2022 brought a flurry of legislative activity regarding state data privacy with very little effective action being taken. Looking toward the new year – 2023 is kicking off with five laws set to go in to effect in California, Colorado, Connecticut, Utah, and Virginia.
As there is currently no federal privacy law from which to draw inspiration, the Washington Privacy Act of 2021 is being hailed as the preferred model for state privacy legislation. Following in the footsteps of these five states, an established model law would significantly streamline privacy legislation in other states by providing much needed continuity and mitigating the threat of interstate compliancy nightmares.
There are minor, but notable, differences between these new laws as outlined in the chart below:
Does your organization need to comply?
California Privacy Rights Act (CPRA)
- Have a gross annual revenue of over $25 million
- Buy, receive, or sell the personal data of 100,000 or more California residents or households
- Derive 50% or more of their annual revenue from selling or sharing California consumers’ personal information
Virginia Consumer Data Protection Act (VCDPA)
- Control or process personal data of at least 100,000 Virginia residents
- Derive 50% gross revenue from the sale of personal data and control or process personal data of 25,000 or
more Virginia residents
Colorado Privacy Act (CPA)
- Control or process personal data of 100,000 Colorado residents or more during a calendar year
- Derive revenue or receive a discount on the price of goods or services from the sale of personal data, and process or control the personal data of 25,000 or more Colorado residents.
Utah Consumer Privacy Act (UCPA)
- Controls or processes personal data of 100,000 or more Utah residents during a calendar year
- Derives over 50% of the gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more Utah residents
Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTPDA)
- Controls or processes personal data of 100,000 or more Connecticut residents during a calendar year
- Derives over 25% of gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more Connecticut residents
How to Prepare
Ideally at this point in the year, preparation for these new changes should simply boil down to “review and update”. Depending on your current infrastructure, executing the necessary processes required to align with these new state privacy laws may include anything from implementation of a full compliance program to amendments or improvements to existing policies and procedures.
Time is of the essence as we approach the end of 2022, and it is imperative to begin the process of preparation as soon as possible. Not only will this ensure compliance – but will act as a catalyst for establishing core values and best practices by incorporating the principles of data privacy, security, and information governance into every facet of your organizational culture.
Remaining Compliant in the New Year
The details from law to law may vary, but the overall foundation of compliance remains the same: establish a data inventory of personal information you collect, show how you use it, explain why you collect it, and be transparent about who you share it with.
Not sure where to start? Seek out a trusted third party that specializes in managing compliance for companies that are subject to a data privacy regulation. Schedule a consultation with Elevate today to find out how we can get your organization fully prepared and compliant with both the upcoming changes, and currently effective state privacy laws.
