Article

The tip of the iceberg: California leads pack of new privacy requirements

New privacy laws and regulations require a fresh look at compliance practices

March 22, 2023

Key takeaways

More companies that do business in California are now subject to CCPA and CPRA regulations.

These requirements are only the start of a new wave of privacy laws and regulations.

Instead of managing requirements jurisdictionally, companies should develop an anticipatory privacy approach.

A proactive stance helps companies manage compliance obligations and reduces stress on stakeholders and enterprise processes.


The recent expiration of exemptions in the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) requires more companies that do business in California to meet stricter privacy requirements. California has started a cascade of copycat or new state-level privacy laws and regulations that organizations may also need to comply with. With the privacy landscape becoming more complex, companies need to evaluate how they address privacy and consider taking a more comprehensive approach.

New California privacy laws go into effect

The CCPA, signed into law in 2018, is designed to give Californians control over their personal data and has served as a blueprint for privacy requirements in additional states. The requirements have provided Californians with several privacy rights, including the right to access their personal data, have businesses delete their personal data, prevent the sale of their personal data, and initiate lawsuits following personal data breaches.

As of Jan. 1, 2023, these rights extend to job applicants and employees, and may apply to the personal data of employees’ spouses, spousal equivalents, dependents and beneficiaries. The provisions also protect personal data collected in business-to-business (B2B) transactions. California residents are the first to be covered under such a comprehensive privacy law and regulation at the state level.

In addition, the CPRA came into effect Jan. 1, 2023, serving as an amendment and extension of the CCPA, and includes additional consumer rights, such as the right to ensure a business corrects inaccurate personal data, the right to opt out of automated decision-making, and the right to limit an organization’s use of sensitive personal data.

If these new rights are not incorporated into an existing privacy program and operationalized, then noncompliant organizations may face regulatory scrutiny from the California Privacy Protection Agency (CPPA), the agency responsible for enforcement. Such enforcement actions may result in fines or other financial impacts and immeasurable reputational harm.

Failure to comply with the CCPA/CPRA can result in monetary penalties of up to $2,500 for each unintentional violation and up to $7,500 for each intentional violation. Some settlements have already surpassed $1 million, and settlements are likely to become larger and more frequent. Additionally, consumers may take action if an organization exposes their personal data, fails to protect it adequately, or fails to recognize their rights over it, resulting in additional lawsuits, potential payouts and legal expenses.


Only the beginning

While California is in the spotlight because it is the most recent state to enact a privacy law and regulation, many more privacy requirements are on the horizon. Companies cannot lose sight of other state laws and regulations that will go into effect soon and have similar consequences for noncompliance. In 2023 alone, new privacy requirements will commence in Colorado, Connecticut, Utah and Virginia in addition to California.

Other states are sure to follow suit because privacy has become a critical issue in recent years, and momentum is not slowing. For example, Indiana, Iowa, New Hampshire, and Texas have all introduced bills—some of which are already under committee review. The Texas bill, in particular, borrows the language of the Virginia requirements, which appears to be the trend at the state level.

State laws and regulations

Law                                               | State       | Effective date
--------------------------------------------------|-------------|------------------------------------------------------------
California Consumer Privacy Act (CCPA)            | California  | Jan. 1, 2020; for personal data of California resident job applicants and employees, and data collected in B2B transactions, Jan. 1, 2023
California Privacy Rights Act (CPRA)              | California  | Jan. 1, 2023
Colorado Privacy Act (CPA)                        | Colorado    | July 1, 2023
Connecticut Data Privacy Act (CTDPA)              | Connecticut | July 1, 2023
Utah Consumer Privacy Act (UCPA)                  | Utah        | Dec. 31, 2023
Virginia Consumer Data Protection Act (VCDPA)     | Virginia    | Jan. 1, 2023

A consistent approach to privacy

Many of these state privacy requirements share a similar blueprint, with best-practice policies and procedures designed to protect a resident’s privacy. Instead of handling each requirement on an ad hoc, state-by-state basis as it goes into effect, a more effective and efficient approach is to implement privacy controls up front that anticipate the common requirements and remain valid as new laws arrive.

Taking a proactive privacy stance and focusing on operationalizing personal data governance helps companies stay ahead of compliance obligations, reducing stress on internal processes and personnel as new laws and regulations commence. This “design and build once for many” framework can anticipate and meet the needs of rapidly evolving privacy frameworks both within the United States and globally.

RSM contributors

  • Jack Harding
    Senior Associate
