In the past, we’ve written about how the California Consumer Privacy Act (CCPA) impacts data privacy policies for companies doing business in California. Today, we’re looking beyond the Golden State to see how the CCPA and its associated legislation, the California Privacy Rights Act (CPRA), are impacting data privacy in the rest of the country.
Currently, the CCPA is the most comprehensive and far-reaching privacy regulation in the United States. It’s given rise to similar data privacy laws in a handful of other states, expanding consumer privacy protections and restrictions on data processing. It has also started to shape broader data privacy conversations in the country, and experts anticipate that it will influence our future federal privacy regulations.
The California Consumer Privacy Act is a comprehensive data privacy law that went into effect in January 2020. Designed to enhance the protection of consumers’ personal information, the CCPA grants California residents greater control over how their personal data is collected, processed, and shared by businesses.
Under the CCPA, consumers have the right to know about the personal information businesses collect about them and how that personal information is being used. Businesses are required to provide clear privacy policies, collect informed consent from consumers, and provide consumers with a copy of their personal data when requested. Furthermore, the CCPA gives consumers the right to request the deletion of their personal information and the right to opt out of the sale of their data to third parties.
As the nation’s first comprehensive data privacy law, the CCPA has set a precedent for other states to begin safeguarding individuals’ data rights. It has already enabled California consumers to gain more control over their personal data, and its provisions on transparency, consumer rights, and business obligations mark a significant step towards bolstering privacy protection in an increasingly data-driven world.
First, let’s explore how the CCPA has already had a tangible impact on other states’ data privacy laws. Four states have now emulated California’s approach to consumer privacy legislation, enacting similar measures to enhance data protection and give their residents greater control over personal information. These laws typically grant individuals the right to know what personal data is being collected about them, the right to opt out of certain data sharing practices, and the right to request the deletion of their data.
The Colorado Privacy Act. This just-finalized privacy law is largely consistent with the CCPA. Originally passed in 2021, the Colorado Privacy Act (CPA) requires consent for data processing from data subjects, encourages data minimization practices, and mandates data protection assessments for data processing activities involving the personal data of Colorado residents. The CPA has also added its own unique measures, allowing consumers the right to appeal a data subject request decision by a company and giving technical specifications for universal opt-out mechanisms.
The Connecticut Data Privacy Act. Like the CPA, the CTDPA went into effect on July 1, 2023, and places a similar emphasis on individual data privacy. The act gives Connecticut consumers the right to access, correct, and request the deletion of their personal data. Like the Colorado Privacy Act, the CTDPA also gives consumers the right to opt out of having their personal data processed for sale or for targeted advertising.
The Utah Consumer Privacy Act. The Utah Consumer Privacy Act (UCPA) does not require data controllers to conduct cybersecurity audits, risk assessments, or data protection evaluations, making it weaker than the CCPA in some areas. However, like California’s legislation, the UCPA gives Utah consumers the right to access their data, request its deletion, and opt out from having their data used for certain purposes.
The Virginia Consumer Data Protection Act. This law has aspects in common with both the CCPA and the EU’s General Data Protection Regulation (GDPR). The Virginia Consumer Data Protection Act, or VCDPA, allows Virginia consumers to request that data controllers correct inaccuracies in their personal data, delete their personal data, and opt out of having their personal data processed for sale or for targeted advertising. The VCDPA goes a step further than the CCPA and other privacy acts by requiring that the use and collection of sensitive data be opted out by default, not just protected by an opt-out setting.
The lack of a comprehensive federal data privacy law has led to a complex and challenging regulatory landscape in the United States. But lately, the momentum generated by the CCPA has prompted discussions at the federal level about the need for a nationwide data privacy law. Policymakers are looking to the CCPA as a case study, drawing lessons from its requirements to inform the creation of a cohesive federal privacy framework.
At its most basic level, the CCPA has enshrined personal data rights for US consumers into law. Although the GDPR was the first regulation to center around this concept, the CCPA was the first in the United States. Its existence demonstrates that US consumers have a desire for privacy legislation and that US regulatory bodies have the ability to enact and enforce that legislation.
This shift in mindset has reshaped the data privacy landscape in the US and, critically, influenced how the federal government thinks about data privacy. Below, we’ll cover a few specific ways that the CCPA is shaping future national privacy laws.
The CCPA’s proactive approach to enhancing consumer data rights and establishing a comprehensive framework for businesses to manage personal information has prompted a broader conversation at the national level. Now, policymakers, lawmakers, and privacy advocates across the country are reevaluating the data protection landscape.
This effect can be seen most clearly in several federal privacy bills that legislators have proposed to establish a unified data privacy standard and ensure consistent protections for consumers.
In 2019, for example, lawmakers proposed two pieces of legislation, the Consumer Online Privacy Rights Act and the Consumer Data Privacy Act. These two bills had similar frameworks that mandated individual privacy rights and organizational policies on how to collect, use, and share personal information. Neither bill was ultimately passed, but both clearly incorporated concepts from the CCPA.
One of the most promising pieces of data privacy legislation was the American Data Privacy and Protection Act (ADPPA), which was the closest the US Congress has ever gotten to passing comprehensive federal privacy legislation. This bill, which passed the bipartisan House Committee on Energy and Commerce in 2022 but never made it to a full vote, established clear requirements for how companies should handle personal data.
First, some experts argue that the CCPA has already been acting as a de facto national privacy standard by influencing businesses to apply CCPA policies to all US consumers.
Because of its size and economic significance — the state has a population of 40 million and the world’s fifth largest economy by GDP — California residents often make up a sizable portion of an organization’s consumer base. As a result, it’s become more cost-effective for some companies to apply CCPA principles to all consumers rather than maintain two or more separate data privacy policies for residents of different states.
Tech companies like Microsoft, for example, announced after the CCPA passed in June 2018 that they would apply its principles to all US citizens, not just California consumers. This move signaled to federal policymakers that there is a real demand for comprehensive federal legislation to regulate data privacy in the United States.
The January 2023 amendment to the CCPA, the California Privacy Rights Act, established a state agency to oversee enforcement and rulemaking under the CCPA. This agency, the California Privacy Protection Agency (CPPA), took over from the Office of the Attorney General of California in an effort to focus more closely on ensuring data privacy rights for consumers.
At the federal level, privacy advocates have suggested the creation of a similar agency to take over data privacy enforcement from the Federal Trade Commission (FTC). Currently, the FTC has only limited authority to regulate data privacy and faces significant budget constraints that make enforcement difficult. A federal data protection agency has already been proposed by some lawmakers and would help ensure the successful implementation of future data privacy legislation.
In today’s regulatory landscape, companies must consider data privacy in every aspect of their operations. From IP to PII, from legal contracts to cloud technologies, business leaders need to work to weave data protection into the fabric of their organization.
The ShardSecure platform supports a privacy-by-design framework, which is central to the CPRA and to other regulations like the GDPR. Our innovative approach to file-level encryption ensures advanced data privacy and separates data from third-party access, helping to protect consumer data in on-prem, cloud, and hybrid- and multi-cloud environments.
With advanced data privacy, the ShardSecure platform also helps customers strengthen their privacy posture for regulatory compliance, including with the CCPA, GDPR/Schrems II, and SOC 2. To learn more about our technology, visit our resources page today.