Data privacy is on everyone’s mind lately, including lawmakers’. The result is a growing number of new privacy laws going on the books every year. While the adoption of privacy protections and safeguards is a good thing for consumers overall, it can be quite a headache for businesses to figure out which of the laws even apply to them, let alone how to navigate multi-jurisdiction compliance.
Here is a rundown of the five privacy laws that are most likely to be on your radar: the EEA/UK’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (CDPA), the Colorado Privacy Act (CPA), and the Utah Consumer Privacy Act (UCPA).
There are two primary ways the GDPR could apply to a business. These are:
If the GDPR applies to your business, compliance will look very different depending on which of these two situations describes you. If you have an establishment in the EEA/UK, the GDPR applies to all of the data processing carried out in the context of that establishment’s activities, not just processing that relates to people in the EEA/UK. If your business merely offers goods or services to people in GDPR territory (or monitors their behavior there), the law applies only to the processing of the personal data of data subjects located in the EEA/UK.
The California law takes quite a different approach to defining which businesses must comply with it. Most importantly, it does not matter where your business is located. Whether you are based in Sacramento or Tokyo, the CCPA applies to your business if it meets the following criteria:
The CCPA has been enforceable since 2020, so if your business meets these criteria then you should get compliant as soon as possible to avoid large fines.
As more U.S. states pass their own privacy laws, it’s likely that many of them will be based on the “Virginia model,” and thus a similar analysis will apply. Your business will have to comply with the CDPA if it meets these requirements:
Notice that, unlike the CCPA, there is no annual revenue threshold. The Consumer Data Protection Act goes into effect on January 1, 2023.
Colorado’s data privacy law borrows much of its wording and structure from the CDPA, but it is not always a 1:1 match. When it comes to which businesses must comply, the CPA is significantly broader than the Virginia law.
One more key factor to consider is that, unlike the California and Virginia laws, nonprofits are not exempt from the Colorado Privacy Act. There are other exemptions that may apply, such as for state institutions of higher education, but nonprofit organizations should look carefully at the CPA.
Utah’s privacy law was passed in 2022, and goes into effect on December 31, 2023. It bears a strong similarity to Virginia’s law, with slight differences that make it less stringent overall.
Here are the criteria to determine if the UCPA applies to your business:
The UCPA also contains a long list of categories of organizations that are exempt, so that it is largely restricted to for-profit entities. The exemptions include governmental entities, nonprofit corporations, institutes of higher education, and more.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.