top of page

A New Era of Data Privacy: What to Expect and How to Prepare.

Updated: May 23, 2023


A new era of data privacy

Data privacy laws are changing rapidly with each passing day. Countries have their own paradigm when it comes to regulating data privacy.


In the United States, the United Kingdom, and most of the European Union, the concentration is on imposing procedural obligations on data processors.

  1. The US focuses on the notice and consent of the individual.

  2. In the EU (European Union), the focus is on the right to be forgotten and on limiting the use of personal information.

In recent times, we have seen a renewed focus on privacy and data protection. As the world of technology and data is growing rapidly, so are we.


The term "data privacy" can be broken down into two parts.


One, the concept of protecting the information of individuals or groups of people.

The second refers to laws or policies that regulate the collection, storage, and usage of personal data. So, to put it simply, data privacy laws are set up to protect people's personal information.


Data Privacy. It's not just for adults.


Privacy policies have become a new normal for users of all types of online services and apps. Many companies were caught off guard when they adopted a lax approach to privacy, telling themselves 'We’re not doing anything wrong' or 'no-one will complain', which unfortunately led to the disclosure of vast amounts of their users’ personal data.


In 2017, the General Data Protection Regulation (GDPR) was adopted by the European Union. This has been called a "sweeping overhaul" of data protection law throughout the EU.


In the United States today, there is not one federal law that solely governs data privacy. However, there are many laws at the state level that experts believe could be made redundant by the creation of federal law.


One Nation! One Law!

If the US had one federal law in place across the would certainly help things run more smoothly. However, we would need to consider the states and their respective laws and regulations when drafting any new legislation...


Although many states are in the process of drafting or passing their own privacy legislation, there are additional important considerations when moving forward with a new set of comprehensive rules across state lines.


The United States has a plethora of data privacy and security laws, which range from sector to sector. U.S. state attorney general oversees many of them, especially those related to the handling of personal information collected from residents. issues surrounding the safe storage and treatment of Social Security numbers are particularly significant for Americans.


California kicked off the Privacy-Trend!


Although no other state has been able to successfully pass a comprehensive law, they’re still trying.

The next legislative session is important for these bills as they serve as a reference point for Republicans and Democrats. Both can agree on what must be amended before any deal can reach its destination: the governor’s desk.


Here is a list of laws and regulations you should be aware of for the year 2021:


CCPA (California Consumer Privacy Act)


While many states have adopted their own data privacy legislation, California was the first state to pass a comprehensive data privacy law.  Effective January 1, 2020, the California Consumer Privacy Act established a baseline of rights and responsibilities for both consumers and businesses.   


Under the CCPA, all companies in California with annual revenue of $25 million USD or larger, buy, sell, or receive information for at least 50,000 Californians, or derive at least 50% of the revenue from users’ data are obliged to disclose what personal data they hold about their clients and users (anonymized or not) and allow individual customers to be provided with contextual information pertaining to why/how/who they are using this information for.


CPRA (California Privacy Rights Act)


The November 2020 California general election made several significant changes to the State’s privacy laws. The changes became official five days after the results were certified. Covered businesses will need to start making serious plans to adhere to these new rules if they

(a) Do business in California


(b) Collect, use or disclose certain types of personal information about consumers.

California is one of the most progressive states in the United States when it comes to implementing rules and regulations to protect consumers' privacy. The passage of the Consumer Privacy Act (CCPA) last year has helped bring even more attention to ensuring consumer information is guarded and kept private.


However, there were some issues with the original bill- so California lawmakers have revised and updated it by pushing through a second law:


The California Privacy Rights Act (CPRA). The CPRA goes into greater depth about how businesses should handle consumer information and maintains much of what was included in the CCPA.


2023!


Beginning January 1, 2023, California’s original legislation goes away and only the surviving legislation will be enforced. This means that businesses will only be covered by the CPRA if

(1) they (a) had $25M in annual gross revenues as of January 1 in the preceding calendar year or (b) buy, sell, or share the personal information of 100,000 California customers or households every year


OR


(2) derives 50% or more of its revenues from selling data.


Virginia Consumer Data Protection Act (CDPA)


At the beginning of March 2021, Virginia was one of the first states to enact a law pertaining specifically to consumer data and requiring businesses and other organizations who collect and store such information to comply with tighter regulations.


The Consumer Data Protection Act (CDPA) grants Virginia residents certain rights over their own data, including rules that apply to how that data can be handled as well as rules pertaining to how it is stored and shared with third parties.


The CDPA goes one step further and expands Virginian's attitudes towards personal data characterizations, to cover "sensitive data," which includes, among other classifications, race/ethnicity, education status, mental or physical health diagnosis, biometric information inputted into a system (e.g., retina scan), political affiliation using a verified government ID number, personal/legal caretaker relationship history for a minor.


Is it Applicable to You?


According to the CPDA, all businesses that collect data about Virginians, either online or offline, are required to adhere to strict privacy policies that protect these individuals.

(1) during a calendar year control or process personal data of at least 100,000 “consumers” or

(2) control or process personal data of at least 25,000 “consumers” and derive over 50% of gross revenue from the sale of personal data.


According to the law, a person is defined as a natural resident of the state while it does not consider an individual acting in a business context as a consumer.


Even though this may seem unfair for many mainstream businesses, especially those with a nationwide presence - this key distinction was created based upon careful consideration and consultation with legal scholars and relevant third parties.


Colorado Privacy Act (CPA)



Colorado has become the third U.S. state to adopt a cohesive and comprehensive data privacy law, joining California and Virginia. After Governor Jared Polis signed the Colorado Data Privacy Act (the "COPA") into law on July 8th, 2021, the new regulation is slated to take effect on July 1st, 2023.

This new law is set to protect individual rights regarding their online information or personal data from being collected, shared, sold, etc. Additionally, it gives people opt-out rights over commercial uses of their data.


The CPA law primarily draws most of its inspiration from the European Union's General Data Protection Regulation (“GDPR”), but also contains elements found primarily in both the California Consumer Privacy Act (“CCPA, including as amended by the California Privacy Rights Act (“CPRA”) and the Virginia Consumer Data Protection Act (“VCDPA.”).


Here you can see some of the key provisions one will look for in the legislature across the various states with regards to protecting personal information like your social security number, credit card information, etc.


Who Is it for?


The CPA applies to you if you're a company or organization that either resides in Colorado or is pursuing consumers in Colorado with your product or service offerings. There are two ways to qualify under the statute:

  1. if your company's data of at least 100,000 people residing in the state during any given calendar year.

  2. if at least 25,000 people knowingly provide their personal data, and your business derives revenue from the sale of that information.


Do not forget to check out the other federal laws that govern the collection of information online.

  1. The Children’s Online Privacy Protection Act (COPPA) was created by the U. S. Federal Trade Commission and was passed in 2000 to protect the personal information of minors on the internet and their browsing activity.

  2. COPPA applies to websites or online services that know they are collecting, using, or disclosing personal information from minors under age 13.

  3. The Fair Credit Reporting Act (FCRA) is a law that protects against credit reporting agencies releasing information about you without your consent.

  4. There are multiple instances where they can, however. Such as if you default on a loan, a court has determined a judgment for this, or someone has committed credit fraud.

No Spying Here.


We've all heard about GDPR and how it impacts organizations that collect data on EU citizens. But what do you do if you collect data on U.S. citizens?


Do you need to worry?


Well, you may need to worry about complying with the U.S. Privacy regulations we listed above.

To be fully compliant with U.S. data protection laws, all data subjects should have the opportunity to consent to the collection of personal information.


When it comes to the collection of personal information, data controllers and data processors must abide by the U.S. Data Protection Act.


The Act states that you must get explicit consent from your data subjects, and that consent can be revoked at any time.


If you do not get consent from your data subjects, then the information you have collected may be considered illegal and you may be fined.


If you would like to learn more about how the U.S. Data Protection laws and how to slip through your way out? We would love to have a word with you!

bottom of page