Cybersecurity is high on the agenda for US lawmakers in 2023, as California, Virginia, and a handful of other states crack down on data protection

Online activity has boomed in recent years as more of us rely on the internet to shop, bank, and do business. This surge in e-commerce has lawmakers worried. With more traffic comes more risk, and the legislatures of five US states are responding by adopting a European-style approach to consumer privacy and cybersecurity.

Following in the footsteps of the EU’s stringent General Data Protection Regulation (GDPR), Virginia, California, Colorado, Utah, and Connecticut are all set to revise their data protection laws in 2023.

These are significant changes. Companies doing business in these states will need to be more transparent about how they collect, store, and share consumer information. For those not meeting the regulatory standards, harsh penalties will be enforced, potentially earning them thousands of dollars in fines and causing lasting reputational damage.

What to expect from the new data privacy regulations

Both the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA) come into force January 1, 2023.

Other states will follow their lead later in the year with the Colorado Privacy Act (CPA) and Connecticut Data Privacy Act (CTDPA) introduced in July, and the Utah Consumer Privacy Act (UCPA), which closely follows the VCDPA, taking effect on December 31, 2023.

Some states have yet to release final guidance on the regulations, but early adopters California and Virginia have shared the provisions they’re enacting in the new year.

The CPRA applies to any for-profit entity doing business in California that collects or processes consumers’ personal information, and meets at least one of the following criteria:

  • Annual gross revenues in excess of $25,000,000 in the preceding calendar year
  • Annually buys, sells or shares the personal information of 100,000 or more consumers or households; or
  • Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information

Virginia’s VCDPA applies to entities that do business in Virginia and produce products or services that are targeted to consumers, acting in an individual or household context, and meet at least one of the following criteria:

  • Control or process personal data of at least 100,000 consumers annually; or
  • Control or process personal data of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data.

Both the VCDPA and the CPRA are intended to strengthen consumer rights, giving them more control over their personal information and ensuring it doesn’t end up in the hands of opportunistic hackers.

Consumer data should be collected and processed in a manner that’s consistent with the “reasonable expectations” of the consumer. This expectation is determined by evaluating a number of factors including the customer’s relationship with the business and the type, nature, and amount of data collected.

Key provisions include:

  • Consumers have the right to confirm whether a controller is processing their personal data and access such personal data, unless such actions would reveal a trade secret.
  • Consumers have the right to correct inaccuracies in their personal data (with some limitations).
  • Consumers have the right to delete personal data provided by or about the consumer.
  • Consumers have the right to obtain a portable copy of their personal data to the extent technically feasible and provided the controller will not be required to reveal any trade secret.
  • Consumers have the right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data or profiling in connection with automated decisions that produce legal or similarly significant effects concerning the consumer.

Companies that fall under the new privacy laws obviously need to ensure they’re fully compliant before the implementation grace period expires, but businesses all over North America should also be implementing these provisions as part of an effective cybersecurity strategy. As the US plays catch-up with the GDPR, it’s only a matter of time before every state takes a similar hardline approach.

How ion8 can help your business create an effective cybersecurity policy

As a full-cycle business consultancy, ion8 takes a holistic approach to cybersecurity planning. Our team of engineers, developers, and consultants work with clients to first assess their current capabilities and then develop a roadmap to get them where they need to go.

During the assessment phase, the team evaluates a company’s security architecture, looking for vulnerabilities and areas of improvement. This is used to set immediate goals, priority items, and long-term objectives.

Developing a comprehensive roadmap in this way results in improvements at every level – ensuring compliance, maximizing internal resources, earning companies significant efficiency gains, and, in many cases, even cutting the cost of a firm’s cybersecurity insurance.

But we’re not just consultants, we’re cybersecurity partners. Our familiarity with digital business solutions means we are perfectly positioned to help our clients enact rigorous cybersecurity policies and procedures with the technology they need to support those efforts at scale.

The demand for data privacy isn’t going anywhere. Companies that evolve to meet the legal landscape with robust cybersecurity frameworks will be better prepared to stay compliant and avoid costly breaches.

Get ready for whatever the new year brings by being proactive, revising your policies, and consulting with cybersecurity experts to ensure your company has everything in place to avoid security shocks and legal action.