Compliance regulations are constantly changing, and 2023 is no exception. In fact, this year will see more changes than most as five new state-level laws go into effect. Like other state privacy laws after the rollout of the General Data Protection Regulation (GDPR), these laws have extraterritorial reach. This means the laws apply to businesses outside of these states whenever they conduct business with residents inside the states that have implemented these laws.
Your business will need to comply with these regulations, and with similar bills under consideration across the country, more laws are likely coming in the near future. The best way to ensure compliance with state data privacy laws is to ensure your company has the flexibility to navigate an ever-changing regulatory environment.
Here’s what you need to know about the state privacy laws going into effect in 2023, and how to set your business up for success.
Data privacy laws by state for 2023
Five state data privacy laws will go into effect in 2023:
- California Privacy Rights Act (CPRA) (Effective Jan. 1)
- Virginia Consumer Data Protection Act (VCDPA) (Effective Jan. 1)
- Colorado Privacy Act (CPA) (Effective July 1)
- Connecticut Data Privacy Act (CTDPA) (Effective July 1)
- Utah Consumer Privacy Act (UCPA) (Effective Dec. 31)
Each of these new laws is written as a “rights-based” privacy law, meaning that all individuals covered by the regulations are granted rights related to content and protection of their data.
General similarities between each of the laws include rules related to third-party data processing, cybersecurity requirements, and regular data risk assessments. Further, three of the laws require compliance with Global Privacy Control signals (CPRA, CPA and CTDPA). You can review more specifics of each of the new laws in this quick reference guide, which lists each of the data privacy laws by state.
In all cases, these laws are comprehensive and require organizations that collect, store and use consumer information to adhere to strict privacy and security guidelines. Additionally, there are penalties for noncompliance, further underscoring the importance of following the directives laid out in these regulations. While some leniency may be expected initially, an increasing trend towards more stringent regulation means the only way forward for businesses is by meeting compliance obligations.
How to comply with state data privacy laws
On top of this year’s state privacy laws, many more are still in the drafting and development phases throughout the country, including a much-debated federal privacy law.
With so many evolving regulations, organizations are increasingly finding complete compliance to be a challenge.
For this reason, the best way to achieve compliance is to take a data-centric approach to security and privacy. This means finding and classifying data wherever it lives. Only through this approach can an organization equip itself to meet compliance requirements while remaining flexible enough to adapt to the changing regulatory environment.
Best compliance approach: Data discovery, classification and compliance
Data discovery is the process for locating sensitive data under your organization’s control. Data classification refers to the process of organizing and tagging data in a way that allows it to be easily found and secured. To be compliant with strict state regulatory guidelines, your organization needs to be able to perform both processes efficiently and effectively.
Context-rich classification allows your organization greater visibility into what data you’re collecting, why you’re collecting it, and how it will be used. It also gives you insight into when the data was collected and when it will be disposed of, which are both pieces of information necessary to be in compliance with many new regulations.
Why automated data classification is a necessity
Nearly 90% of all the information created in human existence was created in the last few years. That’s not hyperbole. It’s a reality your organization needs to contend with when considering how to comply with new state privacy regulations.
Every piece of sensitive information held by your organization needs to be accounted for and properly monitored. Unfortunately, many organizations still try to manage this data with a mix of automated and manual classification, or worse, with manual tagging and organization. This is a recipe for failure. Not only are these processes not scalable for today’s regulatory environment, they’re untenable from a security perspective. And this doesn’t account for the dark data you may not even know you have.
Fortunately, there’s a solution to this problem. The answer is automated and persistent data classification.
How Spirion simplifies compliance
The first step in complying with new regulations is accurate data discovery and classification. To do that, you need a tool capable of locating all the data in your ecosystem. Only then can you fully comply with regulatory requirements like data subject access requests (DSARs).
Spirion’s Sensitive Data Platform offers a cutting-edge solution to meet new compliance requirements. With 98% accurate discovery, automated workflows and high-powered user controls, the Spirion SDP is the culmination of 15 years of industry-leading experience and provides your company with the powerful, scalable and flexible platform you need to survive in a modern business environment.