Privacy Laws in the United States
California Privacy Rights Act (CPRA)
The CPRA, effective January 1, 2023, enhances the California Consumer Privacy Act (CCPA) by introducing:
- Expanded Consumer Rights: Consumers can correct inaccurate personal information and limit the use of sensitive data, such as Social Security numbers and health information.
- Sensitive Personal Information (SPI): A new category, Sensitive Personal Information (SPI), is introduced to provide additional protections for highly sensitive data, including Social Security numbers, driver’s license and passport numbers, financial account details, precise geolocation, biometric and health data, and data about race, ethnicity or sexual orientation. Businesses are required to provide consumers with the ability to limit the use and disclosure of SPI.
- Establishment of Enforcement Agency: The California Privacy Protection Agency (CPPA) is responsible for enforcing compliance, conducting audits, and imposing penalties.
- Data Minimisation and Retention Limits: Businesses are required to collect only necessary data and retain it only for as long as needed for disclosed purposes.
- No Mandatory Cure Period: Unlike the CCPA, the CPRA removes the automatic 30-day cure period; whether a business is given time to cure an alleged violation is now at the enforcing agency’s discretion.
- Global Privacy Control (GPC): Businesses must honour consumer opt-out preferences expressed through browser signals.
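The GPC item above is the one requirement in this list that a developer implements directly in request handling. The following is an added example, not code from the original page or from Advoke International: a minimal server-side check that treats a `Sec-GPC: 1` request header as an opt-out of sale or sharing and records it. The header name, its single valid value `1`, and the `/.well-known/gpc.json` resource come from the GPC specification; the function names, the `ConsentStore` stand-in and the sample requests are constructed for this illustration, and how far a browser signal extends beyond the browser that sent it is a regulatory question this example does not settle.

```python
"""Added example (not from the original page): honouring a Global Privacy
Control (GPC) opt-out signal on the server side.

The header name `Sec-GPC` and the value `1` come from the GPC specification
(https://globalprivacycontrol.github.io/gpc-spec/). The function names,
the in-memory ConsentStore and the sample requests below are constructed
for this illustration and are not part of any real product.
"""
from dataclasses import dataclass, field
from typing import Mapping

GPC_HEADER = "sec-gpc"  # header names are compared case-insensitively


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """Return True only if the request carries `Sec-GPC: 1`.

    The spec defines exactly one valid value, "1". Anything else ("0",
    "true", "yes") is treated as no signal, which matches the spec's
    grammar and avoids inventing semantics for malformed values.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


@dataclass
class ConsentStore:
    """Constructed stand-in for wherever a business records opt-outs."""
    opted_out: set = field(default_factory=set)

    def record_opt_out(self, consumer_id: str) -> None:
        self.opted_out.add(consumer_id)


def may_sell_or_share(consumer_id: str,
                      headers: Mapping[str, str],
                      store: ConsentStore) -> bool:
    """Decide whether data from this request may be sold or shared.

    A GPC signal is treated as a valid opt-out: it is persisted for the
    consumer (assumption: the request can be tied to a known consumer) so
    that later requests arriving without the header still see the opt-out,
    and the answer is False. A stored opt-out also answers False; a request
    without the signal never re-enables sale for an opted-out consumer.
    """
    if gpc_signal_present(headers):
        store.record_opt_out(consumer_id)
        return False
    return consumer_id not in store.opted_out


def well_known_gpc(last_update: str) -> dict:
    """Body for /.well-known/gpc.json, the spec's way for a site to declare
    that it honours GPC. `last_update` is an ISO 8601 date string."""
    return {"gpc": True, "lastUpdate": last_update}


if __name__ == "__main__":
    store = ConsentStore()
    # Constructed sample requests: one with the signal, one without.
    signalled = {"Host": "shop.example", "Sec-GPC": "1"}
    plain = {"Host": "shop.example"}
    print(may_sell_or_share("c-123", signalled, store))  # False, opt-out stored
    print(may_sell_or_share("c-123", plain, store))      # False, opt-out persists
    print(may_sell_or_share("c-456", plain, store))      # True, no opt-out known
    print(well_known_gpc("2024-01-01"))
```

The check belongs at the point where the sale or share decision is made (ad-tag injection, data export to a partner), not only in the privacy banner: a consumer who sends the signal may never interact with a banner at all. The strict equality with `"1"` is deliberate; accepting loose values would let a middlebox or a buggy extension silently change what the business records.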
The CPRA applies to for-profit entities that meet any of the following criteria:
- Annual gross revenues exceeding $25 million.
- Buy, sell, or share the personal information of 100,000 or more California residents or households.
- Derive 50% or more of annual revenue from selling or sharing California residents’ personal information.
Virginia Consumer Data Protection Act (VCDPA)
Effective January 1, 2023, the VCDPA grants Virginia residents rights over their personal data, including:
- Consumer Rights: Access, correct, delete, and obtain a copy of personal data in a portable format.
- Opt-Out Provisions: Consumers can opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.
- Controller Responsibilities: Businesses must conduct data protection assessments and implement reasonable security measures.
The VCDPA applies to entities that conduct business in Virginia or target Virginia residents and meet either of the following thresholds:
- Process personal data of at least 100,000 consumers annually.
- Process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
Colorado Privacy Act (CPA)
Effective July 1, 2023, the CPA provides Colorado residents with:
- Consumer Rights: Access, correct, delete, and obtain a copy of personal data.
- Universal Opt-Out Mechanism: Consumers can opt out of targeted advertising, sales, and profiling through a unified mechanism.
- Sensitive Data Protections: Explicit consent is required before processing sensitive information, such as biometric or health data.
The CPA applies to entities that conduct business in Colorado or target Colorado residents and either:
- Process personal data of 100,000 or more consumers annually.
- Derive revenue or receive discounts from selling personal data and process data of at least 25,000 consumers.
Connecticut Data Privacy Act (CTDPA)
Effective July 1, 2023, the CTDPA offers:
- Consumer Rights: Access, correct, delete, and obtain a copy of personal data.
- Protections for Children: Requires parental consent for processing data of children under 13.
- Data Security: Mandates the implementation of reasonable security practices.
The CTDPA applies to entities that conduct business in Connecticut or target Connecticut residents and during the preceding calendar year:
- Controlled or processed personal data of 100,000 or more consumers, excluding data processed solely for payment transactions.
- Controlled or processed personal data of 25,000 or more consumers and derived more than 25% of gross revenue from the sale of personal data.
Utah Consumer Privacy Act (UCPA)
Effective December 31, 2023, the UCPA is considered more business-friendly and includes:
- Consumer Rights: Access, delete, and obtain a copy of personal data.
- Opt-Out Provisions: Consumers can opt out of targeted advertising and data sales.
- Relief for Small Businesses: The UCPA applies only to businesses with $25 million or more in annual revenue that also meet one of the data-volume thresholds below, so smaller entities fall outside its scope.
The UCPA applies to entities that conduct business in Utah or target Utah residents and have annual revenue of $25 million or more, and either:
- Process personal data of 100,000 or more consumers annually.
- Derive over 50% of gross revenue from the sale of personal data and process data of 25,000 or more consumers.
Nevada Privacy Law and SB260 Amendment
Nevada’s online privacy law (NRS 603A), first enacted in 2017 and amended in 2019 by SB 220, grants consumers the right to opt out of the sale of their personal information. With the passage of SB 260 in 2021, the law was expanded:
- Broader Scope of the Opt-Out: SB 260 widened the definition of a “sale” and extended the opt-out right to data brokers. Nevada still does not grant consumers rights to access or delete their personal data.
- Data Broker Regulation: Businesses that qualify as data brokers must honour verified consumer opt-out requests. Unlike California or Vermont, Nevada does not operate a data broker registry.
- Enforcement Provisions: The Nevada Attorney General is authorized to enforce privacy violations, with fines of up to $5,000 per violation.
- Privacy Policy Updates: Businesses must update their privacy policies to include instructions for consumers on how to exercise their rights.
This amendment brings Nevada’s privacy framework closer in scope to other state laws, although it remains narrower than the CPRA in terms of consumer rights and obligations for businesses.
Gramm-Leach-Bliley Act (GLBA)
The GLBA, enacted in 1999, is a federal law regulating the privacy of consumer financial information. It applies to financial institutions, including banks, insurance companies, and investment firms, and imposes obligations for safeguarding customer data.
Key Provisions:
- Financial Privacy Rule: Requires institutions to inform customers about data-sharing practices and provide opt-out options for sharing data with non-affiliated third parties.
- Safeguards Rule: Requires financial institutions to develop, implement, and maintain a written information security program to protect customer data.
- Pretexting Provisions: Prohibit the use of deceptive practices, such as impersonating a customer, to obtain personal financial information.
The California-First Policy
The CPRA has emerged as the gold standard for privacy compliance due to its rigorous requirements and broad consumer protections. Businesses adopting a “California-first” approach often find it easier to comply with other state privacy laws.
- Comprehensive Protections: The CPRA includes rights and obligations (e.g., data minimization, sensitive data protections) that exceed those in most state laws.
- Streamlined Compliance: By meeting CPRA standards, businesses generally align with the requirements of other laws like the VCDPA, CPA, UCPA, and Nevada SB260.
This strategy simplifies compliance for businesses operating in multiple states, especially as privacy laws continue to evolve. However, the CPRA does not replace federal laws like HIPAA (health data) or GLBA (financial data), so businesses must ensure sectoral compliance as well.
Penalties for Non-Compliance
| REGULATION | CIVIL PENALTIES | REMEDIES |
|---|---|---|
| California Privacy Rights Act (CPRA) | Up to $2,500 (USD) per unintentional violation. Up to $7,500 (USD) per intentional violation or violations involving minors. | Private Right of Action: Consumers can seek statutory damages between $100 and $750 per incident for data breaches resulting from a business’s failure to implement reasonable security measures. |
| Virginia Consumer Data Protection Act (VCDPA) | Up to $7,500 (USD) per violation, enforced by the Attorney General. | Cure Period: Businesses have 30 days to cure alleged violations after receiving notice. |
| Colorado Privacy Act (CPA) | Up to $20,000 (USD) per violation, enforced by the Attorney General and district attorneys. | Cure Period: Businesses had 60 days to address alleged violations after notification; this cure period expired on January 1, 2025. |
| Connecticut Data Privacy Act (CTDPA) | Up to $5,000 (USD) per violation, enforced by the Attorney General. | Cure Period: Businesses had 60 days to remedy alleged violations upon notice; this cure period expired on December 31, 2024. |
| Utah Consumer Privacy Act (UCPA) | Up to $7,500 (USD) per violation, enforced by the Attorney General. | Cure Period: Businesses have 30 days to cure alleged violations after receiving notice. |
| Nevada Privacy Law and SB260 Amendment | Up to $5,000 (USD) per violation, enforced by the Attorney General. | Cure Period: Businesses have 30 days to remedy non-compliance after being informed. |
| Gramm-Leach-Bliley Act (GLBA) | Civil penalties of up to $100,000 (USD) per violation for institutions. Individual officers and directors may face fines of up to $10,000 (USD) per violation and imprisonment for up to five years. | No private right of action; enforced by the FTC and the federal financial regulators. |
The CPRA’s stringent requirements and broad applicability make it the de facto standard for privacy compliance in the U.S. Businesses adopting a California-first approach can simplify their compliance efforts while ensuring they meet the highest privacy standards across states.
CPRA+ Solutions
Advoke International provides comprehensive solutions tailored to support your organization in achieving full compliance with the various US Privacy Laws.
- CPRA+ Gap Analysis
- Privacy Framework Implementation
- CPRA+ Readiness Assessment
- Complete CPRA+ Compliance Review
Frequently Asked Questions
Which U.S. privacy laws apply to my business?
Which laws apply depends on your business’s location, the type of data you handle, and your consumers’ geographical locations. Common regulations include the CPRA (California), VCDPA (Virginia), CPA (Colorado), and UCPA (Utah). Sector-specific regulations like the GLBA may apply if your business handles financial information.
Do businesses need to comply with all state privacy laws?
Businesses must comply with privacy laws in every state where they have customers or operations. However, adopting a “California-first” policy often simplifies compliance since the CPRA includes strong consumer protections that align with many other state laws.
What is the “California-first” approach?
The “California-first” approach means that businesses prioritize compliance with the CPRA as their primary privacy framework. Since the CPRA includes broad consumer rights and stringent requirements, meeting its standards generally ensures compliance with other state laws such as the VCDPA, CPA, and UCPA.
Does the GLBA apply to all businesses?
No, the GLBA specifically applies to financial institutions, including banks, insurance companies, and investment firms. It requires these institutions to safeguard consumers’ financial information, disclose privacy practices, and give consumers the option to opt out of certain data-sharing practices.
What is the enforcement mechanism for privacy violations under U.S. laws?
Enforcement of privacy laws in the U.S. is usually carried out by the state Attorney General. For instance, violations of the CPRA, VCDPA, CPA, and UCPA are subject to enforcement by the respective state attorneys general, who can impose civil penalties. In some cases, consumers may also have the right to take private legal action, especially in cases involving data breaches.