
Are You Liable? California, Virginia, Colorado Data Privacy Laws Explained


In 2018, the European Union’s General Data Protection Regulation (GDPR) came into effect. Touted as the gold standard in global privacy regulation, the GDPR has since inspired states across the US to enact similar laws to protect personal data privacy.  

Get ready now if you’re doing business in California, Virginia, or Colorado! Privacy laws will come into effect in 2023. Remember, even if your business is registered in a different state, you’re still liable if you collect or process personal data from customers living in any of these three states. But don’t fret. We know how confusing legalese can be, so we’ll walk you through the California Privacy Rights Act, Virginia Data Protection Act, and Colorado Privacy Act in plain English. We'll help you understand what these laws cover so you can determine if your company faces any liabilities.

The California Privacy Rights Act (CPRA) 

Note: This will replace the California Consumer Privacy Act of 2018 (CCPA). 

When will it come into full effect?  

January 1, 2023 

Who needs to comply with the law?  

For-profit entities doing business in California that collect or process consumers’ personal information and meet one of the following thresholds: 

  • Annual gross revenues of $25,000,000 or more in the preceding calendar year 
  • Annually buys, sells, or shares the personal information of 100,000 or more consumers or households 
  • 50% or more of its annual revenues come from selling or sharing consumers’ personal information  

What do companies need to submit to the CPPA? 

  • An annual cybersecurity audit 
  • A risk assessment around how you are processing personal data  

Does the law provide Data Subject Access Rights (DSAR)?   

Yes. California residents have the following rights: 

  • Right to be informed 
  • Right to access  
  • Right to delete 
  • Right to opt-out of the sale of personal information 
  • Right to non-discrimination 
  • Right to correction 
  • Right to limit data use 
  • Disclosure of sensitive personal information 

What are the penalties if my business doesn’t comply with the law?  

  • Attorney General Enforcement

    Your organization will be subject to an injunction and liable for a fine of:
    • $2,500 maximum for each violation OR
    • $7,500 for each intentional violation and each violation involving the personal information of minors

  • Administrative Enforcement

    You, as an organization or as an individual, may receive an administrative fine of:
    • $2,500 maximum for each violation OR
    • $7,500 for each intentional violation and each violation involving the personal information of minors who are 16 years old and under

  • Private Right of Action

    Consumers can also take legal action against you if your company suffers a security breach and their data is accessed or extracted from your databases. If you fail to implement and maintain information security measures, such as encryption and redaction, you are liable and may need to pay damages of at least $100 and not more than $750 per consumer per incident, or actual damages, whichever is greater.

Virginia Consumer Data Protection Act (CDPA) 

When will it come into full effect?  

January 1, 2023 

Who needs to comply with the law?  

For-profit entities that conduct business in Virginia, or produce products or services that are targeted to Virginia residents and that: 

  • Control or process personal data of at least 100,000 consumers annually. 
  • Control or process personal data of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data 

What do companies need to submit? 

The Attorney General (AG) may at any time request to review your company’s data protection assessment, which must already be completed before any such request, if you process personal data for specific functions such as:

  • Targeted advertising 
  • Selling personal data 
  • Profiling in certain circumstances 
  • Processing sensitive data 
  • Processing activities that present a heightened risk of harm to consumers 

Does the law provide Data Subject Access Rights (DSAR)?   

Yes. Virginia residents have the following rights: 

  • Right to be informed 
  • Right to access 
  • Right to correction 
  • Right to delete 
  • Right to object/opt-out 
  • Right to data portability  
  • Right not to be subject to automated decision-making 

What are the penalties if my business doesn’t comply with the law?  

Any data controller or processor will be subject to an injunction and liable for civil penalties of up to $7,500 for each violation. You may also need to pay the expenses the Attorney General incurs in investigating and preparing the case, including attorney fees.

Colorado Privacy Act (CPA) 

When will it come into full effect?  

July 1, 2023 

Who needs to comply with the law?  

Legal entities that conduct business in Colorado, or produce products or services that are targeted at Colorado residents and that: 

  • Control or process personal data of at least 100,000 consumers during a calendar year
  • Control or process personal data of at least 25,000 consumers, and derive revenue or receive discounted goods or services from the sale of personal data

What do companies need to submit? 

Data controllers must conduct a data protection assessment if they process data in a way that presents a high risk to consumers, including:

  • Targeted advertising where profiling presents a risk of:
    • Unfair or deceptive treatment of, or unlawful or unequal impact on, consumers
    • Financial or physical injury to consumers
    • Intrusion in the private affairs of consumers
  • Selling personal data
  • Processing sensitive data

Does the law provide Data Subject Access Rights (DSAR)?  

Yes. Colorado residents have the following rights:

  • Right to access 
  • Right to correction 
  • Right to delete 
  • Right to object/opt-out 
  • Right to data portability  

What are the penalties if my business doesn’t comply with the law?  

$20,000 fine for each violation. 

What’s next? 

The clock is ticking, and the privacy compliance deadline will be here before you know it. If your company isn’t prepared for this significant shift in regulation, it may face serious financial consequences and risks to its brand and reputation. Consumers care about how companies handle personal data. If you’re unsure how to begin, look at our privacy compliance tips for SMEs, or check out our solutions if you want to get started right away. We can help you audit your current processes and guide you to achieving privacy compliance seamlessly and cost-effectively. One thing’s for sure, though: 2023 is just around the corner, so you need to get going now.