In 2023, new state privacy laws will take effect in the US, which will have a significant impact on companies that collect and use personal data. The new laws are being introduced in response to growing concerns about data breaches, cyber attacks, and the misuse of personal data by companies. But what does this mean for companies outside the US, and how do these new laws compare to Europe’s privacy laws?
The new state privacy laws in the US are designed to give individuals more control over their personal data, and to provide greater transparency and accountability for companies that collect and use that data. Two of the most significant state privacy laws are California’s Consumer Privacy Act (CCPA) and Virginia’s Consumer Data Protection Act (CDPA), both of which took effect on January 1, 2023.
The CCPA is set to be replaced by the California Privacy Rights Act (CPRA), which will introduce new requirements for businesses that collect and use personal data. The CPRA will introduce a new category of sensitive personal information, and new rights for consumers to limit the use of their data. The CDPA applies to businesses that collect and process personal data from Virginia residents, and requires them to provide certain disclosures and rights to consumers, including the right to access, correct, and delete their personal information.
While the new state privacy laws primarily apply to companies that operate in the US, they may also have an impact on companies that work outside of the US. This is because companies that collect and process personal data from US residents may be subject to the new laws. This also means companies outside the US that have customers or clients in the US will need to take steps to ensure compliance with the new requirements.
In comparison to Europe’s privacy laws, the new state privacy laws in the US are still considered to be less strict. Europe’s General Data Protection Regulation (GDPR), which came into effect in 2018, is considered to be one of the strictest privacy laws in the world. The GDPR applies to all companies that collect and process personal data from EU residents, regardless of where the company is based. The GDPR provides individuals with greater rights over their personal data, such as the right to access, correct, and delete their data. It also requires companies to obtain explicit consent from individuals before collecting and using their data, and to implement appropriate technical and organizational measures to protect that data.
The new state privacy laws in the US are, however, moving in a similar direction to Europe’s privacy laws, and it’s possible that they may become stricter in the future. Other states in the US, such as New York, Colorado, and Washington, are also considering new privacy laws, which may have similar requirements to those in California and Virginia.
In conclusion, the new state privacy laws taking effect in the US in 2023 represent a significant change for companies that collect and use personal data in the US. While the laws are primarily designed for companies that operate in the US, there’s bound to be an impact on companies outside of the US too. Companies outside of the US with customers or clients in the US will need to take steps to ensure compliance with the new requirements. While the new state privacy laws in the US are still considered to be less strict than Europe’s privacy laws, they are moving in a similar direction, and it’s certainly possible they may become stricter in the future.
Will your businesses be impacted by these changing laws? If so, how, and what are you doing now to prepare?