California Consumer Privacy Act (CCPA)
Perhaps the closest US kin to GDPR is the California Consumer Privacy Act (CCPA). The law is designed to give consumers more control over the personal information that businesses collect about them, and outlines privacy rights that include:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
Most provisions, along with several amendments, came into effect this year, on January 1, 2023. A new entity, the California Privacy Protection Agency, has taken over enforcement of non-compliance and rulemaking; the agency is currently revising the CCPA regulations, with changes that will roll out over the coming years.
The Colorado Privacy Act (CPA)
Though signed into law in 2021, the CPA only came into effect on July 1, 2023, making it the third enacted state-level privacy law, behind California and Virginia. Compliance requires that businesses provide consumers with clear privacy notices and conduct data protection assessments for any personal data processing that presents a “heightened risk of harm” to consumers. The law also applies to an organization’s third-party vendors and contractors. If found to be non-compliant, organizations risk fines ranging from $2,000 to $20,000.
The Connecticut Data Privacy Act (CDPA)
The CDPA emulates the GDPR with requirements designed to protect individual rights, data minimization, and security. Enforcement of the law began on July 1, 2023. The law applies to persons who conduct business in Connecticut or who sell products and services to Connecticut residents. Non-compliance can cost up to $5,000 per violation and may carry other legal ramifications that could impact an organization’s ability to conduct business in the state.
The Utah Consumer Privacy Act (UCPA)
The UCPA was signed into law in 2022, making Utah the fourth state to introduce comprehensive consumer privacy regulations. Effective December 31, 2023, the law applies to controllers and organizations with an annual revenue of $25 million that conduct business in Utah or sell goods or services to Utah residents. Unlike many other data privacy laws, the UCPA does not require consent for processing sensitive data. Instead, controllers and organizations are required to notify consumers about data collection and give them the opportunity to opt out of sensitive data processing. Violations and non-compliance will cost organizations $7,500 per violation in civil penalties.
Regulators take data privacy seriously and recognize how vulnerable unclassified and orphaned personally identifiable information (PII) is, especially if it falls into malicious hands. While many regulations look and sound similar, they vary depending on the audience and purpose they serve. Some provide frameworks that help businesses stand up data privacy and protection policies and procedures, while other acts have audit cycles that come with noncompliance fines and legal measures.
Download the Guide to Data Discovery for Regulatory Compliance for a comprehensive overview of global, regional, and industry regulations.