
Navigating the new US data privacy regulations

By Kaus Phaltankar

August 4, 2023

In an era marked by rapid technological advancements and an ever-increasing dependence on digital platforms, data privacy has emerged as a critical concern. To address these concerns, several U.S. states have implemented strict data protection regulations. Starting in July 2023, Virginia, Connecticut, Colorado and Utah will enforce fines for non-compliance with these regulations, holding businesses accountable for mishandling sensitive information.

Currently, nine states (California, Virginia, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee and Montana) have comprehensive data privacy laws. Additionally, around 16 states introduced privacy bills during the 2022-23 legislative cycle, covering various issues such as biometric identifiers and health data. Proposed bills in other states (e.g., Illinois, Massachusetts, Minnesota, New York, Pennsylvania) offer similar rights but may differ in implementation and enforcement.

As new regulations come into effect, it is crucial for individuals and businesses to grasp their implications fully. Understanding the scope of these regulations and their specific requirements is essential for compliance. Let's look at what these regulations entail, who they apply to and what businesses need to do to avoid penalties and reputational harm.

Understanding the scope of the regulations

The upcoming data privacy regulations in VA, CT, CO and UT draw inspiration from the GDPR, which is considered a global benchmark for data privacy protection, and share similarities with the California Consumer Privacy Act (CCPA), one of the most comprehensive data privacy laws in the United States. Understanding the scope of these regulations is critical to creating an effective security and compliance strategy. Here's what security leaders need to know:

  1. Connecticut (CT): Connecticut's primary data privacy law (2022 S.B. 6/Public Act No. 22-15) establishes standards for companies that control and process personal data of Connecticut residents. It grants residents the right to access, correct and opt out of data processing. Effective from July 1, 2023, the law includes additional safeguards under Conn. Gen. Stat. § 42-471, ensuring personal information is protected from third-party misuse and properly disposed of. It also requires companies collecting Social Security numbers to publicly post privacy protection policies. The Attorney General must notify the controller of remediable violations, allowing a 60-day "right to cure." This provision expires on December 31, 2024. Willful violations can result in fines up to $5,000, along with attorney fees, actual and punitive damages. Violating restraining orders or injunctions can lead to penalties of up to $25,000.
  2. Virginia (VA): Virginia's Consumer Data Protection Act (2021 H.B. 2307/2021 S.B. 1392) regulates data control and processing for businesses, granting consumers the rights to access, delete, correct and opt out of data processing for advertising. It applies to non-government companies handling data from 100,000+ consumers, or earning over half their revenue from selling personal data from 25,000+ consumers. Enforced since January 1, 2023, the law carries penalties of up to $7,500 per violation for non-compliant companies, which means that for every 1,000 customers a non-compliant organization can end up paying fines of over US$7.5 million.
  3. Colorado (CO): Colorado's data privacy law, part of the Consumer Protection Act, applies to businesses processing data from 100,000+ consumers, or from 25,000+ Colorado residents while earning revenue from data sales. It grants residents the rights to opt out of targeted advertising and data sales, and to access, delete, correct and obtain their data. Enforcement is carried out by the Colorado Attorney General and district attorneys, with penalties up to $20,000 per violation and a maximum of $500,000 lifetime for related violations.
  4. Utah (UT): Utah's Consumer Privacy Act (UCPA, 2022 S.B. 227) grants consumers the rights to know and confirm processing activity, access, delete and obtain a portable copy of their data, opt out of sales and targeted advertising and avoid discrimination. Effective from December 31, 2023, it is enforced by the Utah Attorney General, who can impose fines of up to $7,500 per violation. The UCPA does not create a private right of action for consumers.
  5. California (CA): The California Consumer Privacy Act (CCPA), modified by the California Privacy Rights Act (CPRA), has undergone notable changes. On July 8, 2022, the California Privacy Protection Agency (CPPA), California's privacy regulator, unveiled proposed regulations for the updated CCPA, set to be effective from January 1, 2023. These include forthcoming rules on automated decision-making, cybersecurity audits and data processing risk assessments. Personnel and B2B contacts will be treated as consumers under the CCPA. Consumers can limit data collection and use, including geolocation data within 1,850 ft. Businesses must disclose data retention policies and avoid excessive retention. Consumers can prevent data sharing for cross-context behavioral advertising. The 30-day "cure" period for enforcement actions is removed. Penalties for mishandling children's information have tripled to $7,500 per incident, increasing the repercussions of non-compliance.

What businesses need to know

To prevent non-compliance, businesses need to take proactive measures to stay ahead of threats and violations. Here are some essential points that businesses should acquaint themselves with as the initial step towards ensuring compliance.

Decode regulations and remediation scope

Detailed knowledge of the changing regulations enables effective implementation for businesses navigating data privacy. Additionally, it is crucial to be aware of the opportunities for remediation in the event of unintentional violations. By promptly addressing non-compliant practices within the specified timeframes, businesses can minimize potential penalties and maintain strict compliance with the regulations.

Conduct impact assessment

Assess the potential impact of these regulations on your business operations. Identify where personal data is collected, stored or shared, and evaluate whether current practices align with the new requirements. Identifying gaps will facilitate the implementation of necessary changes.

Consider cross-state implications

To comply with data privacy regulations in multiple states, businesses must be aware of the implications in each jurisdiction. For example, if a business in Florida serves customers from Virginia, it must also meet Virginia's data privacy requirements. With privacy regulations in 22 U.S. states, businesses must conduct a thorough analysis of their customer locations to track and adhere to the relevant privacy laws in each state where they operate.

Build comprehensive data privacy practices

To comply with data privacy regulations, businesses must update privacy policies, obtain explicit consent, ensure robust data security and provide accessible channels for consumers to exercise their privacy rights. Ongoing monitoring and automation are vital for tracking and reporting data privacy activities. Additionally, regular updates to applications and systems are crucial for evolving privacy requirements, despite associated costs (coding, updating app processes, etc.). Prioritizing a secure and privacy-conscious environment is essential for user trust.

U.S. data privacy laws differ in their applicability to digital and paper records. While some laws, like HIPAA, apply to all types of records, others, such as the Children's Online Privacy Protection Act (COPPA), focus on online data collection. California's previous laws focused on electronic data, including privacy notices and breach reporting. However, the CCPA extended its coverage to both electronic and paper records. The new US data privacy laws take inspiration from the CCPA.

How to avoid fines and reputational damage

Invest in people, processes and technology to strengthen security, compliance and governance. Leverage technology for automated monitoring, threat detection and incident response. Implement encryption, multi-factor authentication and secure coding practices to protect data and prevent reputational damage.

Key priorities for businesses include:

  • Transparency and consent: Prioritize transparent data practices, obtain proper consent, clearly communicate data collection purpose, provide access to privacy policies and offer opt-out options for individuals.
  • Continuous monitoring: Deploy a unified platform for continuous monitoring to identify and mitigate security and compliance risks effectively. Automating security, compliance and governance provides comprehensive visibility, continuous assessment and prioritized mitigation, reducing risk and improving total cost of ownership (TCO).
  • Proactive approach: Conduct regular risk assessments and audits, and implement strong security measures to prevent breaches and compliance failures before they happen.
  • Building a framework and controls: Organizations must establish a framework, implement controls and adopt industry-recognized standards (e.g., ISO 27001, NIST Cybersecurity Framework) to protect sensitive data and ensure compliance. This involves defining policies and implementing technical measures such as access controls, encryption and data loss prevention.
  • Timely reporting: Demonstrate regulatory adherence and industry alignment, supporting audits and investigations to verify compliance. Deploying an application-centric solution automates control mapping, artifact creation and audit report generation, enabling continuous monitoring and prompt compliance management.
  • Employee training and education: Invest in training and educating employees on privacy, security and compliance requirements to foster awareness and accountability, reducing errors. It is crucial for employees to understand the consequences of not following established processes, benefiting both themselves and the organization.
  • Process validation and documentation: Validate processes, ensure alignment with privacy regulations and security best practices, conduct internal audits, document procedures and maintain accurate records. Well-documented processes serve as training material and aid in implementing automation technologies.


Kaus Phaltankar is Co-founder and CEO of Caveonix.