How to be Compliant With New State Data Privacy Laws in 2023
In July 2022, the American Data Privacy and Protection Act (ADPPA) was voted out of committee to advance to the full United States House of Representatives for approval. It is the closest the U.S. has come to a federal consumer data privacy law.
But, it hasn’t passed yet.
In the meantime, state legislatures are implementing their own separate consumer data privacy laws.
So far in the U.S., the California Privacy Rights Act (CPRA) is the strictest and most comprehensive legislation governing the collection of personal information online. However, Colorado, Virginia, Connecticut, and Utah have signed their own privacy laws, all of which take effect during 2023.
To boot, 17 more states are hot on their heels with proposed legislation in progress, as you can see in the map below from the International Association of Privacy Professionals (IAPP).
And…all of them are different.
From IAPP resources
Federal laws, state laws, and regional laws
And as if keeping track of over 130 international privacy regulations, such as Europe’s General Data Protection Regulation (GDPR) and China’s Personal Information Protection Law (PIPL), weren’t confusing enough already, organizations now also have to account for compliance with individual U.S. state privacy laws.
Adding fuel to the fire, California’s CPRA, which amended and expanded the California Consumer Privacy Act (CCPA) as of Jan. 1, 2023, is already in the process of being reassessed, with amended regulations in the works.
Does your head hurt yet?
You might think an umbrella approach, complying with the strictest regulations such as the CPRA and GDPR, would cover compliance with every other state law. Sorry, no.
The Colorado Privacy Act (CPA), Virginia Consumer Data Protection Act (VCDPA), Connecticut Data Privacy Act (CTDPA), and Utah Consumer Privacy Act (UCPA) vary just enough, on things like the age below which opt-in consent is required and the thresholds that determine which businesses are exempt, that a single compliance program won’t necessarily satisfy every one of them.
18 states within the US have comprehensive consumer data privacy laws:
- California – California Privacy Rights Act (CPRA), which amends and expands the California Consumer Privacy Act (CCPA); CCPA effective 1/1/2020, CPRA effective 1/1/2023
- Colorado – Colorado Privacy Act (CPA); effective 7/1/2023
- Connecticut – Connecticut Data Privacy Act (CTDPA); effective 7/1/2023
- Delaware – Delaware Personal Data Privacy Act; effective 1/1/2025
- Florida – Florida Digital Bill of Rights; effective 7/1/2024
- Indiana – Indiana Consumer Data Protection Act; effective 1/1/2026
- Iowa – Iowa Consumer Data Protection Act (ICDPA); effective 1/1/2025
- Kentucky – Kentucky Consumer Data Protection Act (KCDPA); effective 1/1/2026
- Maryland – Maryland Online Data Privacy Act (MODPA); effective 10/1/2025
- Montana – Montana’s Consumer Data Privacy Act; effective 10/1/2024
- New Hampshire – New Hampshire Privacy Act (NHPA); effective 1/1/2025
- Nebraska – Nebraska Data Privacy Act (NDPA); effective 1/1/2025
- New Jersey – New Jersey Data Privacy Act (NJDPA); effective 1/15/2025
- Oregon – Oregon Consumer Privacy Act (OCPA); effective 7/1/2024
- Tennessee – Tennessee Information Protection Act; effective 7/1/2025
- Texas – Texas Data Privacy and Security Act (TDPSA); effective 7/1/2024
- Utah – Utah Consumer Privacy Act (UCPA); effective 12/31/2023
- Virginia – Virginia Consumer Data Protection Act (VCDPA); effective 1/1/2023
Other states have narrower, sector-specific consumer privacy legislation, and still others introduced comprehensive consumer privacy bills in 2023. As the list above shows, data privacy laws vary by state, with more laws on the way, which makes collecting and processing personal data, health data, biometric data, sensitive data and more that much more confusing from a business standpoint, especially considering that most businesses now operate (at least partially) online.
Breaking down the data privacy laws
So, let’s break down some key similarities and differences state-to-state and what you can do to keep your business compliant and free of hefty fines, lawsuits, and loss of brand integrity.
Similarities
- Formal, regularly repeated privacy risk assessments (often called data protection assessments) that evaluate privacy procedures as well as cybersecurity risks and vulnerabilities; most of the state laws require them for higher-risk processing such as selling personal data, targeted advertising, or handling sensitive data.
- Transparent privacy and security practices that let consumers see plainly how organizations are handling their information.
- Consumers’ right to access and delete their information held by organizations is mandated in every state’s legislation except Vermont (whose law regulates data brokers rather than granting consumers rights over their data).
- Consumers’ right to correct inaccurate personal information held by a business is not mandated in every state.
Differences
- Consumers’ right to opt out of the sale of personal information, targeted advertising, and certain profiling is not mandated in every state, and the scope of the opt-out differs where it is.
- Only some states provide a private right of action, whereby individuals may bring lawsuits against companies for mishandling their data; the others leave enforcement to the state attorney general or a privacy agency.
- Opt-in age requirements ― adults typically have the right to opt out of the sale of their personal information, but for children under 13 to 16 (depending on the state) the sale requires affirmative opt-in consent; selling a minor’s data without that consent is illegal.
- Which organizations are exempt and which must comply varies by the type of entity a business is, its annual revenue, the number of consumers whose data it processes, and in some states the share of revenue it earns from selling personal data.
What steps should you take in terms of cybersecurity?
1. Conduct a comprehensive professional privacy risk assessment
One thing that is nearly constant across the state laws is a requirement for periodic, comprehensive risk assessments. If you haven’t had a thorough assessment of your data handling practices and security posture, do that sooner rather than later.
2. Create and enforce robust privacy and security programs
By creating and enforcing robust privacy and security programs, you protect consumers’ personal data and reduce your own legal and financial exposure. It also demonstrates integrity and transparency in how you handle consumers’ data.
3. Don’t go at it alone
Keeping up with all the moving pieces of every state, country, and region’s comprehensive data privacy legislation is not something to entrust to a person or team unqualified to handle the scrutiny these new and growing laws bring. Bring in a team of security and privacy experts to ensure your compliance across the map.
Cyber Defense Group
If you’re looking for more guidance on how to move your cybersecurity program forward, Cyber Defense Group can help. We are shifting the cybersecurity consulting paradigm to address the needs of mid-market, cloud-native or cloud-reliant companies that are experiencing rapid growth.
Founded in 2016 by global security expert Lou Rabon, our nimble team draws on decades of experience and diverse technical expertise to deliver a full spectrum of information security advisory and implementation services on a fixed-cost basis. Our right-sized, results-driven approach will help you meet your immediate needs, but also ready you to navigate what’s ahead. Get in touch, and see what results are possible for your organization.