The wave of privacy regulations continues to gain momentum, with five states enacting new laws this coming year. The 2023 privacy law changes will affect the data operations of thousands of organizations. And business owners should expect even more changes to come. Solid, adaptable data governance will help companies maintain compliance.
California 2023 Privacy Law Changes
The California Privacy Rights Act takes effect on January 1. It replaces California’s original privacy law, the CCPA, and grants additional rights to Californians. CCPA granted consumers the right to a privacy notice, the right to delete their data and the right to opt out of selling their data.
With the new law, Californians will also have the right to correct their information. They can also opt out of having their data shared for targeted advertising, and they can limit the use of their sensitive data. The law includes changes that apply to service providers and contractors. And it may require annual cybersecurity audits and regular risk assessments.
Companies need to comply with the California law if ANY of the following criteria apply:
- They process the data of over 100,000 California residents
- They derive 50 percent of their business revenue from the sale or sharing of California residents’ personal data
- They generate over $25 million in worldwide revenue
The Virginia Consumer Data Protection Act (CDPA) goes into effect on January 1. It allows individuals to access and correct their personal data. Consumers can also request that organizations delete their personal data. And companies that collect personal data for sale or targeted advertising must conduct periodic data protection assessments.
The Virginia law applies to organizations that:
- Control or process personal data for 100,000+ Virginia residents per calendar year, OR
- Control or process personal data for 25,000+ Virginia residents in a year and derive more than 50 percent of their gross revenue from the sale of personal data
The Colorado Privacy Act (CPA) takes effect on July 1, 2023. Like the Virginia law, it gives consumers the right to opt out of having their personal data sold or used for targeted advertising. It may also include a universal opt-out provision by the time it takes effect.
Organizations must comply with the Colorado law if they:
- Control or process personal data for 100,000+ Colorado residents in a calendar year, OR
- Sell, control or process personal data for 25,000+ Colorado residents
The Connecticut Data Privacy Act (CTDPA) also takes effect on July 1, 2023, and resembles the Virginia and California laws. Consumers can confirm whether a business is processing their personal data and request deletion of that data. They can also opt out of having their data sold or used for targeted advertising.
Businesses must provide a reasonably accessible and clear privacy notice indicating the categories of data they process or share, as well as how consumers can exercise their rights. They need to provide an effective mechanism for users to revoke their consent. And they need to implement reasonable data security practices.
The CTDPA applies to organizations that:
- Control or process personal data for 100,000+ Connecticut residents in a calendar year, OR
- Control or process personal data for 25,000+ Connecticut residents in a year and derive more than 25 percent of their gross revenue from the sale of personal data
Utah’s Consumer Privacy Act (UCPA) takes effect on December 31, 2023, and includes more business-friendly provisions. Consumers will not have the option to limit the use or disclosure of their personal data. However, businesses must give clear notice before processing personal data and give consumers the opportunity to opt out.
The UCPA applies to organizations that meet BOTH of the following requirements:
- Have an annual revenue of $25 million, AND
- Either process personal data for 100,000+ Utah residents or derive more than 50 percent of their revenue from the sale and processing of personal data of 25,000 Utah residents
Tips to Prepare for 2023 Privacy Law Changes
According to Gartner, privacy regulations will cover the personal data of 75 percent of the world’s population by the end of 2024. Thus, a proactive approach to data governance will prove critical.
To begin with, organizations need to assess their data environment. This involves conducting a data inventory to determine what data is being collected, where it lives, who manages it and what happens to it.
Next, the privacy laws all require some type of opt-in or opt-out process. Organizations will need to provide for those. And, particularly in the case of the California law, they will need to coordinate with their supply chain. They also need to establish practices for compliance monitoring and regular risk assessments.
The compliance experts at Messaging Architects can help, beginning with a comprehensive data audit. They will help you identify potential risks and put together a data governance strategy targeted to your business needs.