The General Data Protection Regulation (GDPR) has become a globally recognized and emulated data privacy and security law. Its scope, scale, and non-compliance measures have inspired numerous regional and industry-based laws and regulations since its introduction in 2016.
GDPR effectively intertwines data protection and individual privacy through seven data protection principles that include lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. Its requirements apply to any business around the globe that handles EU-citizen data.
Many US organizations are already familiar with the law’s components—and penalties. Yet while GDPR familiarity is helpful when it comes to understanding and addressing US data protection and privacy laws, keeping pace with new or amended industry, federal, and state-level laws can be tricky. Read on for a look at several GDPR-influenced laws and where they stand this year.
State-Specific Data Protection Laws
Virginia Consumer Data Privacy Act (VCDPA)
Effective January 1, 2023, the VCDPA gives consumers the right to access their data and request that their personal information be deleted by businesses. It also requires that companies conduct data protection assessments related to processing personal data for targeted advertising and sales purposes. Non-compliance permits the Virginia Attorney General to seek damages of up to $7,500 per violation.
California Consumer Privacy Act (CCPA)
Perhaps the closest US kin to GDPR is the California Consumer Privacy Act (CCPA). The law is designed to give consumers more control over the personal information that businesses collect about them, and outlines privacy rights that include:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
Most of its provisions, along with several amendments, came into effect this year, on January 1, 2023. A new entity, the California Privacy Protection Agency, has taken over non-compliance enforcement and rulemaking; the agency is currently revising the CCPA regulations, with changes to roll out over the coming years.
The Colorado Privacy Act (CPA)
Though signed into law in 2021, the CPA only came into effect on July 1, 2023, making it the third enacted state-level privacy law, behind California and Virginia. Compliance requires that businesses provide consumers with clear privacy notices and conduct data protection assessments for any personal data processing that presents a “heightened risk of harm” to consumers. The law also applies to an organization’s third-party vendors and contractors. If found to be non-compliant, organizations risk fines ranging from $2,000 to $20,000.
The Connecticut Data Privacy Act (CDPA)
CDPA emulates GDPR with requirements designed to protect individual rights, data minimization, and security. Enforcement of the law began on July 1, 2023. The law applies to those who conduct business in Connecticut or who sell products and services to Connecticut residents. Non-compliance can cost up to $5,000 per violation, with potential further legal ramifications that could impact an organization’s ability to conduct business in the state.
The Utah Consumer Privacy Act (UCPA)
The UCPA was signed into law in 2022, making Utah the fourth state to introduce comprehensive consumer privacy regulations. Effective December 31, 2023, the law applies to controllers and organizations with an annual revenue of $25 million that conduct business in Utah or sell goods or services to Utah residents. Unlike many other data privacy laws, UCPA does not require consent for processing sensitive data. Rather, controllers and organizations are required to notify consumers about data collection and give them the opportunity to opt out of sensitive data processing. Violations and non-compliance will cost organizations $7,500 per violation in civil penalties.
Stay In Line with Data Protection Laws
Regulators take data privacy seriously and recognize how vulnerable unclassified and orphaned personally identifiable information (PII) is, especially if it falls into malicious hands. While many regulations look and sound similar, they vary depending on the audience and purpose they serve. Some provide frameworks that help businesses stand up data privacy and protection policies and procedures, while other acts have audit cycles that come with noncompliance fines and legal measures.
Download the Guide to Data Discovery for Regulatory Compliance for a comprehensive overview of global, regional, and industry regulations.