Data Privacy Laws 2023: What You Need To Know If You Do Business with the U.S.
Data Privacy Laws govern the use of personally identifiable information (PII). These laws provide frameworks around how data can be processed, stored, and shared, and ensure a person’s rights are respected. Different countries have different laws and the end goal is to help protect consumers and keep businesses in check.
In this article, we cover privacy regulations you should know about in the U.S. and Europe.
Here Are 9 Important U.S State Data Privacy Laws to Get You Started
The United States does not have one federal data privacy law like the E.U. There are multiple laws for different industries like financial services, human resources, and healthcare.
1. American Data Privacy Protection Act (ADPPA):
This bill is under consideration and has gone further in the federal legislative process than any other data privacy regulations in the U.S. It protects children’s right to privacy and grants individuals the right to sue businesses for noncompliance. It also gives consumers the right to stay out of data transfers to third parties.
2. Health Insurance Portability and Accountability Act (HIPPA):
It is a federal law that governs the security and privacy of personal health information in the U.S. It covers health plans and health data privacy regulations.
3. Gramm-Leach-Bliley Act (GLBA):
Companies that offer financial services or products like investment advice, insurance, or loans must explain the data-sharing practices to their customers in order to protect sensitive data.
4. Fair Credit Reporting Act (FCRA):
Consumer credit report regulation imposes obligations on companies that provide personal data to consumer reporting agencies.
5. Children’s Online Privacy Protection Act (COPPA)
COPPA restricts online services and websites from collecting information from children under 13 or targeting them through marketing.
6. California Consumer Privacy Act (CCPA)
The CCPA was enacted in 2018 and it provides more control on the details that businesses collect about individuals. It secures the privacy rights for consumers in California.
Since July 1, 2020, the California Attorney General (AG) enforces CCPA by issuing the penalties of $2500 for each violation and $7,500 for any intentional violation.
7. California Privacy Rights Act (CPRA)
California Privacy Rights Act is an expansion and amendment of the CCPA by adding new privacy rights and requirements for the applicable companies.
The CPRA represents a significant step forward in the protection of privacy rights for California residents, giving them the right to bring lawsuits in the case of data breaches and providing a strong enforcement mechanism through the California Privacy Protection Agency
8. Virginia Consumer Data Protection Act (CDPA)
The Virginia Consumer Data Protection Act applies to companies that conduct business or market to Virginia residents and control or process the personal information of Virginia residents.
It provides several personal data rights to citizens, such as the right to access, delete, and opt out of processing for targeted advertising.
The CPDA will be enforced by the Attorney General of Virginia and civil penalties can reach up to $7,500 per violation.
9. Colorado Privacy Act (CPA)
The Colorado Privacy Act, which goes into effect on July 1, 2023, will provide Colorado residents with new protections for their personal data.
The CPA applies to businesses that process or control the personal data of 100,000 or more consumers per year, or those that earn revenue from the sale of data and process or control the personal data of at least 25,000 Colorado residents.
The CPA grants residents the right to opt out of targeted advertising, the sale of their data, and certain types of profiling, and gives them the right to access, delete, and correct their personal data, as well as the right to data portability.
Penalties for violations can reach up to $20,000 per violation, with the maximum penalty for a series of related violations being $500,000
Here is a list of the new state data privacy statutes slated to come online in 2023:
The provisions of the California Privacy Rights Act (CPRA) are effective from 1st Jan 2023. CPRA amended the California Consumer Privacy Act (CCPA) which was already created individual rights that are modeled after the DGPR. CPRA was created a new state agency that is almost similar to the data protection agencies in the European countries that are charged with the enforcing GDPR
The Colorado Privacy Act (CPA) becomes effective on 1st July 2023 which creates the rights that are patterned after the individual rights under GDPR, CPA requires data security and contract provisions for vendors and assessments for high-risk processing.
The Connecticut Data Privacy Act (CDPA), like Colorado’s new privacy law, comes into effect on 1st July 2023. CDPA creates a novel suite of GDPR-like data minimization, assessments, and security for high-risk processing.
The Utah Consumer Privacy Act (UCPA) is effective on 31st Dec 2023. It provides the GDPR individual rights which require data security and contract provisions.
The Virginia Consumer Data Privacy Act (VCDPA) is effective from 1st Jan 2023 and provides GDPR-like individual rights. In 2022, the right to delete has been replaced with the right to opt-out of processing.
Looking for some help to manage all these different regulations? Allendevaux and Company specialize in data protection and compliance and would be happy to assist you.