Data Privacy Laws 2024: A Short Guide

February 1, 2024

In 2024, staying informed about new data privacy laws is crucial in a rapidly evolving digital world. This guide focuses on recent legislation affecting how organisations handle personal data, going beyond established laws like the GDPR. 

Almost every country in the world is legislating on data privacy, and although the laws share a common shape, navigating the differences between them at a global level will remain a challenge for every business.

5 Reasons Data Privacy Laws Matter Beyond Compliance

While compliance is essential, data privacy laws offer far more than just legal protection. Here are 5 reasons why you should care about data privacy and why these laws could benefit your business in the long term.

  • Protecting Your Digital Identity: In a time where anyone can be mimicked by AI-powered deepfakes and picked up by facial recognition, strong data privacy laws safeguard your digital identity. Imagine your face, voice and mannerisms used to create hyper-realistic propaganda or commit online fraud. Data privacy laws limit unauthorised access to this sensitive information, giving you control over how your digital self is represented in the world.
  • Preventing Algorithmic Bias: These laws can combat discriminatory algorithms that unfairly impact individuals based on race, gender, or other factors. By promoting data transparency and accountability, they can shine a light on biased algorithms and force companies to develop fairer data practices. This can lead to greater equality and opportunity in areas like loan approvals, job offers and criminal justice.
  • Empowering Data Ownership: Data privacy laws are paving the way for data ownership rights, where individuals control how their personal information is collected, used and sold. Imagine opting to rent your anonymised search history to researchers for a fee, or choosing to monetise your social media data while maintaining privacy. This shift from data as a corporate asset to individual property can usher in a new era of personal data control and economic empowerment.
  • Fostering Responsible AI Development: Stringent data privacy regulations encourage ethical and responsible AI development. By restricting access to sensitive personal data, they force companies to build AI systems that rely on less invasive data while focusing on human accountability and oversight. This can lead to more trustworthy and transparent AI applications that benefit society without compromising individual privacy.
  • Creating a Level Playing Field: Data privacy laws are creating a level playing field for businesses, promoting competition based on innovation and value rather than access to vast amounts of user data. This fosters a more diverse and resilient digital ecosystem, encouraging smaller companies and new ideas to flourish without being suffocated by data-hungry giants.

New US State Data Privacy Laws for 2024

Throughout 2023, more comprehensive privacy laws passed through state legislatures, and many of them take effect in 2024 or 2025. The majority follow the Virginia/Connecticut model and mirror aspects of the GDPR and CCPA, but there are significant differences in scope, consumer rights and enforcement from state to state. Note that none of these laws sets a 72-hour breach-notification clock: breach notification in the US is governed by each state's separate breach statute, and the 72-hour deadline many readers recognise is the GDPR's (Article 33) duty to notify the supervisory authority.

Montana Consumer Data Privacy Act (MTCDPA)

Signed into law on May 19th 2023, the MTCDPA takes effect on 10/01/2024.

  • Scope: Businesses that operate in Montana or target Montana residents and, in a calendar year, control or process the personal data of 50,000+ consumers (excluding data processed solely to complete a payment), or of 25,000+ consumers while deriving more than 25% of gross revenue from the sale of personal data. There is no revenue threshold.
  • Data Types: Personal data of Montana residents acting in an individual context; de-identified data, publicly available information and data already regulated under HIPAA, GLBA and similar federal laws are carved out.
  • Consumer Rights: Access, correction, deletion, portability, opt-out of sale, targeted advertising and profiling that produces legal or similarly significant effects; consent is required before processing sensitive data.
  • Business Obligations: Data minimisation and purpose limitation, reasonable security, a privacy notice, data protection assessments for high-risk processing, and recognition of universal opt-out signals (such as Global Privacy Control) from 01/01/2025.
  • Exemptions: State bodies, non-profits, higher education institutions, GLBA financial institutions, HIPAA covered entities, and employment and B2B data.
  • Enforcement: Montana Attorney General has exclusive enforcement authority; no private right of action; a 60-day cure period must be offered before an action is brought.

Differences:

  • Follows the Connecticut model, but its 50,000-consumer threshold is lower than the 100,000 used by most states, so it reaches smaller businesses.
  • Requires businesses to honour universal opt-out signals.
  • Unlike Connecticut, Oregon and Delaware, the cure period does not sunset.

Tennessee Information Protection Act (TIPA)

Signed into law on May 11th 2023, the TIPA takes effect on 07/01/2025.

  • Scope: Businesses exceeding $25 million in annual revenue that also control or process the personal data of 175,000+ consumers, or of 25,000+ consumers while deriving more than 50% of gross revenue from the sale of personal data. Both the revenue test and the volume test must be met.
  • Data Types: Personal data of Tennessee residents acting in an individual context; HIPAA, GLBA and other federally regulated data are carved out.
  • Consumer Rights: Access, correction, deletion, portability, opt-out of sale, targeted advertising and profiling; consent is required for sensitive data.
  • Business Obligations: Data minimisation, transparency, reasonable security, data protection assessments, and a written privacy programme; a programme that reasonably conforms to the NIST Privacy Framework (or a comparable standard) gives the business an affirmative defence in enforcement actions.
  • Exemptions: GLBA financial institutions, HIPAA covered entities, non-profits, higher education institutions, and employment and B2B data.
  • Enforcement: Tennessee Attorney General (exclusive authority); 60-day cure period; civil penalties up to $7,500 per violation, trebled for wilful or knowing violations; no private right of action.

Differences:

  • The highest applicability threshold of any state (175,000 consumers plus $25 million in revenue), so it reaches only large businesses.
  • The only state law that offers an affirmative defence for maintaining a NIST-aligned privacy programme.
  • A longer runway than the other 2023 laws: obligations start in July 2025.

Oregon Consumer Privacy Act (OCPA)

Passed by the legislature in June 2023 and signed into law on July 18th 2023, the OCPA takes effect on 07/01/2024 for most businesses and on 07/01/2025 for non-profits.

  • Scope: Businesses that control or process the personal data of 100,000+ consumers in a calendar year (excluding data processed solely to complete a payment), or of 25,000+ consumers while deriving more than 25% of gross revenue from the sale of personal data. There is no revenue threshold.
  • Data Types: Personal data of Oregon residents, with a broad definition of sensitive data; HIPAA protected health information is exempt at the data level, but a covered entity's other personal data is not.
  • Consumer Rights: Access (including the right to obtain a list of the specific third parties to which the business has disclosed personal data), correction, deletion, portability, opt-out of sale, targeted advertising and profiling; consent is required for sensitive data.
  • Business Obligations: Data minimisation, transparency, reasonable security, data protection assessments, and recognition of universal opt-out signals from 01/01/2026.
  • Exemptions: State bodies, certain regulated financial institutions, and employment and B2B data; non-profits are covered from 07/01/2025.
  • Enforcement: Oregon Attorney General; 30-day cure period until 01/01/2026; civil penalties up to $7,500 per violation; no private right of action.

Differences:

  • One of the few state laws that applies to non-profits, after a one-year grace period.
  • Goes beyond California's CCPA/CPRA by letting consumers demand the names of the specific third parties that received their data, not just the categories.
  • Narrower entity-level exemptions than most states (the HIPAA carve-out is data-level only).

Texas Data Privacy and Security Act (TDPSA)

Signed into law on June 18th 2023, the TDPSA takes effect on 07/01/2024, with the duty to honour universal opt-out signals following on 01/01/2025.

  • Scope: Any person that conducts business in Texas or sells products or services consumed by Texas residents and processes or sells personal data, unless it is a "small business" as defined by the US Small Business Administration. There are no revenue or volume thresholds; small businesses are still barred from selling sensitive data without consent.
  • Data Types: Personal data of Texas residents acting in an individual context; HIPAA, GLBA and other federally regulated data are carved out.
  • Consumer Rights: Access, correction, deletion, portability, opt-out of sale, targeted advertising and profiling; consent is required for sensitive data.
  • Business Obligations: Transparency (a privacy notice, plus the verbatim statement "NOTICE: We may sell your sensitive personal data." or "NOTICE: We may sell your biometric personal data." where that is the case), data minimisation, reasonable security, data protection assessments, and processor contracts.
  • Exemptions: State agencies, GLBA financial institutions, HIPAA covered entities, non-profits, higher education institutions, electric utilities, and employment and B2B data.
  • Enforcement: Texas Attorney General (exclusive authority); 30-day cure period that does not sunset; civil penalties up to $7,500 per violation; no private right of action.

Differences:

  • Replaces revenue and volume thresholds with the SBA small-business test, so most companies doing business in Texas are covered regardless of size.
  • Mandates specific wording in privacy notices for businesses that sell sensitive or biometric data.
  • Recognises universal opt-out signals from 2025.

Iowa Consumer Data Protection Act (ICDPA)

Signed into law on March 28th 2023, the ICDPA takes effect on 01/01/2025.

  • Scope: Businesses that control or process the personal data of 100,000+ consumers in a calendar year, or of 25,000+ consumers while deriving more than 50% of gross revenue from the sale of personal data. There is no revenue threshold.
  • Data Types: Personal data of Iowa residents acting in an individual context; HIPAA, GLBA and other federally regulated data are carved out.
  • Consumer Rights: Access, deletion, portability and opt-out of sale. There is no right to correct data and no express right to opt out of targeted advertising (businesses must instead disclose how to opt out), and sensitive data is processed on a notice-and-opt-out basis rather than with consent.
  • Business Obligations: Transparency, reasonable security, and processor contracts; no data protection assessments and no duty to honour universal opt-out signals.
  • Exemptions: State bodies, GLBA financial institutions, HIPAA covered entities, non-profits, higher education institutions, and employment and B2B data.
  • Enforcement: Iowa Attorney General (exclusive authority); 90-day cure period that does not sunset; civil penalties up to $7,500 per violation; no private right of action.

Differences:

  • The most business-friendly of the 2023 laws: fewer consumer rights than Virginia's VCDPA or Delaware's DPDPA, opt-out rather than consent for sensitive data, and no assessment requirement.
  • Businesses get 90 days to respond to a consumer request (extendable by a further 45), the longest window of any state.
  • Longest cure period (90 days) of any state law.

Delaware Personal Data Privacy Act (DPDPA)

Signed into law on September 11th 2023, the DPDPA takes effect on 01/01/2025.

  • Scope: Businesses that control or process the personal data of 35,000+ consumers in a calendar year (excluding data processed solely to complete a payment), or of 10,000+ consumers while deriving more than 20% of gross revenue from the sale of personal data. There is no revenue threshold.
  • Data Types: Personal data of Delaware residents acting in an individual context; HIPAA protected health information and GLBA-regulated data are carved out at the data level.
  • Consumer Rights: Access (including a list of the categories of third parties that received the data), correction, deletion, portability, opt-out of sale, targeted advertising and profiling; consent is required for sensitive data.
  • Business Obligations: Data minimisation, transparency, reasonable security, data protection assessments, and recognition of universal opt-out signals from 01/01/2026.
  • Exemptions: State bodies, certain regulated entities, and employment and B2B data. Non-profits and higher education institutions are generally covered.
  • Enforcement: Delaware Department of Justice (the Attorney General); 60-day cure period until 12/31/2025; civil penalties under Delaware's consumer protection statutes; no private right of action.

Differences:

  • Modelled on Virginia's VCDPA and Connecticut's CTDPA, but with the lowest applicability thresholds of any state, so it reaches far smaller businesses.
  • Unlike Virginia, covers non-profits and higher education institutions.
  • Cure period sunsets at the end of 2025.

Existing US Data Privacy Laws

Starting with the CCPA in 2020, several US states have already passed and begun enforcing data privacy laws. 

California Consumer Privacy Act (CCPA) & California Privacy Rights Act (CPRA)

The CCPA was signed into law on June 28th 2018 and became effective on 01/01/2020. It was amended by the CPRA, a ballot initiative approved by voters in November 2020, which took effect on 01/01/2023 and created the California Privacy Protection Agency (CPPA). The CPPA's implementing regulations became enforceable on 03/29/2024.

  • Scope: For-profit businesses doing business in California that meet any one of three tests: annual gross revenue above $25 million (adjusted for inflation), buying, selling or sharing the personal information of 100,000+ California consumers or households a year (raised by the CPRA from 50,000), or deriving 50% or more of annual revenue from selling or sharing personal information.
  • Data Types: All personal information, including household-level data and a "sensitive personal information" category; the CPRA ended the exemptions for employee and B2B data on 01/01/2023. HIPAA and GLBA data are carved out.
  • Consumer Rights: Know/access, delete, correct, portability, opt-out of sale and of "sharing" for cross-context behavioural advertising, limit use of sensitive personal information, and non-discrimination. A private right of action exists only for data breaches caused by a failure to maintain reasonable security (statutory damages of $100 to $750 per consumer per incident).
  • Business Obligations: Data minimisation and purpose limitation, reasonable security, honouring opt-out preference signals such as Global Privacy Control, contracts with service providers and contractors, and risk assessments and cybersecurity audits under CPPA rulemaking. Breach notification is governed by California's separate breach statute, which requires notice "in the most expedient time possible and without unreasonable delay", not within 72 hours.
  • Exemptions: Non-profits and government bodies (they are not "businesses"), and data already regulated under HIPAA, GLBA, FCRA and similar laws.
  • Enforcement: California Privacy Protection Agency and the Attorney General; no cure period since the CPRA; administrative fines and civil penalties of up to $2,500 per violation, or $7,500 per intentional violation or violation involving consumers under 16.

Differences:

  • The only comprehensive state law with a dedicated privacy regulator and a (limited) private right of action.
  • Covers employee and B2B personal information, which every other state exempts.
  • Introduces the concept of "sharing" for cross-context behavioural advertising and requires honouring browser-level opt-out signals.

Virginia's Consumer Data Protection Act (VCDPA)

Signed into law on March 2nd 2021, the VCDPA became effective on 01/01/2023.

  • Scope: Businesses that control or process the personal data of 100,000+ consumers in a calendar year, or of 25,000+ consumers while deriving more than 50% of gross revenue from the sale of personal data. There is no revenue threshold.
  • Data Types: Personal data of Virginia residents acting in an individual context; HIPAA, GLBA and other federally regulated data are carved out.
  • Consumer Rights: Access, correction, deletion, portability, opt-out of sale, targeted advertising and profiling; consent is required for sensitive data.
  • Business Obligations: Data minimisation, purpose limitation, reasonable security, processor contracts, and data protection assessments for high-risk processing.
  • Exemptions: State bodies, non-profits, higher education institutions, GLBA financial institutions, HIPAA covered entities, and employment and B2B data.
  • Enforcement: Virginia Attorney General (exclusive authority); 30-day cure period that does not sunset; civil penalties up to $7,500 per violation; no private right of action.

Differences:

  • The template for most later state laws (Connecticut, Colorado, Iowa, Tennessee, Delaware and others borrow its structure).
  • No private right of action and no regulator-level rulemaking, unlike California.
  • No duty to honour universal opt-out signals.

Colorado Privacy Act (CPA)

Signed into law on July 7th 2021, the CPA became effective on 07/01/2023.

  • Scope: Businesses that control or process the personal data of 100,000+ consumers in a calendar year, or of 25,000+ consumers while selling personal data or receiving a discount on goods or services in exchange for it. There is no revenue threshold.
  • Data Types: Personal data of Colorado residents acting in an individual context; HIPAA protected health information and GLBA-regulated data are carved out.
  • Consumer Rights: Access, correction, deletion, portability, opt-out of sale, targeted advertising and profiling; consent is required for sensitive data.
  • Business Obligations: Data minimisation, purpose specification, transparency, reasonable security, data protection assessments, and recognition of universal opt-out mechanisms from 07/01/2024, all fleshed out in detailed rules issued by the Attorney General. Breach notification is governed by Colorado's separate breach statute, which requires notice within 30 days of determining that a breach occurred.
  • Exemptions: State bodies, GLBA financial institutions, HIPAA protected health information, and employment and B2B data. Non-profits are covered.
  • Enforcement: Colorado Attorney General and district attorneys; 60-day cure period until 01/01/2025; violations are deceptive trade practices under the Colorado Consumer Protection Act, with civil penalties up to $20,000 per violation; no private right of action.

Differences:

  • Applies to non-profits, which most other states exempt.
  • Backed by detailed implementing rules on consent, dark patterns, profiling and universal opt-out mechanisms.
  • Among the highest per-violation penalties of any state.

Utah Consumer Privacy Act (UCPA)

Signed into law on March 24th 2022, the UCPA became effective on 12/31/2023.

  • Scope: Businesses with annual revenue of $25 million or more that also control or process the personal data of 100,000+ consumers in a calendar year, or of 25,000+ consumers while deriving more than 50% of gross revenue from the sale of personal data. Both the revenue test and the volume test must be met.
  • Data Types: Personal data of Utah residents acting in an individual context; HIPAA, GLBA and other federally regulated data are carved out.
  • Consumer Rights: Access, deletion, portability, and opt-out of sale and targeted advertising. There is no right to correct data and no profiling opt-out; sensitive data is processed on a notice-and-opt-out basis rather than with consent.
  • Business Obligations: A privacy notice, reasonable security, and processor contracts; no data protection assessments and no duty to honour universal opt-out signals.
  • Exemptions: State bodies, non-profits, higher education institutions, GLBA financial institutions, HIPAA covered entities, and employment and B2B data.
  • Enforcement: The Utah Division of Consumer Protection investigates complaints and refers cases to the Attorney General, who enforces; 30-day cure period that does not sunset; actual damages plus civil penalties up to $7,500 per violation; no private right of action.

Differences:

  • Narrowest scope of the early laws: a business must meet both the revenue and the volume threshold.
  • No correction right and no consent requirement for sensitive data.
  • Two-stage enforcement through the Division of Consumer Protection and the Attorney General.

Connecticut Data Privacy Act (CTDPA)

Signed into law on May 10th 2022, the CTDPA became effective on 07/01/2023.

  • Scope: Businesses that control or process the personal data of 100,000+ consumers in a calendar year (excluding data processed solely to complete a payment), or of 25,000+ consumers while deriving more than 25% of gross revenue from the sale of personal data. There is no revenue threshold.
  • Data Types: Personal data of Connecticut residents acting in an individual context; HIPAA, GLBA and other federally regulated data are carved out. 2023 amendments added protections for consumer health data and for minors.
  • Consumer Rights: Access, correction, deletion, portability, opt-out of sale, targeted advertising and profiling; consent is required for sensitive data.
  • Business Obligations: Data minimisation, transparency, reasonable security, data protection assessments, processor contracts, and recognition of universal opt-out signals from 01/01/2025.
  • Exemptions: State bodies, non-profits, higher education institutions, GLBA financial institutions, HIPAA covered entities, and employment and B2B data.
  • Enforcement: Connecticut Attorney General (exclusive authority); 60-day cure period until 12/31/2024; violations are unfair trade practices under the Connecticut Unfair Trade Practices Act, with civil penalties up to $5,000 per wilful violation; no private right of action.

Differences:

  • The model most of the 2023 laws (Montana, Oregon, Delaware) copied, including the payment-only carve-out and the 25% revenue test.
  • Requires businesses to honour universal opt-out signals from 2025.
  • Enforced under the state's general unfair trade practices act rather than a bespoke penalty schedule.

European Data Privacy Regulations

While GDPR remains the primary data protection law that governs Europe, the EU has passed several notable laws since 2018 including the Digital Services Act and the Digital Markets Act.

The Digital Services Act (DSA)

The Digital Services Act (DSA), adopted by the European Union and in force since November 2022, applied to very large online platforms and search engines from late August 2023 and to all other covered services from 17 February 2024. It targets digital intermediaries, notably online marketplaces, social media platforms and search engines, aiming to curb the spread of illegal content and protect users' rights online. The DSA is built on the principle that "what is illegal offline must be illegal online."

The law applies to tiered categories of digital services: intermediary services such as ISPs, hosting services such as cloud providers, online platforms, and very large online platforms and search engines (those with more than 45 million monthly EU users). Obligations accumulate up the tiers, starting with transparency reporting, terms of service that respect fundamental rights, and cooperation with national authorities.

Hosting services must run a notice-and-action mechanism for illegal content, and online platforms must add complaint and redress mechanisms and act against abusive notices. Online platforms are also prohibited from targeting advertisements at minors or based on special categories of personal data, and from using dark patterns in their interfaces. Very large platforms face additional duties: annual systemic risk assessments, independent audits, data access for vetted researchers and recommender-system transparency.

Significantly, non-compliance with the DSA can lead to fines of up to 6% of annual global turnover, underscoring the importance of adherence for businesses operating in or targeting consumers in the EU.

The Digital Markets Act (DMA)

The Digital Markets Act (DMA), in force since November 2022 and applicable from May 2023, focuses on the largest digital platforms, designated as "gatekeepers." The European Commission designated the first six gatekeepers (Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft) in September 2023, and their obligations for the designated core platform services became binding in March 2024. The DMA aims to ensure fair competition in digital markets by preventing gatekeepers from abusing their market power to disadvantage competitors.

Gatekeepers are defined by their strong economic position, significant impact on the EU internal market, and operation of a core platform service in multiple member states. The DMA imposes several obligations on them, such as prohibiting self-preferencing, requiring consent before combining or reusing personal data across services or tracking users for targeted advertising, and facilitating interoperability with third-party technologies.

Violations of the DMA can result in fines of up to 10% of global annual turnover, rising to 20% for repeated violations. Systematic non-compliance can also lead to non-financial remedies, such as forced divestitures.

The EU-U.S. Data Privacy Framework

The EU-U.S. Data Privacy Framework, adopted by the European Commission's adequacy decision of 10 July 2023, is the response to the Schrems II ruling that invalidated the Privacy Shield agreement. It restores a lawful basis for transferring personal data from the EU to participating U.S. organisations and addresses the Court of Justice's concerns about U.S. government access to EU citizens' data. 

Participating organisations self-certify with the U.S. Department of Commerce and commit to the framework principles, which include purpose limitation, data minimisation, limited retention, reasonable security, onward-transfer contracts and independent dispute resolution. EU individuals gain a new redress mechanism for complaints about U.S. intelligence access, with a two-tier process ending at a dedicated Data Protection Review Court. 

Underpinning this, Executive Order 14086 limits U.S. signals intelligence collection to what is necessary and proportionate to defined national security objectives and adds oversight and transparency. Like its predecessors, the framework has already been challenged before the EU courts, so organisations relying on it should keep Standard Contractual Clauses in reserve as a fallback transfer mechanism.

The EU Artificial Intelligence Act

The EU Artificial Intelligence Act (EU AI Act), politically agreed in December 2023 and formally adopted in 2024, complements rather than replaces data protection law: the GDPR continues to govern the personal data used to train and run AI systems. The Act takes a risk-based approach. It bans a small set of unacceptable practices (such as social scoring and most real-time remote biometric identification in public spaces by law enforcement), imposes strict obligations on high-risk systems such as those used in employment decisions, credit scoring, education and critical infrastructure, and sets transparency duties for systems such as chatbots and deepfake generators.

Providers of high-risk systems must implement risk management, data governance, technical documentation, logging, human oversight, and accuracy and robustness requirements, and deployers must use the systems as intended and keep logs. General-purpose AI models carry their own documentation duties and, for the most capable models, systemic-risk obligations. The Act sets out responsibilities across the supply chain, and its transparency requirements help users understand when they are interacting with an AI system and how high-risk decisions are reached.

While some concerns exist about the complexity of implementing these requirements and the compliance burden on smaller providers, the EU AI Act is poised to influence global standards for AI governance in the way the GDPR did for data protection. Its obligations phase in over several years, so organisations building or deploying AI in the EU should start by classifying their systems against its risk tiers.

Compliance Strategies

Compliance is not just a legal requirement but also a crucial component of trust and reputation management. Here’s a breakdown of a few ways businesses can manage their compliance with data privacy laws:

Go Beyond Legal Minimums

Forget the bare minimum. Integrate privacy-by-design principles throughout your company culture, not just as technical specs. Offer users control by default, letting them choose how their data is shared and collected. Go the extra mile in specific areas – exceeding compliance requirements becomes a badge of honour, showcasing your commitment to data protection.

Focus on User Empowerment

Make it easy for users to access, delete and move their data. Give them granular control over its use, beyond basic opt-in/out options. Explain your data practices and AI decisions clearly and easily. Empower them and they'll empower you with their trust.

Transparency as a Marketing Tool

Don't hide your data practices. Publish reports detailing how you handle and secure user data. Highlight your privacy certifications and achievements. Be open about data incidents (while respecting privacy) and your efforts to fix them. Transparency builds trust, trust builds reputation.

Foster a Culture of Privacy

Train your employees thoroughly on data protection and user privacy. Make ethical data practices part of performance evaluations and reward systems. Encourage open discussions about data ethics and responsible innovation. A privacy-conscious company culture is a strong foundation for compliance and trust.

Innovation Through Collaboration

Partner with privacy-focused tech vendors and consultants. Work with industry and regulators to shape responsible data governance. Collaborate with NGOs and consumer groups on privacy initiatives. Together, we can build a better future for data privacy.

Proactive Use of Privacy Enhancing Technologies (PETs)

Where possible, anonymise or pseudonymise data, and keep the pseudonymisation key separate from the data: under the GDPR, pseudonymised data is still personal data, whereas properly anonymised data falls outside it. Use federated learning and differential privacy to extract insight from sensitive data without centralising or exposing individual records. Treat blockchain with caution: an immutable ledger cannot honour deletion or correction requests, so keep personal data off-chain and store only references or commitments on it. Embrace innovation to protect privacy and unlock its potential.

Businesses can establish effective compliance strategies by focusing on these key areas, which not only adhere to legal requirements but also build trust.

Conclusion

The emergence of new laws and the evolution of existing ones, such as the GDPR, CCPA/CPRA and LGPD, signify a global shift towards a more privacy-conscious world. Businesses must adapt to these changes to remain compliant and avoid fines, loss of reputation and loss of consumer trust.

Compliance with data privacy laws is more than a legal obligation; it's a commitment to ethical business practices and respect for the privacy rights of individuals. 

In 2024, data breaches and privacy concerns are increasingly common and a proactive approach to data privacy can be a significant differentiator and a testament to your organisation's values.

Zendata's innovative solutions offer a seamless integration of data security and privacy compliance across your entire data lifecycle. 

From real-time privacy assessments with our Website Scanner to the Privacy Mapper for identifying and protecting PII, Zendata is equipped to handle the complexities of data privacy for businesses of all sizes.

Start your journey towards robust data protection and compliance today with Zendata. Embrace a future where data security and privacy are not just obligations but integral parts of your successful business strategy.

Our Newsletter

Get Our Resources Delivered Straight To Your Inbox

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
We respect your privacy. Learn more here.

Related Blogs

Privacy Impact Assessments: What They Are and Why You Need Them
  • Data Privacy & Compliance
  • April 18, 2024
Learn About Privacy Impact Assessments (PIAs) And Why You Need Them
PII, PI and Sensitive Data: Types, Differences and Privacy Risks
  • Data Privacy & Compliance
  • April 18, 2024
Learn About The Different Types Of PII And Their Risks
How to Conduct Data Privacy Compliance Audits: A Step by Step Guide
  • Data Privacy & Compliance
  • April 16, 2024
A Step By Step Guide to Conducting Data Privacy Compliance Audits
More Blogs

Contact Us For More Information

If you’d like to understand more about Zendata’s solutions and how we can help you, please reach out to the team today.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.





Contact Us For More Information

If you’d like to understand more about Zendata’s solutions and how we can help you, please reach out to the team today.

Data Privacy Laws 2024: A Short Guide

February 1, 2024

In 2024, staying informed about new data privacy laws is crucial in a rapidly evolving digital world. This guide focuses on recent legislation impacting data handling globally, moving beyond established laws like the GDPR. 

Almost every country in the world is discussing data privacy and although the laws are similar, navigating the differences at a global level will remain a challenge for all businesses.

5 Reasons Data Privacy Laws Matter Beyond Compliance

While compliance is essential, data privacy laws offer far more than just legal protection. Here are 5 reasons why you should care about data privacy and why these laws could benefit your business in the long term.

  • Protecting Your Digital Identity: In a time where anyone can be mimicked by AI-powered deepfakes and picked up by facial recognition, strong data privacy laws safeguard your digital identity. Imagine your face, voice and mannerisms used to create hyper-realistic propaganda or commit online fraud. Data privacy laws limit unauthorised access to this sensitive information, giving you control over how your digital self is represented in the world.
  • Preventing Algorithmic Bias: These laws can combat discriminatory algorithms that unfairly impact individuals based on race, gender, or other factors. By promoting data transparency and accountability, they can shine a light on biased algorithms and force companies to develop fairer data practices. This can lead to greater equality and opportunity in areas like loan approvals, job offers and criminal justice.
  • Empowering Data Ownership: Data privacy laws are paving the way for data ownership rights, where individuals control how their personal information is collected, used and sold. Imagine opting to rent your anonymised search history to researchers for a fee, or choosing to monetise your social media data while maintaining privacy. This shift from data as a corporate asset to individual property can usher in a new era of personal data control and economic empowerment.
  • Fostering Responsible AI Development: Stringent data privacy regulations encourage ethical and responsible AI development. By restricting access to sensitive personal data, they force companies to build AI systems that rely on less invasive data while focusing on human accountability and oversight. This can lead to more trustworthy and transparent AI applications that benefit society without compromising individual privacy.
  • Creating a Level Playing Field: Data privacy laws are creating a level playing field for businesses, promoting competition based on innovation and value rather than access to vast amounts of user data. This fosters a more diverse and resilient digital ecosystem, encouraging smaller companies and new ideas to flourish without being suffocated by data-hungry giants.

New US State Data Privacy Laws for 2024

Throughout 2023, more laws passed through various state legislatures and many of these data privacy regulations will become enforceable in 2024. The majority of these regulations broadly align and mirror aspects of GDPR and CCPA but there are a few significant differences in certain states.. 

Montana Consumer Data Privacy Act (MTCDPA)

Signed into law on May 19th 2023, the MTCDPA became effective on 10/1/2024.

  • Scope: Businesses exceeding $1 million in gross revenue and processing data of 100,000+ residents.
  • Data Types: All personal information, excluding protected health information.
  • Consumer Rights: Access, deletion, correction, opt-out of sale and targeted advertising.
  • Business Obligations: Data minimisation, security measures, data breach notification (72 hours).
  • Exemptions: Non-profits, B2B data, health data.
  • Enforcement: Montana Attorney General, civil penalties up to $10,000 per violation.

Differences:

  • Shares similarities with Colorado's CPA, covering smaller businesses and offering similar consumer rights.
  • Requires 72-hour data breach notification.

Tennessee Information Protection Act (TIPA)

Signed into law May 11th 2023, the TIPA becomes effective on 07/01/2025.

  • Scope: Businesses with gross revenue exceeding $25 million and processing data of 40,000+ residents or controlling sensitive data of 10,000+ residents.
  • Data Types: All personal information, excluding protected health information.
  • Consumer Rights: Access, deletion, correction, opt-out of sale and targeted advertising.
  • Business Obligations: Data minimisation, transparency, security measures, data breach notification.
  • Exemptions: Financial institutions, non-profits, B2B data (partially), health data.
  • Enforcement: Tennessee Department of Commerce & Industry, civil penalties up to $10,000 per violation.

Differences:

  • Similar to Virginia's VCDPA and Iowa's ICDPA in scope, consumer rights, and exemptions.
  • Enforced by the Department of Commerce & Industry, not the Attorney General.
  • Lower civil penalty maximum compared to some other states.

Oregon Consumer Privacy Act (OCPA)

Signed into law on June 22nd 2023, the OCPA became effective on 07/01/2024.

  • Scope: Businesses with gross revenue exceeding $25 million or processing data of 40,000+ residents (phased implementation, effective July 1, 2024 for large businesses, July 1, 2025 for non-profits).
  • Data Types: All personal information, excluding protected health information.
  • Consumer Rights: Access, deletion, correction, portability, opt-out of sale and targeted advertising.
  • Business Obligations: Data minimisation, transparency, security measures, data breach notification (72 hours).
  • Exemptions: Non-profits (until July 1, 2025), B2B data, health data.
  • Enforcement: Oregon Attorney General, civil penalties up to $10,000 per violation.

Differences:

  • Similar to California's CCPA/CPRA in scope, consumer rights, and obligations, including 72-hour data breach notification.
  • Phased implementation with temporary exemption for non-profits.

Texas Data Privacy and Security Act (TDPSA)

Signed into law on June 18th 2023, the TDPSA became effective on 07/01/2024.

  • Scope: All businesses in Texas.
  • Data Types: All personal information, excluding protected health information.
  • Consumer Rights: Right to explanation for automated decisions, limitations on data sharing.
  • Business Obligations: Transparency, reasonable security measures, data breach notification.
  • Exemptions: None explicitly stated.
  • Enforcement: Texas Attorney General, civil penalties up to $250,000 per violation.

Differences:

  • Unique approach focusing on transparency and control over data rather than offering explicit consumer rights for access, deletion, or opt-out.
  • Applies to all businesses regardless of size or revenue.
  • Highest civil penalty maximum among states with enacted laws.

Iowa Consumer Data Protection Act (ICDPA)

Signed into law on March 29th 2023, the ICDPA becomes effective on 01/01/2025.

  • Scope: Businesses with gross revenue exceeding $25 million and processing data of 40,000+ residents or controlling sensitive data of 10,000+ residents.
  • Data Types: All personal information, excluding protected health information.
  • Consumer Rights: Access, deletion, correction, opt-out of sale and targeted advertising, data portability.
  • Business Obligations: Data minimisation, transparency, security measures, data breach notification.
  • Exemptions: Financial institutions, non-profits, B2B data (partially), health data.
  • Enforcement: Iowa Attorney General, civil penalties up to $20,000 per violation.

Differences:

  • Similar to Delaware's DPDPA and Virginia's VCDPA in scope, consumer rights, and exemptions.
  • Higher civil penalty maximum compared to Delaware.

Delaware Personal Data Privacy Act (DPDPA)

Signed into law on September 11th 2023, the DPDPA becomes effective on 01/01/2025.

  • Scope: Businesses that control or process personal data of 35,000+ Delaware consumers, or of 10,000+ consumers while deriving over 20% of gross revenue from selling personal data. There is no revenue threshold.
  • Data Types: All personal information, excluding de-identified data and data covered by sector laws such as HIPAA and GLBA.
  • Consumer Rights: Access, deletion, correction, data portability, opt-out of sale, targeted advertising and profiling.
  • Business Obligations: Data minimisation, transparency, reasonable security measures, opt-in consent for sensitive data, data protection assessments for high-risk processing, and recognition of universal opt-out signals from 01/01/2026; breach notification falls under Delaware's separate breach statute.
  • Exemptions: State agencies, GLBA financial institutions, HIPAA protected health information, higher education; most non-profits are covered, which is unusual among state laws.
  • Enforcement: Delaware Department of Justice, civil penalties up to $10,000 per violation, with a 60-day cure period that sunsets on 12/31/2025.

Differences:

  • Lowest applicability thresholds of the Virginia-style state laws, pulling in smaller businesses.
  • Applies to most non-profit organisations, which the other state laws exempt.
  • Otherwise closely modelled on Virginia's VCDPA and Connecticut's CTDPA in structure, consumer rights and obligations.

Existing US Data Privacy Laws

Starting with the CCPA in 2020, several US states have already passed and begun enforcing data privacy laws. 

California Consumer Privacy Act (CCPA) & California Privacy Rights Act (CPRA)

The CCPA was signed into law on June 28th 2018 and became effective on 01/01/2020. The CPRA, approved by California voters in November 2020, amended and expanded it with effect from 01/01/2023 and created a dedicated regulator, the California Privacy Protection Agency (CPPA); a court ruling delayed enforcement of the CPRA regulations to 03/29/2024.

  • Scope: For-profit businesses that meet any one of: gross revenue exceeding $25 million; buying, selling or sharing the personal information of 100,000+ consumers or households (raised from 50,000 by the CPRA); or deriving 50% or more of revenue from selling or sharing personal information.
  • Data Types: All personal information, with a CPRA-defined category of "sensitive personal information" whose use consumers can limit.
  • Consumer Rights: Access (right to know), deletion, correction, portability, opt-out of sale and of sharing for cross-context behavioural advertising, limiting the use of sensitive personal information, non-discrimination, and a private right of action for data breaches caused by a failure to maintain reasonable security.
  • Business Obligations: Data minimisation and purpose limitation, reasonable security measures, privacy notices, contracts with service providers and contractors; breach notification falls under California's separate breach statute (the CCPA itself sets no 72-hour window).
  • Exemptions: Non-profits, HIPAA- and GLBA-covered data; the temporary exemptions for employee and B2B data expired on 01/01/2023.
  • Enforcement: California Privacy Protection Agency and the Attorney General; administrative and civil penalties up to $2,500 per violation and $7,500 per intentional violation or violation involving minors.

Differences:

  • Broader scope than most other states: the revenue threshold alone is enough to be covered, and employee and B2B data are in scope.
  • The only state law with a private right of action, limited to data breaches, with statutory damages of $100 to $750 per consumer per incident.
  • A dedicated enforcement agency, the CPPA, alongside the Attorney General.

Virginia's Consumer Data Protection Act (VCDPA)

Signed into law on March 2nd 2021, the VCDPA became effective on 01/01/2023.

  • Scope: Businesses that control or process personal data of 100,000+ Virginia consumers, or of 25,000+ consumers while deriving over 50% of gross revenue from selling personal data. There is no revenue threshold.
  • Data Types: All personal information, excluding de-identified data and data covered by sector laws such as HIPAA and GLBA.
  • Consumer Rights: Access, deletion, correction, data portability, opt-out of sale, targeted advertising and profiling.
  • Business Obligations: Data minimisation, purpose limitation, reasonable security measures, opt-in consent for sensitive data, data protection assessments for high-risk processing; breach notification falls under Virginia's separate breach statute.
  • Exemptions: State agencies, GLBA financial institutions, HIPAA covered entities, non-profits, higher education, employee and B2B data.
  • Enforcement: Virginia Attorney General, civil penalties up to $7,500 per violation, with a 30-day cure period.

Differences:

  • The template for most later state laws: Connecticut, Iowa, Delaware and others follow its structure.
  • Covers consumers only; employee and B2B data are excluded, unlike California.
  • No private right of action.

Colorado Privacy Act

Signed into law on July 7th 2021, the CPA became effective on 07/01/2023.

  • Scope: Businesses that control or process personal data of 100,000+ Colorado consumers, or of 25,000+ consumers while deriving any revenue or discount from selling personal data. There is no revenue threshold.
  • Data Types: All personal information, excluding de-identified data and data covered by sector laws such as HIPAA and GLBA.
  • Consumer Rights: Access, deletion, correction, data portability, opt-out of sale, targeted advertising and profiling.
  • Business Obligations: Data minimisation, purpose limitation, transparency, reasonable security measures, opt-in consent for sensitive data, data protection assessments, and recognition of universal opt-out signals from 07/01/2024; breach notification (30 days) falls under Colorado's separate breach statute.
  • Exemptions: State agencies, GLBA financial institutions, HIPAA protected health information, higher education, employee and B2B data. Non-profits are not exempt.
  • Enforcement: Colorado Attorney General and district attorneys; a violation is a deceptive trade practice under the Colorado Consumer Protection Act, with civil penalties up to $20,000 per violation and a 60-day cure period that sunsets on 01/01/2025.

Differences:

  • Applies to non-profits, which most other states exempt.
  • The 25,000-consumer threshold is triggered by any revenue or discount from data sales, not a percentage of revenue.
  • One of the highest civil penalty maximums among the state laws, at $20,000 per violation.
  • Detailed implementing rules from the Attorney General, including the universal opt-out signal requirement.

Utah Consumer Privacy Act (UCPA)

Signed into law on March 24th 2022, the UCPA became effective on 12/31/2023.

  • Scope: Businesses with annual revenue of $25 million or more that also either control or process personal data of 100,000+ Utah consumers, or control or process data of 25,000+ consumers while deriving over 50% of gross revenue from selling personal data.
  • Data Types: All personal information, excluding de-identified data and data covered by sector laws such as HIPAA and GLBA.
  • Consumer Rights: Access, deletion, data portability, opt-out of sale and targeted advertising. There is no right to correct and no opt-out of profiling.
  • Business Obligations: Transparency (privacy notice), reasonable security measures, notice and an opportunity to opt out before processing sensitive data; breach notification falls under Utah's separate breach statute.
  • Exemptions: State agencies, GLBA financial institutions, HIPAA covered entities, non-profits, higher education, employee and B2B data.
  • Enforcement: The Utah Division of Consumer Protection investigates complaints and refers cases to the Attorney General, who may seek civil penalties up to $7,500 per violation after a 30-day cure period.

Differences:

  • Narrowest scope of the state laws covered here, because both the revenue threshold and a data-volume threshold must be met.
  • The most business-friendly of the group: no right to correct, no data protection assessments, and sensitive data is opt-out rather than opt-in.
  • Two-step enforcement through the Division of Consumer Protection and then the Attorney General.

Connecticut Data Privacy Law (CTDPA)

Signed into law on May 10th 2022, the CTDPA became effective on 07/01/2023.

  • Scope: Businesses that control or process personal data of 100,000+ Connecticut consumers (excluding data processed solely to complete payment transactions), or of 25,000+ consumers while deriving over 25% of gross revenue from selling personal data. There is no revenue threshold.
  • Data Types: All personal information, excluding de-identified data and data covered by sector laws such as HIPAA and GLBA.
  • Consumer Rights: Access, deletion, correction, data portability, opt-out of sale, targeted advertising and profiling.
  • Business Obligations: Data minimisation, transparency, reasonable security measures, opt-in consent for sensitive data, data protection assessments, and recognition of universal opt-out signals from 01/01/2025; breach notification falls under Connecticut's separate breach statute.
  • Exemptions: State agencies, GLBA financial institutions, HIPAA covered entities, non-profits, higher education, employee and B2B data.
  • Enforcement: Connecticut Attorney General; a violation is an unfair trade practice under CUTPA, with civil penalties up to $5,000 per wilful violation and a 60-day cure period available until 12/31/2024.

Differences:

  • Excludes payment-only data from the 100,000-consumer count and uses a 25% revenue-from-sale test at the lower threshold.
  • Requires honouring universal opt-out signals, as Colorado and California do.
  • Amended in 2023 to add protections for consumer health data and for minors.

European Data Privacy Regulations

While GDPR remains the primary data protection law that governs Europe, the EU has passed several notable laws since 2018 including the Digital Services Act and the Digital Markets Act.

The Digital Services Act (DSA)

The Digital Services Act (DSA) entered into force on 16 November 2022, applied to very large online platforms and search engines from August 2023 and to all covered services from 17 February 2024. It represents a significant shift in digital regulation, targeting online marketplaces, social media platforms and other intermediaries to address the spread of illegal content and protect users' rights online. The DSA is built on the principle that "what is illegal offline must be illegal online."

The law applies to various categories of digital services, including intermediary services like ISPs, hosting services like cloud providers, and very large online platforms. Each category faces specific requirements, such as engaging in transparency reporting, updating terms of service to reflect fundamental rights, and cooperating with national authorities.

Obligations stack by category. Hosting services must run a notice-and-action mechanism for illegal content. Online platforms must add internal complaint handling, out-of-court dispute settlement and measures against abusive notices, and may not present advertising targeted at minors or based on profiling that uses special categories of personal data. Very large online platforms and search engines must also assess and mitigate systemic risks, undergo independent audits and give vetted researchers access to data.

Significantly, non-compliance with the DSA can lead to fines of up to 6% of the annual global turnover, underscoring the importance of adherence to these regulations for businesses operating in or targeting consumers in the EU.

The Digital Markets Act (DMA)

The Digital Markets Act (DMA) entered into force in November 2022 and focuses on the largest digital platforms, known as "gatekeepers." The six gatekeepers designated in September 2023 (Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft) had to comply with its obligations from 7 March 2024. The DMA aims to ensure fair competition in the digital market, preventing gatekeepers from abusing their market power to disadvantage competitors.

Gatekeepers are defined by their strong economic position, significant impact on the EU market, and activities in multiple EU member states. The DMA imposes several obligations on these gatekeepers, such as prohibiting self-preferencing practices, ensuring consent for data reuse and tracking for targeted advertising, and facilitating interoperability with third-party technologies.

Violations of the DMA can result in fines up to 10% of the global annual turnover, and in cases of repeated violations, this could escalate to 20%. Moreover, repeated non-compliance may lead to severe non-financial penalties, like forced divestitures.

The EU-U.S. Data Privacy Framework

The EU-U.S. Data Privacy Framework, adopted as an adequacy decision on 10 July 2023, is the response to the Schrems II ruling that invalidated the Privacy Shield agreement. It is designed to give transatlantic data transfers a lawful basis again and to address EU citizens' data protection concerns.

Participating U.S. organisations must self-certify to a set of principles covering purpose limitation, data minimisation, retention limited to what is necessary, reasonable and appropriate security, and accountability for onward transfers. The framework gives EU citizens new redress mechanisms, including independent dispute resolution and a dedicated Data Protection Review Court for complaints about U.S. intelligence access.

On the U.S. side, Executive Order 14086 limits signals intelligence collection to what is necessary and proportionate to defined national security objectives and adds oversight and transparency requirements, which is what the adequacy decision rests on.

The EU Artificial Intelligence Act

The EU Artificial Intelligence Act (EU AI Act), politically agreed in December 2023, builds on existing data protection law such as the GDPR with a risk-based framework. It bans a small set of practices outright (for example social scoring, and real-time remote biometric identification in public spaces outside narrow exceptions) and imposes its main obligations on high-risk AI systems, such as those used in biometric identification, employment decisions or credit scoring, which raise significant privacy and ethical concerns.

By requiring developers to ensure transparency in algorithms and decision-making processes, the Act empowers users to understand how AI systems reach conclusions and helps mitigate risks associated with opaque AI. Additionally, it establishes clear responsibilities for those developing and deploying high-risk AI, including prohibiting manipulative behavior and discriminatory profiling.

While some concerns exist about the complexity of implementing transparency requirements or potential compliance burdens, the EU AI Act is poised to significantly influence global standards in ethical AI development. Its focus on data privacy and user control aligns with broader trends towards responsible innovation and building trust in AI technologies. As other regions consider similar regulations, the EU AI Act serves as a crucial step towards a future where AI benefits society without compromising individual rights and privacy.

Compliance Strategies

Compliance is not just a legal requirement but also a crucial component of trust and reputation management. Here’s a breakdown of a few ways businesses can manage their compliance with data privacy laws:

Go Beyond Legal Minimums

Forget the bare minimum. Integrate privacy-by-design principles throughout your company culture, not just as technical specs. Offer users control by default, letting them choose how their data is shared and collected. Go the extra mile in specific areas – exceeding compliance requirements becomes a badge of honour, showcasing your commitment to data protection.

Focus on User Empowerment

Make it easy for users to access, delete and move their data. Give them granular control over its use, beyond basic opt-in/out options. Explain your data practices and AI decisions clearly and easily. Empower them and they'll empower you with their trust.

Transparency as a Marketing Tool

Don't hide your data practices. Publish reports detailing how you handle and secure user data. Highlight your privacy certifications and achievements. Be open about data incidents (while respecting privacy) and your efforts to fix them. Transparency builds trust, trust builds reputation.

Foster a Culture of Privacy

Train your employees thoroughly on data protection and user privacy. Make ethical data practices part of performance evaluations and reward systems. Encourage open discussions about data ethics and responsible innovation. A privacy-conscious company culture is a strong foundation for compliance and trust.

Innovation Through Collaboration

Partner with privacy-focused tech vendors and consultants. Work with industry and regulators to shape responsible data governance. Collaborate with NGOs and consumer groups on privacy initiatives. Together, we can build a better future for data privacy.

Proactive Use of Privacy Enhancing Technologies (PETs)

When possible, anonymise or pseudonymise data, remembering that pseudonymised data is still personal data under the GDPR as long as the re-identification key exists, and that an unkeyed hash of a guessable identifier such as an email address is not pseudonymisation in any meaningful sense. Use federated learning and differential privacy to extract insights from sensitive datasets without exposing individual records. Treat blockchain-based data sharing with care: an immutable ledger cannot honour a deletion request, so keep personal data off-chain. Embrace innovation to protect privacy and unlock its potential.
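As an added illustration of the pseudonymisation point (example code written for this guide, not code from the original page or from Zendata), the following Python contrasts an unkeyed hash with a keyed HMAC pseudonym. The records, the attacker's candidate list and the function names are constructed for the demonstration; the key would in practice live in a KMS or HSM, never next to the dataset.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample records: fictitious customers, not real people.
RECORDS = [
    {"email": "alice@example.com", "purchases": 3},
    {"email": "bob@example.com", "purchases": 1},
    {"email": "Alice@Example.com", "purchases": 2},  # same person, different case
]

# Constructed candidate list an attacker might hold (a leaked mailing list,
# or simply every address harvested from a public directory).
CANDIDATES = ["alice@example.com", "bob@example.com", "carol@example.com"]


def normalise(value: str) -> str:
    """Canonicalise the identifier so one person gets exactly one pseudonym."""
    return value.strip().lower()


def naive_pseudonym(value: str) -> str:
    """Unkeyed SHA-256. Deterministic and keyless, so it only hides values an
    attacker cannot enumerate; e-mail addresses are easy to enumerate."""
    return hashlib.sha256(normalise(value).encode()).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held outside the analytics dataset.
    Without the key, a pseudonym cannot be recomputed from a candidate."""
    return hmac.new(key, normalise(value).encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Replace the direct identifier with a keyed pseudonym; keep the attributes."""
    return [
        {"id": keyed_pseudonym(r["email"], key), "purchases": r["purchases"]}
        for r in records
    ]


def purchases_per_user(pseudonymised):
    """Analytics still works on pseudonyms: group and aggregate by id."""
    totals = defaultdict(int)
    for r in pseudonymised:
        totals[r["id"]] += r["purchases"]
    return dict(totals)


def dictionary_attack(pseudonyms, candidates, guess):
    """Re-identify by computing guess(candidate) for every candidate and
    looking for matches; returns {pseudonym: identifier} for the hits."""
    table = {guess(c): c for c in candidates}
    return {p: table[p] for p in pseudonyms if p in table}


def demo():
    key = secrets.token_bytes(32)  # in practice: fetched from a KMS/HSM
    data = pseudonymise(RECORDS, key)

    # Unkeyed hashes fall to a dictionary attack with the candidate list alone.
    naive_ids = [naive_pseudonym(r["email"]) for r in RECORDS]
    reversed_naive = dictionary_attack(naive_ids, CANDIDATES, naive_pseudonym)

    # The attacker has the candidate list but not the key, so the best they can
    # do is the unkeyed guess, which never matches a keyed pseudonym.
    reversed_keyed = dictionary_attack(
        [r["id"] for r in data], CANDIDATES, naive_pseudonym
    )

    # Rotating (or destroying) the key makes old and new pseudonyms unlinkable,
    # which is also how key destruction ("crypto-shredding") implements
    # deletion across a large dataset.
    rotated = pseudonymise(RECORDS, secrets.token_bytes(32))

    return {
        "alice_total": purchases_per_user(data)[
            keyed_pseudonym("alice@example.com", key)
        ],
        "naive_reidentified": len(reversed_naive),
        "keyed_reidentified": len(reversed_keyed),
        "linkable_after_rotation": any(
            a["id"] == b["id"] for a, b in zip(data, rotated)
        ),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows both Alice records collapsing to one pseudonym (so the aggregate of 5 purchases is still computable), both naive hashes being reversed from the candidate list, none of the keyed pseudonyms being reversed, and no linkage surviving a key rotation. Under the GDPR the keyed dataset remains personal data while the key exists; it only stops being personal data once the key is destroyed and no other route to re-identification remains.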

Businesses can establish effective compliance strategies by focusing on these key areas, which not only adhere to legal requirements but also build trust.

Conclusion

The emergence of new laws and the evolution of existing ones, such as the GDPR, CCPA/CPRA and LGPD signifies a global shift towards a more privacy-conscious world. Businesses must adapt to these changes to remain compliant and avoid fines, loss of reputation and loss of consumer trust.

Compliance with data privacy laws is more than a legal obligation; it's a commitment to ethical business practices and respect for the privacy rights of individuals. 

In 2024, data breaches and privacy concerns are increasingly common and a proactive approach to data privacy can be a significant differentiator and a testament to your organisation's values.

Zendata's innovative solutions offer a seamless integration of data security and privacy compliance across your entire data lifecycle. 

From real-time privacy assessments with our Website Scanner to the Privacy Mapper for identifying and protecting PII, Zendata is equipped to handle the complexities of data privacy for businesses of all sizes.

Start your journey towards robust data protection and compliance today with Zendata. Embrace a future where data security and privacy are not just obligations but integral parts of your successful business strategy.