Leaders across the globe are tightening privacy laws amid consumers’ growing concerns about the privacy and security of their personal information. Most US states already have consumer privacy laws, but with the emergence of the more stringent and extensive EU General Data Protection Regulation (GDPR), authorities across the US have either amended existing consumer privacy laws or enacted new ones.
As an organization that collects, stores, shares, discloses, or sells the personal information of consumers residing in any US state that has enacted privacy laws, it is critical for your organization to thoroughly understand the applicable laws, implement the required data privacy and security measures, and achieve compliance.
House Bill 1943, an act to amend the Arkansas Personal Information Protection Act of 2005, was passed into law in 2019.
The law applies to any individual or entity that acquires, owns, or licenses the personal information of Arkansas citizens.
The law doesn’t define any regulations for this section.
The applicable personal information protection act obligates organizations that own and maintain the personal information (PI) of consumers to ensure reasonable security measures.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The entity must inform the affected residents of Arkansas about the security breach, and must also inform the attorney general if the breach affects the PI of more than 1,000 applicable businesses.
The state of Arkansas has vested the attorney general with the authority to enforce the law.
The California Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act (CCPA), was approved by ballot in 2020 and will enter into force in 2023.
The act applies to all for-profit businesses that do business in California and collect California consumers' personal information, and that either make annual gross revenue of $25 million or more; buy, sell, or share the personal information of more than 100,000 California households or consumers; or derive 50% or more of their annual revenues from selling or sharing California consumers' personal information.
Under CPRA, consumers have the right to access, rectify, delete, and transfer (portability) their PI, and to opt out of its sale or sharing. Consumers also have the right to limit the use or disclosure of their sensitive personal information (SPI) and to opt out of automated decision-making.
The act obligates businesses to put in place reasonable security measures to prevent unauthorized access to data, as well as its misuse, disclosure, and modification. The act further requires businesses to monitor the privacy and security risk to PI by conducting annual audits and risk assessments.
CPRA requires opt-out consent for the selling and sharing of a consumer’s PI or the disclosure of their SPI; opt-in consent is required only for the sale of a minor’s (below 16 years of age) PI.
Businesses are required to notify consumers, at or before the point of collection, about the categories of PI collected, the purpose of collection and intended use, whether the PI is sold or shared, and the retention period or the criteria used to determine it. They must also provide a privacy notice with additional information, including consumers’ rights and the mechanisms for exercising them.
CPRA doesn’t define any time period for storage limitation except that the storage period of PI should be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.
Businesses are required to sign a written agreement with service providers, vendors, or third parties that ensures the transferred PI receives the same level of privacy protection as regulated under the CPRA.
CPRA doesn’t define any breach notification regulation, but under the California Civil Code, businesses are required to notify the affected consumers as soon as the breach is discovered.
The California Privacy Protection Agency (CPPA) is vested with the authority to enforce CPRA.
Senate Bill ('SB') 21-190, concerning the protection of personal data, was signed into law in 2021 as the Colorado Privacy Act (CPA). The CPA will go into effect in 2023.
CPA applies to data controllers (businesses) that operate in Colorado or sell products and services that intentionally target residents of Colorado. Additionally, the data controller must control or process the personal data (PD) of more than 100,000 consumers, or derive revenue or a discount from the PD of 25,000 consumers. Several significant categories of entities are exempt from CPA requirements.
CPA gives consumers the right to access, rectify, confirm, delete, and port their personal data, and to opt out of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. Businesses are further required to fulfill or deny consumers’ requests within 45 days.
CPA requires businesses to establish, implement, and ensure reasonable physical and technical security measures for the protection of data integrity and confidentiality during data storage and processing.
Businesses can’t process sensitive PD of consumers or PD of minors unless they have collected consent (consent of the minor’s parents or guardians in case of children’s PD).
The notice must outline the details regarding the categories of PD that the business shares or sells (including targeted advertising), and how consumers can exercise their rights provided under the act and appeal against the denial of their requests.
There are no specific regulations provided under this law, only that controllers shall not collect unnecessary personal data of consumers or process the personal data for purposes beyond what was disclosed to consumers without gaining their consent.
The law doesn’t define any regulations for this section.
There are no regulations regarding breach notification, but Colo. Rev. Stat. § 6-1-716 requires businesses to notify the affected residents of Colorado.
Under the CPA, only the District Attorney or the Attorney General can enforce the act or impose penalties in the event of any violations.
The Illinois Personal Information Protection Act (PIPA) was signed in June 2005 by the State of Illinois and took effect on January 1, 2006. In 2017, PIPA was updated to account for advances in technology and data collection methods, such as biometrics.
PIPA applies to government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and entities that handle, collect, disseminate, or otherwise deal with nonpublic personal information.
PIPA protects Illinois residents from the mishandling, misuse, or abuse of their personal information. The Act imposes various requirements on companies and other organizations that collect, handle or store non-public personal information.
PIPA requires data collector entities to implement and maintain reasonable security measures to protect records containing the personal information of customers from any unauthorized access, acquisition, destruction, use, modification, or disclosure.
The revised version of PIPA, known as the Biometric Information Privacy Act, requires entities to obtain written consent from consumers before collecting any biometric information, such as fingerprints, voiceprints, or scans of hand or face geometry.
The act doesn’t define any regulations for this section.
Under PIPA, entities must safely dispose of information that's no longer needed for ongoing services or business operations. This includes either paper or electronic documents containing the personal information of Illinois persons. Paper records must be properly burned, shredded, or otherwise disposed of, and electronic records must be rendered unreadable and unrecoverable.
The act doesn’t define any regulations for this section.
PIPA requires the data collector to immediately notify the Illinois resident(s) and the Attorney General of the data breach.
Illinois has empowered the state Attorney General to enforce the law.
Legislative Document 946, an Act to Protect the Privacy of Online Customer Information, was signed into law in 2019 and came into effect in 2020.
The law applies to providers of broadband internet access services to customers physically located and billed in Maine.
The law doesn’t define any regulations for this section.
The law requires providers to take reasonable security measures for customers’ data protection against unauthorized access or disclosure.
A provider must obtain a customer’s affirmative and express consent before using, disclosing, selling, or permitting access to the customer’s personal information. A provider may use, disclose, sell, or provide access to information that 'pertains to a customer' but does not fall within the law’s definition of 'customer personal information' unless and until the customer affirmatively opts out of the use, disclosure, sale, or provision of access to that non-personal information.
Providers are required to give customers a clear, conspicuous, and non-deceptive notice at the point of sale or on the provider’s website, informing customers of the provider’s obligations and the customers’ rights under the law.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
There are no regulations regarding breach notification, but 10 Me. Rev. Stat. § 1346 requires businesses to notify the affected residents and the appropriate state regulators within the Department of Professional and Financial Regulation or, if the entity is not regulated by the department, the Maine Attorney General.
The law doesn’t define any regulations for this section.
The Massachusetts Data Privacy Law became notable in 2009. A comprehensive Massachusetts privacy bill was subsequently filed in March 2021 and contains strict rules restricting employers from recording or monitoring employee data.
The Massachusetts Data Privacy Law applies to any business that handles the personal information of Massachusetts residents, and thus has extraterritorial application.
The law protects Massachusetts residents from any misuse of their personal information and holds companies responsible in case of any misuse.
The law requires covered companies to implement a Written Information Security Program (WISP), under which they should consider "its scale, scope, amount of capital, nature, and quantity of data collected or stored, and the need for security" and all third-party service providers to covered companies need to maintain adequate security measures to protect the personal information.
The act doesn’t define any regulations for this section.
The act doesn’t define any regulations for this section.
The act doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
There are no regulations regarding breach notification, but under Mass. Gen. Laws 93H § 1, covered companies must notify affected state residents, the State Attorney General, and the Director of Consumer Affairs and Business Regulation.
Massachusetts has empowered the state Attorney General to enforce the law. Penalties can reach $5,000 per violation (plus fair costs of prosecution and litigation).
Senate Bill 260 was signed into law in June 2021 and came into effect in October 2021, amending the Internet Privacy Act (Nevada Revised Statutes Chapter 603A).
The law applies to any operator who owns a website or an online service for any commercial purpose and collects certain personally identifiable information (PII) of consumers who live in the state of Nevada or to “data brokers” defined to include any person whose primary business is “purchasing covered information” about Nevada residents “with whom the person does not have a direct relationship”.
The law does not define extensive consumer rights; a consumer may, however, submit a verified request to the operator or data broker directing them not to sell the consumer’s covered PI.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
Covered entities are required to make a notice available to customers detailing the covered PI that is collected, any process by which the customer can request changes to the collected PI, and the effective date of the notice.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
There are no regulations regarding breach notification, but under Nev. Rev. Stat. § 603A.010 Nevada-based companies are required to notify residents in case of a breach.
The Nevada attorney general has the right to enforce penalties against the violation of any provisions and can impose penalties of up to $5,000 per violation.
Senate Bill 110, an Act relating to Data Privacy and Consumer Protection, was signed into law in 2020 and later came into effect.
The law applies to “operators” of websites, online services, or applications that are knowingly used and marketed for PreK-12 school purposes.
Operators are prohibited from engaging in targeted advertising or amassing a profile about a student based on information the operator has acquired because of the use of its site, service, or application for PreK-12 purposes. They may not sell, barter, or rent a student’s information, or disclose covered information to a third party, unless a specific exception applies.
The operator must implement and maintain reasonable security procedures and practices.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
There are no breach notification obligations under this law but under 9 V.S.A. §§ 2430, 2435 notification must be made to affected residents of the state.
The Attorney General and the State’s Attorney have the right to assess violations against any provisions under this act.
Senate Bill ('SB') 1392 and House Bill 2307, the Virginia Consumer Data Protection Act (VCDPA), were signed into law in 2021. VCDPA will go into effect in 2023.
VCDPA applies to persons or entities (businesses) that operate in the Commonwealth or offer products or services to residents of Virginia and that control and process the personal data of at least 100,000 Virginia residents; or that derive over half (50%) of their gross revenue from the sale of personal data and control and process the personal data of at least 25,000 Virginia residents.
VCDPA gives consumers the right to confirm, access, rectify, delete, and port their personal data, and to opt out; persons or entities are required to either fulfill or deny a consumer’s request within 45 days.
Persons or entities must establish technical, administrative, and physical security measures for data protection.
Consent is required for the processing of sensitive data of any consumer. In the case of minors, parental consent is required.
Covered entities are required to publicly disclose and provide the school with information about the operator’s collection, use, and disclosure of covered information.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
There are no regulations regarding breach notification under VCDPA, but under Va. Code § 18.2-186.6, businesses are required to notify the affected residents of Virginia.
VCDPA empowers an Attorney General to enforce the provisions.
On February 1, 2022, Indiana became the first US state to pass a consumer privacy bill out of a legislative chamber.
The bill covers entities processing the data of:
There is no explicit data protection law in New Jersey. However, state lawmakers have proposed a bill to strengthen data privacy guidelines and impose stricter limits on the tech industry, The Wall Street Journal reported on Monday (March 2).
The bill mandates that tech firms get authorization from New Jersey consumers before collecting and selling information to third parties.
The New Jersey bill mandates that any firms collecting personal data tell people how the information will be used in plain language. The measure also empowers consumers to ask companies to copy their personal data and request that the information be deleted.
The bill would establish specific security standards.
The bill would require businesses to explicitly obtain consent from consumers before their data can be collected and sold to third parties.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
Under the bill, entities must notify any customer who is a New Jersey resident and whose personal information is believed to have been accessed by an unauthorized person. Entities must also disclose any breach of the security of their computerized records.
New Jersey has empowered the Attorney General to enforce the law.
The North Carolina General Assembly introduced the Senate bill known as the Consumer Privacy Act (CPA) on April 6, 2021.
The proposed Act would apply to companies that provide products and services to North Carolina residents. Companies that gather, control, or process the personal data of at least 100,000 consumers annually, or of at least 25,000 consumers while deriving over 50% of their gross revenue from the sale of personal data, would need to comply.
The proposed Act empowers consumers with the right to knowledge and access, the right to correction, the right to deletion, the right to opt out, and a private right of action.
The proposed Act requires data controllers to employ data protection measures, such as cybersecurity controls, to secure consumer data.
The proposed Act requires data controllers to obtain the consumer’s consent before processing their data.
Under the proposed Act, data controllers are required to provide consumers with a clear and accessible privacy notice. The privacy notice must include the classification of personal data being processed, the purposes of such processing, how consumers may exercise their rights, and information regarding the sharing of personal consumer data with third parties.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
North Carolina has empowered the Attorney General to enforce the law.
The Ohio Personal Privacy Act (OPPA), or HB 376, was introduced in June 2021 by the State of Ohio.
The OPPA would apply to companies that conduct business in Ohio or target Ohioans and that either have gross revenue exceeding $25 million annually; control or process the personal data of 100,000 or more Ohio consumers yearly; or derive over 50% of their gross revenue from selling the personal data of Ohio consumers and process or control the personal data of 25,000 or more Ohio consumers during a calendar year.
The OPPA would create various consumer rights, such as the right to: know what type of personal data is being collected about the consumer; gain unrestricted access to the consumer's personal data collected so far; request the immediate deletion of their personal data; and decline or opt out of the sale of the consumer's personal data.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The OPPA requires businesses to provide consumers with a notice about the personal data they process regarding a consumer. Additionally, businesses need to provide consumers with an easily accessible and clear privacy policy.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
Ohio has empowered the Attorney General to enforce the law.
The recently introduced Oklahoma Computer Data Privacy Act (OCDPA) would be the state’s first opt-in data privacy law.
The OCDPA would apply to businesses that conduct business in Oklahoma; collect the personal information of consumers or have that information collected by a third party on their behalf; alone or in conjunction with others determine the purpose for and means of processing consumers' personal information; and satisfy specified financial and business thresholds.
The OCDPA gives consumers the right to opt in to the sale of their personal information. Additionally, consumers have the right to request deletion of their personal information and to request a report containing the categories of personal information collected, sold, or disclosed about them for business purposes, along with the categories of third parties to whom that information was sold or disclosed.
Under the OCDPA, businesses would be required to implement and maintain reasonable security procedures and practices to protect the personal information of consumers.
The OCDPA would also require businesses to obtain the explicit consent of the consumer before it begins collecting and selling the consumer’s personal information.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
Although breach notification is not addressed, violations of the act could attract monetary fines of $2,500 for each violation and $7,500 for each intentional violation.
Oklahoma has empowered the Attorney General to enforce the law.
On April 7, 2021, Pennsylvania legislators introduced a comprehensive consumer data protection bill (HB 1126). The bill takes inspiration from the California Consumer Privacy Act (CCPA).
The proposed bill applies to businesses that must respond to consumer access requests; such businesses must comply within 45 days of receiving a verifiable request from a consumer.
Under the proposed bill, Pennsylvania consumers would have a right to request disclosure of personal information collected by a business; have their personal information deleted; request information about any personal data sold or used for business purposes by a business, and outright decline or opt-out of the sale of personal information to third parties.
The law doesn’t define any regulations for this section.
The proposed bill would require companies to obtain the consumer’s consent before collecting and processing data.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The law doesn’t define any regulations for this section.
The Pennsylvania bill provides for a private right of action, but only in cases of breaches where the personal data is unencrypted and non-redacted.
Pennsylvania has empowered the Attorney General to enforce the law.
Utah Governor Spencer J. Cox signed the Utah Consumer Privacy Act (UCPA) into law in March 2022. Utah thereby became only the fourth US state to have an active data protection act in place, after Colorado, Virginia, and California. The Utah Consumer Privacy Act will go into effect on December 31, 2023.
All data processors and controllers that have annual gross revenue in excess of $25 million are subject to the UCPA if they have at least 100,000 customers during a calendar year or make 50% of their gross revenue from selling or sharing user data.
Like all other major data protection laws, the UCPA gives consumers certain rights. These include the right to access, delete, or obtain a copy of their data, as well as the right to confirm whether their data is being processed. Additionally, consumers can opt out of targeted advertising and the sale of personal information, and have the right not to be discriminated against for exercising their rights under the Act. Authenticated requests must be responded to within 45 days of receipt, with a further 45 days available if the request is complex and would require more time to complete.
The UCPA requires all organizations to establish, implement, and maintain reasonable physical and technical security measures to protect personal data.
No organization can proceed with its data processing activities unless it gains the users’ affirmative and explicit consent. In the case of minors, organizations must obtain the consent of the minor’s parents, per the Children's Online Privacy Protection Act.
The organization must provide consumers with a reasonably accessible and transparent privacy notice that includes the following information:
There are no specific regulations provided under this law.
The law doesn’t define any regulations for this section.
The law does not outline breach notification requirements; however, under § 13-61-301(1)(b) of the law, processors are required to assist the controller in meeting its obligations, including those related to the security of processing personal data and to notification of a breach of a security system under the Protection of Personal Information Act.
The UCPA's enforcement responsibilities are "shared" between the Utah Department of Commerce Division of Consumer Protection (the Division) and the Utah Attorney General’s Office. If the Division has “reasonable cause” to believe that substantial evidence of a violation exists, it will refer the complaint to the Attorney General. If the violation is not cured within 30 days of notice by the Utah Attorney General, the Attorney General may seek actual damages for the consumer and civil penalties of up to $7,500 per violation.
While Puerto Rico has no comprehensive data protection law, the Department of Consumer Affairs (DACO) published its draft regulation, titled Protection of Digital Privacy, in March 2019. It aims to give all users privacy rights and to grant DACO the regulatory powers to enforce the proposed law and carry out relevant inspections, audits, and fines for non-compliance.
The proposed law will apply to all personal information registered in the databases of private sector companies. However, any protected information within the same databases is covered by other regulations such as the Gramm-Leach-Bliley Act, Law on the Protection of Driver's Privacy Act of 1994, Federal Fair Credit Reporting Act, Law of Availability and Portability of Health Insurance, etc.
Per the proposed law, users will have the right to access the information collected about them, learn whether this information has been shared, sold, or transferred and to whom, deny permission for their information to be shared, sold, or transferred, access their personal information held by third parties, request the deletion of all their collected personal information, and have any collected information rectified or modified.
All organizations that collect consumers' personal information are required to ensure they implement appropriate security measures and practices to prevent alteration, destruction, loss, or unauthorized access to this data. These measures must include security mechanisms suitable for current technological developments.
Organizations may only proceed with actions related to collecting, storing, treating, or transferring users' data after gaining their free, explicit, and informed consent.
The organization must maintain a privacy policy page, regularly updated on its website, containing all necessary mandatory disclosures related to its data processing practices.
The proposed law is unclear on storage limitations.
The proposed law is unclear on cross-border data transfer requirements.
In case of a data breach, the organization must notify the affected users of the security breach within 72 hours. The notification must include information related to what information was compromised, the contact information of relevant personnel at the organization the consumers can contact for further information, likely consequences of the breach, and what corrective measures are being undertaken.
The primary body responsible for enforcing this proposed law in its initial phases will be the Department of Consumer Affairs.
Senate Bill 6: 'An Act Concerning Personal Data Privacy and Online Monitoring' was passed by both the Senate and House of Representatives, leading to its being signed into law in May 2022. The Bill will formally come into effect on July 1, 2023.
The Bill applies to all businesses operating from Connecticut or offering goods and services to Connecticut residents. Additionally, they must have processed the personal data of at least 100,000 users, or have processed the data of at least 25,000 users while deriving 25% of their gross revenue from selling that data.
Per this Bill, users will have the right to access their information, correct this information, request deletion of this information, as well as obtain a machine-readable copy of this information.
The law doesn't define any regulations for this section.
Organizations collecting data will need all users' affirmative, freely given, informed, unambiguous consent before initiating any data processing activities. Similarly, the organization must provide an effective mechanism for the users to revoke their prior given consent easily.
All organizations must maintain an updated privacy policy on their website that contains detailed resources on the categories of personal data collected on them, the purpose of data processing, potential sharing/selling of personal data, how users can exercise their data rights, and updated contact details.
The law doesn't define any regulations for this section.
The law doesn't define any regulations for this section.
If an organization suffers a data breach that affects information related to users' social security numbers, driver's license numbers, financial information, taxpayer identification number, passport number, medical information, health insurance policy number, biometric information, IP address, full name, or their online username along with a password or security question and answer, they will be required to inform both the affected users as well as the primary regulatory authority.
Per the regulation, the Connecticut State Attorney General (AG) will be the primary regulatory authority enforcing the law within the state.
Copyright © 2023 Securiti