---

Privacy is a fundamental human right that is increasingly valued by consumers and regulators alike. In the absence of a federal privacy law in the U.S., several states have enacted their own laws to protect the personal data of their residents. These laws vary in scope, coverage, rights and obligations, but they all share a common goal: to give consumers more control and transparency over how their data is collected, used and shared by businesses.

In this blog post, we will provide an overview of the new state privacy laws that will take effect in 2023, and how IT companies can demonstrate their commitment to securing their customers’ data and complying with these laws.

What are the new state privacy laws?

As of December 2022, five states have passed comprehensive privacy laws that apply to businesses that collect or process personal data of their residents: California, Virginia, Colorado, Utah and Connecticut.

These laws are:

• California Consumer Privacy Act (CCPA):

Effective since January 1, 2020, the CCPA grants California consumers the right to access, delete, opt out of the sale and know the categories and sources of their personal information collected by businesses. The CCPA also requires businesses to provide notice of their privacy practices, implement reasonable security measures and honor consumer requests. The CCPA was amended by the California Privacy Rights Act (CPRA), which will take effect on January 1, 2023. The CPRA will create a new enforcement agency, expand consumer rights and business obligations, and introduce new definitions and concepts such as “sensitive personal information” and “contractors”.

• Virginia Consumer Data Protection Act (VCDPA):

Effective from January 1, 2023, the VCDPA grants Virginia consumers the right to access, delete, correct, port and opt out of the processing of their personal data for purposes such as targeted advertising, profiling and sale. The VCDPA also requires businesses to provide notice of their privacy practices, conduct data protection assessments for certain processing activities, enter into contracts with processors and honor consumer requests. The VCDPA applies to businesses that conduct business in Virginia or produce products or services that are targeted to Virginia residents and that either control or process the personal data of at least 100,000 consumers or derive over 50% of gross revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.

• Colorado Privacy Act (CPA):

Effective from July 1, 2023, the CPA grants Colorado consumers the right to access, delete, correct, port and opt out of the processing of their personal data for purposes such as targeted advertising, profiling and sale. The CPA also requires businesses to provide notice of their privacy practices, conduct data protection assessments for certain processing activities, enter into contracts with processors and honor consumer requests. The CPA applies to businesses that conduct business in Colorado or produce products or services that are targeted to Colorado residents and that either control or process the personal data of at least 100,000 consumers or derive revenue or receive a discount on the price of goods or services from the sale of personal data and control or process the personal data of at least 25,000 consumers.

• Utah Consumer Privacy Act (UCPA):

Effective from December 31, 2023, the UCPA grants Utah consumers the right to access, delete, correct and port their personal data collected by businesses. The UCPA also requires businesses to provide notice of their privacy practices, implement reasonable security measures and honor consumer requests. The UCPA applies to businesses that conduct business in Utah or produce products or services that are targeted to Utah residents and that either control or process the personal data of at least 100,000 consumers or derive over 50% of gross revenue from the sale of personal data and control or process the personal data of at least 20,000 consumers.

• Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA):

Effective from July 1, 2023, the CTDPA grants Connecticut consumers the right to access, delete, correct, port and opt out of the processing of their personal data for purposes such as targeted advertising, profiling and sale. The CTDPA also requires businesses to provide notice of their privacy practices, conduct data protection assessments for certain processing activities, enter into contracts with processors and honor consumer requests. The CTDPA applies to businesses that conduct business in Connecticut or produce products or services that are targeted to Connecticut residents and that either control or process the personal data of at least 100,000 consumers or derive over 50% of gross revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.

How can IT companies show their commitment to securing their customers’ data and complying with these laws?

IT companies that collect or process personal data of consumers in these states should take the following steps to demonstrate their commitment to securing their customers’ data and complying with these laws:

• Conduct a data inventory and mapping exercise: IT companies should identify what personal data they collect, where they store it, how they use it, who they share it with, and how long they retain it. This will help them understand their data flows, classify their data according to its sensitivity and purpose, and document their processing activities.

• Update their privacy notices and policies: IT companies should review and update their privacy notices and policies to reflect their current data practices and the rights and obligations under the new state laws. They should also ensure that their notices and policies are clear, concise, transparent and accessible to consumers.

• Implement a consumer rights management system: IT companies should establish a system to receive, verify and respond to consumer requests to access, delete, correct, port or opt out of the processing of their personal data. They should also provide consumers with easy and secure ways to submit these requests, such as online forms, toll-free numbers or email addresses.

• Conduct data protection assessments: IT companies should conduct data protection assessments for processing activities that present a heightened risk of harm to consumers, such as profiling, selling personal data, processing sensitive personal data, and engaging in targeted advertising. These assessments should evaluate the necessity, purpose, benefits and risks of the processing, as well as the measures to mitigate the risks and protect the rights of consumers.

• Enter into contracts with processors and contractors: IT companies should enter into contracts with their processors and contractors that process personal data on their behalf. These contracts should specify the scope, purpose, duration and terms of the processing, as well as the obligations of the parties to comply with the applicable state laws and ensure the security and confidentiality of the personal data.

• Implement reasonable security measures: IT companies should implement reasonable security measures to protect the personal data they collect or process from unauthorized access, use, disclosure, modification or destruction. These measures may include encryption, pseudonymization, access control, logging, monitoring, backup and recovery.

• Train their employees and stakeholders: IT companies should train their employees and stakeholders on their privacy policies and practices, as well as the requirements and expectations under the new state laws. They should also foster a culture of privacy awareness and accountability within their organizations.

Conclusion

The new state privacy laws reflect the growing demand for more protection and control over personal data in the U.S. IT companies that collect or process personal data of consumers in these states should take proactive steps to secure their customers’ data and comply with these laws. By doing so, they can not only avoid potential penalties and litigation, but also enhance their reputation and trust among their customers and regulators.

---

Nexlogica has the expert resources to support all your technology initiatives.
We are always happy to hear from you.

Click here to connect with our experts!