7 Key Data Privacy Laws for 2023

Compliance with data privacy law doesn’t just protect end users’ personal data—it also provides critical cyber security defenses for organizations. Employees and customers now expect the freedom to safely sign on from anywhere and companies are adopting and managing more cloud-based tools; meanwhile, data breaches continue to escalate in frequency and severity. Any organization providing digital products or services needs to make sure the proper safeguards are in place for the sake of both the business and its patrons.

That is easier said than done when the global data privacy landscape is so complex (and ever-changing). Is compliance on your radar? If so, here’s a primer that outlines some of the major data privacy laws you’ll want to take into account.

Global and regional regulations at a glance

It’s important to compare privacy legislation, because depending on the size of your organization, the type of user data you store and collect, and the markets you operate in, your compliance requirements will be unique. For many organizations, these markets will include parts of the United States (US) and European Union (EU), so let’s take a closer look at the types of privacy laws that organizations most often have to navigate.

United States privacy regulations

The US is an interesting case because there’s no overarching national privacy legislation for protecting consumers’ personal data. Instead, there is sectoral regulation that specifically governs privacy, such as the Health Insurance Portability and Accountability Act (HIPAA), as well as regulation that has been implemented at the state level in several jurisdictions. Comparing privacy laws in California, Virginia, and Colorado shows where these rules tend to align and where they tend to vary.

The California Consumer Privacy Act (CCPA)

The CCPA protects California residents. It applies to organizations that do business in California and meet one of the following criteria:

  • Have annual gross revenues greater than $25 million;
  • Process the data of 50,000 or more consumers; or
  • Derive at least 50% of revenue from the sale of personal information.

The California Privacy Rights Act (CPRA) updates some of the thresholds outlined above for businesses subject to the law, so it’s important to understand the amendment to the CCPA as well. 

Amending the CCPA with the CPRA

The CCPA didn’t tick all of the boxes that privacy watchdogs were advocating for, so California voters passed the CPRA, which took effect on January 1, 2023. In some ways, it’s even stricter. It will be upheld by the California Privacy Protection Agency, a new privacy regulator consisting of a five-member board. The CPRA strengthens the CCPA by adding several elements, including the right to rectification, the right to restriction, and the concept of sensitive personally identifiable information, to name a few.

The Colorado Privacy Act (CPA) and the Virginia Consumer Data Protection Act (VCDPA)

The CPA and the VCDPA are similar in that they both protect “natural persons” who are residents of their respective states. They also both apply to organizations that do business in those states and meet one of the following criteria:

CPA

  • Collect personal data from 100,000 Colorado residents; or
  • Derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 or more consumers.

VCDPA

  • Control or process the personal data of 100,000 or more Virginia residents; or
  • Control or process the personal data of at least 25,000 consumers and earn at least 50% of their revenue by selling that personal data.

Similar to California, Colorado has introduced a concept of sensitive data. The CPA includes other similar technicalities, including special protections for sensitive data and the rights to:

  1. Opt out of targeted ads, the sale of personal data, and certain types of profiling.
  2. Access personal data that an organization has collected on them.
  3. Correct personal data that has been collected about them.
  4. Request that their personal data be deleted.
  5. Personal data portability.

HIPAA and GLBA

As a technical strategist here at Okta, I often work with organizations that are subject to industry-specific privacy laws regulated at the federal level, so it would be prudent to mention two of the main ones in the United States.

The Health Insurance Portability and Accountability Act (HIPAA)

Any organization that processes protected health information (PHI) has heard of HIPAA. It ensures the following:

  • Patients own their PHI and must receive a notice of privacy practices from the covered entity, typically their provider, detailing how their PHI will be used.
  • Providers can retain that information for purposes such as treatment and payment, but they require explicit authorization for any marketing activities.
  • Patients can request specific restrictions on how their PHI is disclosed and used by the healthcare provider.
  • Patients also have the right to request an update to their medical records.

And like any federal regulation, HIPAA will always be subject to additional regulatory guidance, enforcement, and amendments as healthcare and privacy continue to evolve.

The Gramm-Leach-Bliley Act (GLBA)

The GLBA applies to financial institutions that collect, use, or disclose personal information, and these are some of its main points:

  • Explaining how and why nonpublic personal information (NPI) is shared with third parties, and allowing their customers to opt out of sharing NPI.
  • Following established guidelines for the collection, use, disclosure, and protection of their customers’ personal data.
  • Implementing a written information security program that protects their customers’ personal data from unauthorized access.

Like HIPAA, GLBA is ever-evolving legislation. For example, the Safeguards Rule was recently updated, with the new effective date for compliance set for June 9, 2023. The ever-changing nature of the law is why organizations have a responsibility to keep tabs on the amendments that may be made in any given year, by any given administration.

Privacy regulations of Europe

Looking beyond US borders, here are some data privacy protections you should account for in your policies if you participate in global markets.

The General Data Protection Regulation (GDPR)

The GDPR is an all-encompassing data privacy regulation which applies across the EU and extraterritorially to businesses that may target EU residents. The penalties for noncompliance with the GDPR are harsh: organizations found in noncompliance can be charged 4% of global turnover or up to €20 million—whichever is higher.

Data subjects also have many rights that must be expressly communicated to EU individuals, including:

  1. The right to be transparently informed about the processing of their personal data, including at collection from the individual and when the data is received from others;
  2. The right to access their personal data; 
  3. The right of rectification of personal data if it is inaccurate or incomplete;
  4. The right of erasure of personal data;
  5. The right to restrict processing of personal data;
  6. The right to data portability;
  7. The right to object to processing of their personal data, including for direct marketing; and 
  8. The right to object to automated decision-making, including profiling.

The Data Protection Act 2018

The United Kingdom’s (UK) Data Protection Act is the UK’s implementation of the GDPR. It includes many of the same protections, including the rights mentioned above, and requires organizations to comply with its “data protection principles,” which, according to the UK government’s website, direct how information should be handled. Data must be:

  • used fairly, lawfully, and transparently
  • used for specified, explicit purposes
  • used in a way that is relevant and limited only to what is necessary
  • accurate and kept up to date
  • kept for no longer than necessary
  • secured and protected against unlawful and unauthorized access, processing, loss, destruction, or damage

In all cases, Identity is a critical component

Understanding which data privacy laws apply to your organization and your users is imperative, but ultimately, their shared purpose is to process data as permitted by the individual and to safeguard data—and identity. That’s why Identity and Access Management plays such an important role in meeting regulatory requirements. Organizations need to:

  • Ensure the right user is associated with the right data, and that the data is accurate.
  • Safeguard that data against those who want to obtain and use it without permission.
  • Allow users to have the final say over how their data is collected, used, and shared.

All of that requires secure, user-friendly Customer Identity. Here at Okta, our goal has always been to help organizations simplify complex challenges with streamlined solutions, ensuring safer, easier access without compromising security. And that’s why organizations across the globe trust Okta’s Customer First team for support in meeting their compliance needs, augmenting their security posture, and optimizing their customer experience.
 

 

These materials and any recommendations within are not legal, privacy, security, compliance, or business advice. These materials are intended for general informational purposes only and may not reflect the most current security, privacy, and legal developments nor all relevant issues. You are responsible for obtaining legal, security, privacy, compliance, or business advice from your own lawyer or other professional advisor and should not rely on the recommendations herein. Okta is not liable to you for any loss or damages that may result from your implementation of any recommendations in these materials. Okta makes no representations, warranties, or other assurances regarding the content of these materials.  Information regarding Okta's contractual assurances to its customers can be found at okta.com/agreements