The Weekly Breach Breakdown Podcast by ITRC - Don't Keep Your Comments To Yourself - S3E30

Show Transcript

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for November 4, 2022. Each week, we look at the most recent events and trends related to data security and privacy. This week, we talk about five state privacy laws as we move closer to the day when those laws go into effect in 2023. All of these privacy laws by state have similar, but not identical, requirements to give consumers more access and control over their personal information that businesses collect, use, share, sell or store.

New Regulations for California Privacy Rights Act

This week, the California Privacy Protection Agency released the regulations required to make the new California Privacy Rights Act effective. The law is supposed to go into effect on January 1, 2023. However, the Agency is required to take 15 days of comments before finalizing a draft of the rules. That comment period is open until November 21 – so don’t keep your comments to yourself.

The Next Steps for the California Privacy Rights Act

Once those proposed rules are stamped final, they go to a different state agency – the California Office of Administrative Law (the OAL) that will approve or reject the rules. Once approved, the rules can go into effect, and the Privacy Agency can begin to enforce the law. Simple math – and history – tells us that it is highly unlikely the OAL will get that done before 12:01 a.m. on January 1. Count on a delay in the enforcement of the new law.

The proposed rules have not been significantly modified since they were originally proposed. However, the Privacy Agency has debated several important issues along the way, not the least of which is how aggressive they want to be when enforcing the law. Especially since businesses may have little to no time to conform to the regulations before they become effective. You can learn more about and comment on the proposed privacy regulations at CPPA.ca.gov.

Other Privacy Laws by State in 2023

California is not the only state with a new privacy law that takes effect on January 1, 2023 – so does Virginia. Unlike California, where the law will be enforced by a newly created state agency, Virginia’s law will be enforced by the Commonwealth’s Attorney General (AG). The Virginia AG has not released information on how they intend to enforce the law.

The other state laws go into effect later in the year: Colorado and Connecticut on July 1, 2023, and Utah on December 31, 2023.

More State Privacy Laws Could Be on the Way

Next year will be busy for privacy debates as all state legislatures begin a new session. Four states – New Jersey, Michigan, Pennsylvania and Ohio – already have state privacy bills filed. Twenty-two (22) other states considered state privacy laws in the last legislative cycle. Most, if not all, of those bills will be refiled in some form. We will continue to watch the movement of the possible privacy laws by state.

Meanwhile, Congressional supporters of a bipartisan federal privacy law will have to start over in 2023.

Contact the ITRC

If you want to learn how to protect your personal or business information or think you have been the victim of an identity crime, visit our website www.idtheftcenter.org. You can also speak with an expert advisor on the phone (888.400.5530), chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PST). 

Be sure to listen to last month’s episode of our sister podcast, the Fraudian Slip, where we broke down the findings of our 2022 Business Impact Report, which looks at what happens when small businesses are victims of cyberattacks and data breaches. We will be back next week with another episode of the Weekly Breach Breakdown.