It doesn’t matter where you operate–these state consumer data privacy regulations apply to your business if your customers reside in any one of the states discussed in this article.
To protect consumer privacy, California, among other U.S. states and the European Union, has introduced legislation that defines how companies can gather, use, store, and manage customer data. It doesn’t matter where you operate–these regulations apply to your business if your customers reside in any one of the states discussed below. If you fail to comply with these privacy laws, you may face expensive financial penalties and possible damage to your brand reputation. But there are solutions that simplify compliance.
In this article, we provide information that can help business owners successfully navigate this complex topic:
Data privacy legislation defines the rights that consumers, also known as data subjects, have to review, access, delete, manage, and update their data. Five states have passed consumer data privacy legislation, and another six, Massachusetts, Michigan, New Jersey, North Carolina, Ohio, and Pennsylvania, are actively considering legislation. Current state legislation includes the:
The California Privacy Rights Act (CPRA), taking effect in January 2023, expands the California Consumer Privacy Act (CCPA) of 2020. Under CPRA, consumers, as well as employees and business contacts, have the right to:
The CPRA applies to firms that:
Companies that do business in Colorado have until July 1, 2023 to comply with the Colorado Privacy Act (CPA). The CPA imposes obligations on companies to protect the privacy of consumers’ personal data, defined as information that is linked or reasonably linkable to an identified or identifiable individual. Similar to the CPRA, the CPA grants consumers five key privacy rights, including the right to:
The CPA applies to any legal entity that conducts business in Colorado or produces or delivers “commercial products or services that are intentionally targeted to the residents of Colorado,” and that satisfies one or both of the following thresholds:
Unlike the CPRA, the Colorado statute does not impose a revenue threshold, so the CPA may apply to smaller, regional businesses.
The Connecticut Data Privacy Act employs the same general framework as privacy laws in Virginia and Colorado. Similar to the CPA, the Connecticut Data Privacy Act (CDPA) takes effect on July 1, 2023. The law explicitly excludes individuals “acting in a commercial or employment context” from protection.
The law defines a “consumer” as a Connecticut resident, providing them with rights similar to those enumerated in the CPRA and CPA, including the right to:
The CDPA applies to entities that conduct business in Connecticut or provide products or services to Connecticut residents and that during the preceding calendar year, either:
Passed on March 2, 2021, the Virginia Consumer Data Protection Act (VCDPA) applies to entities that conduct business in Virginia or provide products or services that target Virginia residents and that either:
The law defines a consumer as "a natural person who is a resident of the Commonwealth acting only in an individual or household context." It explicitly omits persons who are "acting in a commercial or employment context." The VCDPA provides consumers with six rights, including the right to:
The law mandates that a business that receives an authenticated request must comply, irrespective of the hardships or impracticable nature of the request language.
Taking effect on December 31, 2023, the Utah Consumer Privacy Act (UCPA) provides consumers with broad protection and rights concerning the collection, use, processing, sharing, and sale of their personal information. Businesses that fail to comply with the UCPA may be subject to significant fines and penalties.
The UCPA applies to controllers or processors that
The UCPA grants consumers the right to:
To comply with state data privacy laws like CPRA, businesses will have to manage and track consumers’ requests to opt-out, review, access, delete, and obtain their data.
Companies that share personal data for contextual advertising will likely see a doubling of the number of data subject requests (DSR) because of CPRA and other state laws. These requests will increase the cost of ensuring consumer privacy for organizations. Consumer opt-outs, also known as “do not sell” (DNS) requests, nearly doubled between 2020 and 2021. In 2021, 63 percent of all data requests received were DNS.
Companies that share personal data for advertising purposes will likely experience an increase in the number of privacy requests they receive. Gartner estimates that processing a single request costs $1,500. Some estimates project that DNSs could cost a company over $200,000 per year. The cost of processing DSRs jumped from $192,000 per one million identities to roughly $400,000 per one million identities between 2020 and 2021. Businesses–especially those that rely on targeted ads–will need to determine how the law applies to them, and they’ll need even tighter control and insight into their data processes.
In a business world heavily influenced by social media, reputation and brand are everything. Beyond potentially damaging their brand reputation, businesses that fail to comply with state privacy laws risk incurring financial penalties.
In California, a business may face the following penalties if it fails to protect consumers’ rights to data privacy:
Under the Connecticut Unfair Trade Practices Act, a violation of the law is considered an unfair trade practice with civil penalties up to $5,000 per willful violation. The attorney general may also seek to impose equitable remedies pursuant to the CUTPA, including restitution, disgorgement, and injunctive relief.
In Virginia, the attorney general’s office can fine businesses up to $7,500 per violation.
In Utah, the Office of the Attorney General can recover actual damages to the consumer in an amount not to exceed $7,500 per violation.
To cost-effectively ensure they are complying with privacy regulations, business owners and leaders need a system for tracking consumer requests to opt-out, review, access, delete, and obtain their data. Without an accurate system for tracking the status of each request, business owners risk costly penalties and damage to their reputations.
To strengthen and enhance customer loyalty, PrivacyCare offers a system that features:
For help with your data privacy compliance challenges, get started for free with PrivacyCare.
After failing to comply with the California Consumer Privacy Act (CCPA), Sephora, Inc., a beauty product retailer, settled with the office of the California Attorney General for $1.2 million.
September 27, 2022
The American Data Privacy and Protection Act (ADPPA) has been sent to the House of Representatives for consideration and would fundamentally change data privacy in the U.S. By partly replacing the current patchwork of state laws, companies would gain a clearer path to compliance.
September 27, 2022
Avoid costly fines, protect your customers personal data and protect your brand value by building customer trust. Jumpstart your consumer data privacy program and get started for free today.Get Started
No credit-card required