Data Privacy Laws: What You Need to Know
To avoid investigations, fines, and the legal implications of data security incidents, it’s critical for organizations to make data protection a top priority. Data protection laws have been around in some form for decades now, and they have entered a new era. With an abundance of personally identifiable information (PII) being constantly shared, regulators are addressing the ethical implications of PII storage and use. The rights of individuals to dictate how their data is being used are of particular concern.
The first major data privacy law in more than 20 years, the General Data Protection Regulation (GDPR), changed the landscape by providing broad-scale protections for consumer data. Since then, new data protection laws have been established or proposed at the state, federal, and international levels. The number of laws will only continue to grow, and existing regulations will evolve quickly.
One of the biggest challenges in remaining compliant with any data privacy law is ensuring your organization has a full understanding of your data. Knowing the business purpose for collecting each data element and having a complete understanding of where your data is stored, where it comes from, and where it goes are all critical components of an implementation plan. Data mapping and advanced planning should be a focus for all organizations that are impacted by data privacy regulations.
At Kenway, we’ve worked with many companies to help them implement changes to their business processes and to their data management framework to ensure they have the infrastructure needed to support regulatory compliance. We thought it would be helpful to provide a running list of the most prominent and recent data privacy laws to help you stay informed. We’ll be updating this page regularly, so be sure to check back for updates as new regulations are passed and current laws are amended!
General Data Protection Regulation (GDPR)
As the first major data privacy regulation in the European Union (EU) since the 1990s, the General Data Protection Regulation (GDPR) serves as a model for other data privacy laws around the world and in the U.S. GDPR covers the data of all residents of the EU’s member states, regardless of where the entity collecting the data is located.
Some of GDPR’s most notable requirements include:
- Fines can reach up to €20 million or 4% of global revenue (whichever is higher) and individuals have the right to seek compensation for damages.
- Data controllers must demonstrate compliance by taking actions such as designating GDPR responsibilities to employees, maintaining documentation of data collection practices, or appointing a Data Protection Officer.
- Organizations must demonstrate “appropriate technical and organizational measures” to manage data security.
- Organizations can only collect or process personal information when they can justify the business needs as defined under the terms set forth by the law.
- Individuals must give consent for their data to be processed.
- Individuals are protected by eight privacy rights, such as the right of access and the right of erasure.
The Federal Trade Commission Act (FTC Act)
While the U.S. currently has no comprehensive federal data protection law, the Federal Trade Commission (FTC) does hold broad authority to enforce consumer protections. As it relates to data privacy, the FTC Act gives the agency the right to prevent deceptive practices, seek monetary redress and relief for conduct that harms consumers, and conduct investigations of entities engaged in commerce.
Here are some of the instances in which the FTC may use this authority to investigate and take action against organizations:
- Violations of consumers’ privacy rights
- Misleading consumers by failing to maintain security for sensitive information
California Consumer Privacy Act (CCPA)
When it passed in 2018, the California Consumer Privacy Act (CCPA) was the first significant statewide data privacy law in the U.S. It provides consumers who are California residents with greater protections and rights with respect to their personal data. The CCPA applies to businesses that collect consumers’ personal data, do business in the state of California, and either meet certain revenue thresholds or sell personal information.
Some notable provisions are outlined below:
- Businesses that violate the CCPA may be liable for a penalty of up to $2,500 for each unintentional violation and $7,500 for each intentional violation.
- Consumers whose data “is subject to an unauthorized access and exfiltration, theft, or disclosure” as a result of a business’ violation of CCPA can recover damages of $100-$750 or the amount of actual damages, whichever is greater.
- Consumers may request that a business delete their personal information and/or provide details on the personal data they store.
California Privacy Rights Act (CPRA)
The California Privacy Rights Act (CPRA) expands the scope of the CCPA. One of its most notable provisions is the creation of an enforcement agency, the California Privacy Protection Agency, to take action against organizations that violate the CCPA. It also expands the definition of protected data to include employee and vendor information.
As of January 1, 2023, the CPRA also requires that:
- Any personal information on any California resident is subject to the law, not just the information of consumers.
- Any California resident can request to change incorrect information, in addition to removing it.
- Companies may only retain personal information for the amount of time necessary and proportionate to the reason it was collected in the first place.
- Companies that use third-party vendors must require those vendors to exercise the same level of data protection over the shared data as the first party.
- Companies must regularly perform privacy assessments.
For more guidance on the tools available to implement CPRA, read this guide.
Québec Privacy Law – Bill 64
The first set of requirements under Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, went into effect on September 22, 2022. The bill makes significant amendments to existing privacy rules covered by various existing laws, most notably the Private Sector Act and the Public Sector Act. It’s expected to have a drastic impact on privacy practices within Québec and may provide a clue to how federal legislation will take shape in Canada. Here are some of the most notable provisions by effective date.
Effective September 22, 2022
- Private entities can be fined up to $25,000,000, or an amount equaling 4% of worldwide turnover for the preceding fiscal year, whichever is greater, for failing to meet compliance requirements.
- Individuals can be fined up to $100,000 for noncompliance.
- Both public and private sector entities must report data breaches, notify those who were affected, and keep a register of confidentiality incidents.
- Organizations must designate an individual responsible for compliance with privacy legislation.
Effective September 22, 2023
- Regulators have up to five years after the date of infraction to take action against offenders.
- Under certain circumstances, individuals may request that entities delete some of their personal information or de-index any hyperlink attached to their name.
- Upon the collection of personal information, businesses must inform the individual of the purposes of the collection, the means by which the information is collected, the names of third parties that information will be shared with, and the person’s right of access, rectification, and withdrawal of consent.
Virginia Consumer Data Protection Act (VCDPA)
Effective as of January 1, 2023, the Virginia Consumer Data Protection Act (VCDPA) is the second statewide data privacy law in the U.S. Though it’s built on the same framework as the CCPA, it’s less expansive in scope.
- Residents are protected in an individual household context (such as home internet browsing), but not in a commercial or employment context (such as a job application).
- Businesses have a right to data that they believe was lawfully made available to the public, such as information posted on social media.
- The sale of personal data is defined solely as an exchange for monetary compensation. Businesses can still transfer personal data to an affiliated or controlled company, have a third party process personal data on their behalf, and disclose personal data if a consumer requests a product or service.
- Businesses can also retain the data of consumers who opt out for the purposes of measuring the effectiveness and reach of marketing efforts.
Colorado Privacy Act (CPA)
The Colorado Privacy Act (CPA) provides many of the same rights and requirements as the CCPA and the VCDPA; however, its approach is different. Covered entities are defined as controllers and processors instead of businesses and service providers. Controllers make the primary decisions to manage, collect, and utilize data. Processors maintain and process consumer personal data on behalf of a controller.
Here are some other ways the CPA differs from other state laws:
- District attorneys can enforce the law, in addition to the state’s attorney general.
- Businesses that process the personal data of 25,000 consumers and receive any revenue or discount from the sale of data are covered, even if the company derives less than 50% of its gross annual revenue from selling data.
- The law doesn’t contain a specific provision for fines. Since a violation is considered a deceptive trade practice, penalties are governed by the Colorado Consumer Protection Act. Under that law, noncompliance can potentially lead to a $20,000 fine per violation.
American Data Privacy Protection Act (ADPPA)
The American Data Privacy Protection Act isn’t the law of the land yet, but it’s the first comprehensive federal data protection law in the U.S. to gain significant bipartisan support. The sweeping legislation covers for-profit and nonprofit entities, with different obligations and exemptions for some organizations. Even if it doesn’t pass as currently written, it does give you a good idea of what federal legislators are focused on. The bill not only addresses data privacy protections, but it also addresses the potentially discriminatory impacts of algorithms.
Notable provisions of the proposed data privacy regulation are:
- Information that “identifies or is linked or reasonably linkable” to an individual or a device identifying an individual is protected.
- Employee data and publicly available information are excluded.
- Covered entities must adopt practices that ensure data security and prevent discrimination and harm by the use of data and algorithms.
- The FTC, state attorneys general, and state privacy authorities are granted authority to enforce the law.
- Individuals can sue for violations.
Compliance Isn’t Easy. We Can Help.
Because we’re in a new era for data privacy and protection, there’s a lot to learn about the nuances of each regulation and what it means for your business. Even when you understand the requirements of data protection laws, operationalizing compliance is a completely different challenge.
At Kenway, we help organizations get a clear view of their data ecosystem so they can properly identify and protect sensitive data, maintain practices needed for compliance, and report to regulators with confidence. We help you develop a strategic plan for compliance that incorporates data governance, data management, and business processes designed to empower your teams to handle information properly and avoid risks.
Contact our experts to make compliance less complicated.
Data Privacy Laws: FAQs
How long after a data privacy law is enacted does my company have to become compliant?
The amount of time you have to become compliant depends on the effective date defined by the data privacy law. For example, the Colorado Privacy Act (CPA) was signed into law on July 7, 2021 with a July 1, 2023 effective date. Therefore, organizations covered under the law were given roughly two years to put compliance measures in place.
What teams in my organization need to be involved with ensuring compliance with new data privacy law(s)?
The team involved in ensuring compliance should come from several departments throughout the company:
- Legal – Interpret the law and confirm that implemented solutions meet its requirements.
- Data – Define the data lineage (the flow of the data) and the data map (a visualization of how data flows).
- Technology – Build the processes and procedures needed to be able to respond to requests.
- Project Managers – Help drive the project to become compliant. These projects span all technical assets of an organization and involve multiple departments with cross-team dependencies that have to be managed. Having someone keeping things organized and keeping the project on track is critical with a project of this scale.
How do I know if a data privacy law impacts my company’s practices? How can I ensure my company remains compliant, despite all the changes to these laws and new privacy regulations being implemented?
Assign someone in your legal organization with the task of keeping up with the data privacy regulations. Alternatively, you can engage an external legal advisor who understands your business and the data privacy landscape.
How much should my company budget to meet new compliance regulations?
The budget needed to meet data compliance regulations depends on the number of technical assets a company has in its ecosystem and the maturity of the organization’s data management structure. If you have a complete understanding of data lineage, implementation can take as little as six months. A large organization that is lower on the maturity curve should plan for an 18-month implementation.
What are the 7 principles of GDPR?
GDPR was developed with the following seven principles, set out in Article 5 of the regulation:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
What acts are covered by the Data Privacy Act?
Because there is no single overarching federal legislation in the U.S. dedicated to data privacy, the proposed American Data Privacy Protection Act (ADPPA) may overlap with or override some current regulations. Depending on the language in the final passage of the bill, it may override existing privacy laws like the CCPA. It also may overlap with portions of the Children’s Online Privacy Protection Act (COPPA) and the Kids Online Safety Act (KOSA).
What are the key CPRA requirements for January 2023?
Some of the most notable aspects of the CPRA that go into effect in January 2023 include:
- Any business that shares personal information must comply.
- All California residents are now covered under the law, not just customers.
- People can request that their personal information is changed, not just removed.