The Digital Age has brought more data collection than ever thought possible. Despite this increase in consumer data collection, Congress has yet to pass any federal regulation governing collection. As a result, many state legislatures across the country are scrambling to enact legislation that will protect its citizens’ data privacy. Though Indiana has yet to pass its own comprehensive privacy legislation, the legislation of other jurisdictions has extensive implications for Indiana business owners as they become subject to contrasting data privacy laws of other states.
Business owners in all states should be aware of laws and initiatives as they develop to ensure they are in compliance and to avoid fines or lawsuits. California has proven to hold businesses to the strictest standard in the United States in protecting their citizens’ data privacy with the introduction of the California Consumer Protection Act (CCPA) in 2018, and the California Privacy Rights Act (CPRA), which will take effect January 1, 2023.
Businesses without a California presence may believe a law passed in California does not affect their operations, but the California laws regulate all entities that serve or employ residents of California and collect revenue from selling personal data, even if the business exists outside the state. Therefore, if your business serves even one California resident, it is subject to the requirements set in the forthcoming CPRA.
The CCPA and CPRA define numerous rights for California residents, including specific rights regarding access and restricting use of data collected. The CCPA, a revolutionary advancement in data privacy laws, defines personal information broadly to give citizens sweeping protection from data collection. Under the CCPA, personal information includes common identifications such as address and full name, but goes further to include email addresses, credit card transactions, IP addresses, household information, and biometric data.
The CPRA takes this legislation a few steps further. The CPRA builds on the foundation of the CCPA, expanding its scope to include more businesses and defining a new category of information: “sensitive personal information.” This category includes social security numbers, sexual health or orientation status, biometric data, and geolocation data. Finally, the CPRA bolsters existing rights under the CCPA and adds new consumer rights such as the right to opt out of automated decision making and the right to not only access, but also correct data.