Consumers have the right to correct inaccuracies of their personal data
- The “right to deletion” – Consumers have the right to delete personal data concerning them
- The “right to data portability” – Consumers have the right to obtain a portable copy of their personal data
A non-compliant entity may be fined up to $20,000 per violation, and only the Attorney General and district attorneys can enforce the CPA. Before any action is taken, they must issue notice of violation and provide the non-compliant entity with written notice and a 60-day cure period to correct the violation. However, this cure period allowance will be going away come January 1st, 2025.
The Utah Consumer Privacy Act
The Utah Consumer Privacy Act (UCPA), cleared the Senate on February 25, 2021 and the bill has since been signed by Utah Governor Spencer Cox, making Utah the fourth state in the United States to set a state privacy regulation. The UCPA will come into effect December 31st, 2023, and will apply to data controllers and processors who:
- Conduct business in the state of Utah or produce a product or service that is targeted to consumers who are residents of the state of Utah,
- Has an annual revenue of $25,000 or more; and
- Satisfies one or more of the following thresholds:
- Processes or controls the personal data of 100,00 or more Utah consumers; or
- Derives over 50% of the entity’s gross revenue from the sale of personal data from Utah citizens or processes data or 25,000 or more Utah consumers.
Under the UCPA, Utah residents will have the following consumer rights:
- “Access” – The right to confirm if a controller is processing their personal data and access their personal data
- “Deletion” – The right to delete the personal data they provided to a controller
- “Portability” – The right to obtain a portable copy of their personal data
- “Opt out of certain processing” – The right to opt out of their personal data being sold or used for targeted advertising
Violations or non-compliance of the UCPA can only be enforced by the Attorney General’s office. Before any enforcement action is taken, the data controller must be provided with written notice of the issue and is entitled to a 30-day cure period, giving them a chance to correct it.
The Massachusetts Information Privacy and Security Act
The proposed Massachusetts Information Privacy and Security Act (MIPSA) has not been passed yet, but continues to advance in the state legislative process. If passed, it would come into effect 18 months from the day of passing. The MIPSA would apply to businesses in Massachusetts who:
- Earns $25 million or more in gross global annual revenue;
- Processes the personal information of 100,000 or more Massachusetts residents; or
- Is a data broker who collects and sells personal information of at least 10,000 Massachusetts residents.
Massachusetts state agencies, government bodies, national security associations, and register futures would be exempt from the proposed MIPSA.
The proposed MIPSA would protect the personal information of all Massachusetts residents, who would be given the right to know, access, port, delete, and correct their personal information. In addition, MIPSA would provide increased protection for sensitive information, such as an individual’s racial or ethnic origin or religious beliefs. Within this act, residents will also have the right to know about the collection and use of sensitive information, and organizations will be required to disclose to residents the necessary purpose of why that sensitive information is needed.
Under the proposed MISPA, if an entity was found in violation, the state Attorney General would conduct a civil investigation and notify the entity that they have 30 days to correct the violation. If the violation was not resolved within that time, the Attorney general could then seek restraining orders, preliminary or permanent injunctions, and civil penalties of up to $7,500 per violation.
The Consequences of Non-Compliance
It’s no secret that dealing with a violation of privacy regulations is costly in all aspects including monetary fines, time, and organizational reputation. Last year in July of 2021, Amazon was found in violation of the GDPR and fined $887 million. With the CCPA already in effect, the CPA and the VDCPA around the corner, and the UCPA and the MIPSA on the horizon, now is the time to start looking to implement a solution that will aid compliance and ensure your organization’s data is appropriately protected.
Strengthen Your Security Ecosystem To Stay Ahead
Organizations need a solution that works to ensure they are compliant with applicable regulatory mandates, while also allowing their business to run optimally. Data classification solutions combine visual and metadata labels to protect and control use. These labels enhance the performance of third-party technology solutions, such as DRM and DLP, among others, to determine how a piece of data should be treated, handled, stored, and if required, disposed of.
For example, a piece of data that contains a resident’s credit card information would be classified as “Financial PII/Confidential”. A DLP solution works with the metadata properties applied to the document to drive downstream protection, while an integrated DRM solution can use the metadata to then apply the appropriate encryption, ensuring the data is protected wherever it goes. This allows you to identify, categorize, and protect sensitive data, providing an all-encompassing security ecosystem that is adaptive and configurable to your organization’s policy requirements.
A flexible data classification solution helps organizations protect their sensitive data at any stage in their privacy journey, assisting adherence to regulatory compliance requirements. As the list of regulatory compliance legislations continues to grow, it is imperative that organizations protect their data by knowing what data they have and where it is located. In a world where non-compliance is costing organizations millions of dollars in fines, data classification should be at the top of your organization’s agenda.