What’s the Latest Privacy Legislation Update in the U.S.?
Data privacy rules and regulations are constantly evolving. Some governments are enacting new legislation; others are revising their laws to be stricter. Let’s take a look at what is happening in the U.S. in 2021.
We’re all getting pretty familiar with the California Consumer Privacy Act (CCPA), the “granddaddy” of all U.S. privacy laws. If you haven’t dealt with it yet, we have a lot of info on it in this, the Insights section of our website. Just type “CCPA” in the search box. Here are just a few blogs to get you started:
- Is Your Data Ready? CCPA Wants to Know
- CCPA Jump Start
- Overwhelmed? Here’s a Quick CCPA Compliance Checklist
However, California isn’t done just yet. In November 2020 voters passed the California Privacy Rights Act (CPRA), which goes into effect in 2023. According to the Californians for Consumer Privacy (CCP), the sponsor of Proposition 24 (that became the CPRA):
The CPRA is the strongest consumer privacy law ever enacted in the United States, and achieves broad general parity with the most comprehensive laws in other jurisdictions including Europe (GDPR), Japan, Israel, New Zealand, Canada, etc. CPRA builds on existing California law passed in 2018 (the California Consumer Privacy Act or CCPA) … (CPRA)/Prop 24 safeguards our kids’ online privacy, reduces the threat of identity theft and gives us the important privacy rights that we need to take back control over our personal data.
The law itself outlines businesses’ responsibilities regarding customer data and lists a series of consumers’ rights around their data. The CCP website provides a great deal of useful information on the law.
Virginia passed HB 2307, the Virginia Consumer Data Protection Act (VCDPA), which will go into effect January 1, 2023. According to the legislators:
The bill applies to all persons that conduct business in the Commonwealth and either (i) control or process personal data of at least 100,000 consumers or (ii) derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers. The bill outlines responsibilities and privacy protection standards for data controllers and processors… The bill grants consumer rights to access, correct, delete, and obtain a copy of personal data and to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling of the consumer.
A major difference between the VCDPA and the CCPA is that Virginians will not be able to sue a company if they feel the company has violated their rights. VCDPA enforcement will be handled exclusively by the state attorney general’s office.
Because of Virginia’s connection to Washington D.C., many feel VCDPA could be the springboard for a federal privacy law.
As far as other state legislation goes, Washington state’s Washington Privacy Act 2021 (SB 5062) is furthest along. It passed the state Senate in a 48-1 vote and is currently in House committee. A brief summary of the bill says it:
- Provides Washington residents with the consumer personal data rights of access, correction, deletion, data portability, and opt out of the processing of personal data for specified purposes.
- Specifies the thresholds a legal entity must satisfy for the requirements set forth in this act to apply.
- Identifies controller responsibilities such as transparency, purpose specification, and data minimization. Requires controllers to conduct data protection assessments under certain conditions.
- Authorizes sole attorney general enforcement under the Consumer Protection Act.
- Regulates the processing of data collected for certain contact tracing purposes.
“Ultimately, the goal of this historic legislation is to make it as easy to get your data out of the black hole of the Internet as it is to get in,” said Sen. Reuven Carlyle (D-Seattle), the SB 5062 sponsor. “The Washington Privacy Act takes the best practices from leading evidence-based policies worldwide and creates explicit new rights.”
In many other states, bills have been introduced or are in committee in either the state senate or house. For easy comparison, visit the International Association of Privacy Professionals (IAPP), a not-for-profit association with a mission to define, promote and improve the privacy profession.
A holistic view
As more states edge toward data privacy laws, and with a federal law a possibility, many of our clients are looking for a big-picture approach that addresses privacy compliance as a whole, instead of addressing each state’s law as it comes out. For example, check out The American Bureau of Shipping Navigates Data Privacy.