In the US, California has traditionally dominated the privacy conversation. This is changing. Now organizations doing business in Virginia, Colorado, Utah, and Connecticut all have new regulations to learn and comply with.
Adding a new dimension to the cost of a data breach, the wave of regulations taking effect in 2023 can inflict real costs on non-compliant businesses. Read on to learn about existing and upcoming legislation and how you can protect your business and users through simple but effective changes, such as stronger password policies.
2023: The year of data privacy laws
Legislation moves slowly, but in 2023 all five of the regulations below take effect (with enforcement of one pushed into 2024), making it a huge year for state data privacy acts. Start implementing the necessary changes today and avoid problems down the road.
- California Privacy Rights Act (CPRA): Amending the California Consumer Privacy Act (CCPA) passed in 2018, the CPRA took effect on January 1st, 2023, and enforcement was supposed to begin on July 1st, 2023. In a last-minute ruling, the Superior Court of California delayed enforcement of the CPRA regulations until no earlier than March 29th, 2024. The CCPA remains in full effect.
- Virginia Consumer Data Protection Act (VCDPA): The second state privacy act, passed in March of 2021 and went into effect on January 1st of 2023.
- Connecticut Data Privacy Act (CTDPA): Passing in May of 2022, this legislation went into effect only recently, on July 1st of 2023.
- Colorado Privacy Act (CPA): Like Connecticut's law, it went into effect on July 1st, 2023. The requirement to honor a Universal Opt-Out Mechanism, however, only applies from July 1st, 2024.
- Utah Consumer Privacy Act (UCPA): Bringing up the rear, this finally goes into effect on December 31st, 2023. Although the UCPA was not the last of these acts to pass, its implementation date is the latest of them all.
What do the regulations expect of organizations?
All the laws focus on protecting consumer information collected and used by organizations. However, understanding the different privacy laws is hard for businesses in the above states. It’s even more difficult for multi-state businesses.
Each regulation gives consumers the right to access and delete their data and to opt out of its sale and of targeted advertising. All but the UCPA also grant a right to correct existing information. Most of the laws require consent before sensitive data is processed rather than offering an opt-out, and the definition of sensitive data varies from state to state.
Thankfully, most of the regulations offer a cure period of at least 30 days to correct a violation before penalties apply, although in some states the cure period is at the regulator's discretion or is scheduled to expire.
Where the regulations differ most is in which organizations they apply to. Most target larger businesses or organizations that process large volumes of consumer data. Check the table below to see which data privacy laws apply to your organization.

| State (law) | Applies to businesses that... |
|---|---|
| California (CCPA & CPRA) | Have gross revenues of $25 million or more, or process the personal data of at least 100,000 consumers or households, or derive at least 50% of gross revenue from selling or sharing personal data. |
| Virginia (VCDPA) | Process the personal data of at least 100,000 consumers, or of at least 25,000 consumers while deriving over 50% of gross revenue from the sale of personal data. |
| Connecticut (CTDPA) | Process the personal data of at least 100,000 consumers (excluding data processed solely to complete a payment transaction), or of at least 25,000 consumers while deriving over 25% of gross revenue from the sale of personal data. |
| Colorado (CPA) | Process the personal data of at least 100,000 consumers, or of at least 25,000 consumers while deriving revenue or receiving a discount from the sale of personal data. |
| Utah (UCPA) | Have at least $25 million in annual gross revenue and either process the personal data of at least 100,000 consumers, or process the personal data of at least 25,000 consumers while deriving over 50% of gross revenue from the sale of personal data. |
Consequences of a breach
Beyond the reputational damage, each privacy law attaches a real monetary cost to failure. The amounts differ: per-violation penalties range from $5,000 in Connecticut to $20,000 in Colorado, and most of the other states cap civil penalties at $7,500 per violation, with minor differences.
There is no shortage of recent compromises that began with stolen or reused credentials. Examples include the Activision breach in late 2022, which started with an SMS phishing message to an employee, and the Norton LifeLock incident in early January 2023, in which credentials leaked in earlier breaches were replayed against Norton customer accounts (credential stuffing), exposing customer data.
If your IT systems are breached due to compromised user credentials and user data is stolen, the penalties can quickly add up, especially for larger companies spanning multiple states.
Crafting a strong defense can mitigate a breach’s reputational and real dollar costs. Most attackers look for low-hanging fruit such as easy-to-guess passwords, or previously leaked credentials.
Naturally, businesses will ask how best to protect their customers (through compliance), themselves (from fines), and their reputation (from bad press). A proactive company focuses on keeping its data protected.
One of the most effective measures is a combination of a strong password policy, multi-factor authentication, and blocking passwords that are already known to be compromised.
Password security protects your business and customers
Compromised passwords open the door to your infrastructure and to the loss of customer data, which may put you in violation of several state data protection regulations at once. Depending on the circumstances, that non-compliance means potential liability and high costs under each of the different state laws.
A two-pronged approach to securing your organization’s passwords goes a long way to avoiding security lapses.
First, audit the existing passwords used within your organization. Specops Password Auditor is a free download that scans your Active Directory for password vulnerabilities, including over 940 million compromised passwords.
Next, secure future password changes and comply with the latest legislation with a tool like Specops Password Policy with Breached Password Protection.
Specops Password Policy extends the function of Group Policy and has an easy-to-use interface that helps organizations enforce a stronger password policy, meet compliance standards, and block over 3 billion known compromised passwords.
By blocking compromised passwords, you can protect your organization from potential data breaches and extensive fines from the recently passed data privacy legislation.
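The two steps above, auditing existing credentials and rejecting compromised passwords at change time, both come down to one mechanism: checking a password hash against a list of hashes seen in breaches without ever sending the password, or its full hash, to the lookup service. The script below is an added illustration of that mechanism and is not Specops code. It follows the k-anonymity design popularised by Have I Been Pwned: the client hashes the password with SHA-1 and sends only the first five hex characters, the service returns every known suffix for that prefix, and the match is made locally. The breach corpus and the sample account hashes are constructed inline so the example runs offline; a real deployment would query a breached-password service or a locally mirrored hash list, and an Active Directory audit would compare NT hashes rather than SHA-1.

```python
"""Breached-password check in the k-anonymity style (added example, not vendor code)."""
import hashlib
from collections import defaultdict

# Constructed sample of passwords "seen in breaches" with their breach counts.
# Assumption: a real list holds hundreds of millions of entries, stored as hashes only.
CONSTRUCTED_BREACH_CORPUS = {
    "Password123": 12_000,
    "Summer2023!": 3_400,
    "qwerty123456": 250_000,
    "Welcome1": 90_000,
}

MIN_LENGTH = 12  # policy minimum; NIST SP 800-63B recommends at least 8, longer is better


def _sha1_upper(password: str) -> str:
    """SHA-1 hex digest, upper-cased, as breached-password range APIs expect."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict[str, int]) -> dict[str, dict[str, int]]:
    """Index breach hashes by 5-hex-char prefix: prefix -> {35-char suffix: count}."""
    index: dict[str, dict[str, int]] = defaultdict(dict)
    for password, count in corpus.items():
        digest = _sha1_upper(password)
        index[digest[:5]][digest[5:]] = count
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACH_CORPUS)


def lookup_range(prefix: str) -> dict[str, int]:
    """Stand-in for the remote 'range' endpoint: it only ever sees the 5-char prefix
    and answers with every suffix it knows for that prefix (possibly none)."""
    if len(prefix) != 5:
        raise ValueError("range lookups take exactly a 5-character hash prefix")
    return RANGE_INDEX.get(prefix, {})


def breach_count_for_hash(digest: str) -> int:
    """Match a full SHA-1 digest locally against the suffixes returned for its prefix."""
    prefix, suffix = digest[:5], digest[5:]
    return lookup_range(prefix).get(suffix, 0)


def breach_count(password: str) -> int:
    """How many times a password appears in breach data (0 if never seen).
    The full hash never leaves this function; only the prefix reaches the lookup."""
    return breach_count_for_hash(_sha1_upper(password))


def evaluate_password(password: str, username: str = "") -> list[str]:
    """Change-time policy check. Returns the list of violations; empty means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    count = breach_count(password)
    if count:
        problems.append(f"appears in breach data {count:,} times")
    return problems


# Constructed sample of existing accounts, as an audit would see them: username -> stored
# hash, never the plaintext. (Assumption: SHA-1 here; AD would expose NT hashes instead.)
CONSTRUCTED_ACCOUNT_HASHES = {
    "alice": _sha1_upper("Welcome1"),
    "bob": _sha1_upper("Tr0ub4dor&3-long-enough"),
    "carol": _sha1_upper("Summer2023!"),
}


def audit_accounts(account_hashes: dict[str, str]) -> list[str]:
    """Audit step: report accounts whose stored hash matches a breached password."""
    return sorted(user for user, digest in account_hashes.items()
                  if breach_count_for_hash(digest) > 0)


if __name__ == "__main__":
    for candidate in ("Password123", "correct-horse-battery-staple"):
        print(candidate, "->", evaluate_password(candidate) or "accepted")
    print("accounts using breached passwords:", audit_accounts(CONSTRUCTED_ACCOUNT_HASHES))
```

Two design points worth noting. The prefix query leaks almost nothing (every prefix matches thousands of real hashes), so the check can safely be run against an external service during password changes. And the audit function works from stored hashes alone, which is the only form in which an organisation should ever hold its users' passwords; rate-limit or batch such lookups, and treat a hit as grounds to force a reset, not as a reason to log the offending value.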
With more states getting serious about data privacy, it has never been more important to keep your organization secure.
Sponsored and written by Specops Software