Several states will start enforcing their data privacy laws in 2023. Find out which states and why your business needs to know about those laws.
Following California’s lead, Virginia and Colorado have passed state laws designed to protect the data privacy of their citizens. Virginia’s Consumer Data Protection Act will go into effect on January 1, 2023, whereas the Colorado Privacy Act will take effect on July 1, 2023.
While Virginia and Colorado were working on their data privacy laws, California was busy expanding its own. Just 11 months after the landmark California Consumer Privacy Act had gone into effect on January 1, 2020, the citizens of California approved Proposition 24 and the California Privacy Rights Act was born. Most of its provisions go into effect on January 1, 2023.
Different Laws, Different Requirements
Based on their names, the four data privacy acts might seem very similar, but important differences exist. For example, the criteria used to determine which businesses must comply with the laws varies. Table 1 shows the applicability criteria.
Table 1. Applicability Criteria Used for the Four Data Privacy Laws
| Law | Applies To … | … If They Meet One or More of These Criteria |
| Virginia’s Consumer Data Protection Act | Legal entities that conduct business in Virginia or produce products or services that target Virginia residents | A. Control or process the personal data of at least 100,000 residents in a calendar year
— OR — B. Control or process the personal data of at least 25,000 residents AND derive more than 50% of their gross revenue from the sale of personal data |
| Colorado Privacy Act | Legal entities that conduct business in Colorado, produce products or services that target Colorado residents, or deliver products or services that target Colorado residents | A. Control or process the data of at least 100,000 residents in a calendar year
— OR — B. Process or control the data of at least 25,000 residents AND derive revenue or receive a discount on the price of goods or services from the sale of personal data |
| California Consumer Privacy Act | For-profit entities that conduct business in California and that collect or process consumers’ personal information independently or jointly with others
|
A. Have an annual gross revenue in excess of $25 million
— OR — B. Annually buy, sell, or share personal information of 50,000 or more consumers or households — OR — C. Derive 50% or more annual revenues from selling personal information |
| California Privacy Rights Act | For-profit entities that conduct business in California and that collect or process consumers’ personal information alone or jointly with others
|
A. Have an annual gross revenue in excess of $25 million
— OR — B. Annually buy, sell, or share personal information of 100,000 or more consumers or households — OR — C. Derive 50% or more annual revenues from selling or sharing personal information |
Exemptions further refine which businesses must comply with the laws. These exemptions also vary among the data privacy acts. Sometimes, entire organizations are excluded. For instance, institutions that must adhere to the nation’s Health Insurance Portability and Accountability Act (HIPAA) might not be required to comply with a state’s data privacy act. Other times, only certain types of data are exempt. For example, organizations might not need to make sure that their HIPAA-covered data adheres to a state’s data privacy law, but all of their other data must comply to it.
There are other dissimilarities among the four data privacy acts as well. What is considered sensitive data, how long records need to be kept, and who enforces the laws are some of the areas where the laws differ.
More Laws Likely to Come So Be Ready
California, Virginia, and Colorado are not the only states interested in protecting their citizens’ data privacy rights. To date, the Massachusetts, Minnesota, New York, North Carolina, Ohio, and Pennsylvania legislatures are working on data privacy laws, according to IAPP’s US State Privacy Legislation Tracker.
It is important for businesses to keep track of data privacy acts in more than just their own state. As the California, Colorado, and Virginia laws demonstrate, companies do not have to be located within the state in which the law was passed to fall under its jurisdiction.
Knowing about applicable data privacy laws and their requirements is the first step toward complying with them — a practice that is often referred to as cybersecurity compliance. Complying with cybersecurity laws, regulations, and standards is good business sense. Besides reducing the risk of incurring a data breach or another type of cyberattack, it strengthens a company’s reputation of being able to protect its customers’ data and their privacy.
Contact Xantrion, we can help your business implement the systems and controls needed to adhere to one or more cybersecurity-related laws, regulations, or standards.