Get Instant Access
to This Blueprint

Security icon

Comply With 2023 US Privacy Laws (Virginia, Connecticut, Utah, Colorado)

Establish an integrated and holistic program to streamline your compliance efforts.

  • While the legislation landscape is constantly changing, organizations are struggling to stay abreast of the new obligations and understand what the laws and regulations entail.
  • Companies, especially for-profit companies, are driven by sales and revenues. Data is considered a commodity. There is a long way to go with respect to changing the mindset and culture of data protection.
  • It is not uncommon that privacy programs are underfunded, de-prioritized, and understaffed due to the disconnection between business strategy and privacy program.

Our Advice

Critical Insight

The privacy legislation landscape is constantly changing in the U.S. and privacy protection will become more complicated before it is simplified. Your organization should implement an integrated and holistic privacy program to simplify and streamline the compliance effort.

Impact and Result

  • Organizations need to employ a systematic approach in establishing and operationalizing risk-based and right-sized privacy programs.
  • Building a strong foundation is key to success by focusing on fulfilling core obligations such as establishing a data inventory, performing DPIAs, responding to DSAR requests, etc.
  • Privacy and data protection can’t stand alone. Engaging with your stakeholder and getting buy-in as early as you can. Privacy principles should be embedded into business processes.

Comply With 2023 US Privacy Laws (Virginia, Connecticut, Utah, Colorado) Research & Tools

1. Comply With 2023 US Privacy Laws Deck – Research that helps you understand the privacy obligations, perform the readiness gaps, and implement privacy controls to be compliant with US privacy laws and regulations enacted by four states.

Compliance with privacy laws and regulations is essential for protecting personal information and maintaining the trust of customers and stakeholders. Organizations that are subject to privacy laws in the states of Virginia, Connecticut, Utah, and Colorado should take proactive perspectives to implement a holistic privacy framework and stay away from a fragmented, inconsistent, and ineffective approach.

2. US Privacy Law Scope and Readiness Assessment Tool – This tool provides you with a checklist to start assessing the applicability and privacy compliance readiness level for the privacy and data protection laws and regulations enacted by four US states.

This tool provides a scope assessment questionnaire for each of the following privacy laws. Each questionnaire consists of questions that are designed to help organizations determine whether they are subject to the applicable laws. It also establishes privacy controls to help organizations assess gaps and determine current privacy protection readiness levels.

3. Privacy Framework Tool – This tool provides you with a framework to start evaluating how to build your own privacy program.

This tool includes a gap analysis exercise in tab 2, which provides mapping to various privacy laws and regulations such as GDPR, PIPEDA, CCPA/CPRA, Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, HIPAA, GLBA, POPIA 2013, and NIST Privacy Framework etc. The additional tabs assist with the prioritization of these different projects.


Comply With 2023 US Privacy Laws

(Virginia, Colorado, Connecticut, and Utah)

Establish an integrated and holistic program to streamline your data protection compliance efforts.

Analyst Perspective

Be accountable, be proactive, be diligent.

Alan Tang

The development and usage of information technologies have drastically increased the collection and processing of personal information by organizations. With the rise of the internet and digital devices, personal information such as names, addresses, contact, geolocation, and financial information is being collected and stored by various entities.

The increasing amount of personal data being collected has made privacy and data protection a significant concern for individuals. For organizations, the implications of a data breach can be severe, including damage to reputation, loss of customer trust, and legal and financial penalties.

Although there’s limited protection for consumer data nationally, some states are taking the matter into their own hands. The Virginia Consumer Data Protection Act came into effect on January 1, 2023. The Colorado Privacy Act and Connecticut Data Privacy Act will be effective on July 1, 2023. The Utah Consumer Privacy Act will come into effect on December 31, 2023.

Compliance with privacy laws and regulations is essential for protecting personal information and maintaining the trust of customers and stakeholders. Organizations that are subject to those privacy laws should take proactive perspectives to implement a holistic privacy framework and stay away from a fragmented, inconsistent, and ineffective approach. Collaborating with business stakeholders and embedding privacy by design into business processes are imperative to drive compliance initiatives and programs.

Alan Tang

Principal Research Director, Security & Privacy
Info-Tech Research Group

Executive Summary

Your Challenge

  • While the legislation landscape is constantly changing, organizations are struggling to stay abreast of the new obligations and understand what the laws and regulations entail.
  • Companies, especially for-profit companies, are driven by sales and revenues. Data is considered a commodity. There is a long way to go with respect to changing the mindset and culture of data protection.
  • It is not uncommon that privacy programs are underfunded, deprioritized, and understaffed due to the disconnection between business strategy and the privacy program.

Common Obstacles

  • Although there are various sectoral privacy laws such as HIPAA, FERPA, etc., to private companies that are not subject to those regulations, privacy protection is still a relatively new concept and may require significant cultural change.
  • For many organizations, privacy and data privacy have limited visibility to the senior management team to make risk-aware decisions.
  • Ineffective data management practices hamper data protection foundations such as understanding what data is being collected, where the data resides, how the data is being used, etc.

Info-Tech's Approach

  • Organizations need to employ a systematic approach in establishing and operationalizing risk-based and right-sized privacy programs.
  • Building a strong foundation is the key to success through core requirements (i.e. data inventory, data flow map). Conduct privacy impact assessments that enable your organization to assess the privacy risks and comply with applicable data subject rights.
  • Privacy and data protection can’t stand alone. Engage with your stakeholders and get buy-in as early as you can. Privacy principles should be embedded into business processes.

Info-Tech Insight

The privacy legislation landscape is constantly changing in the US and privacy protection will become more complicated before it is simplified. Your organization should implement an integrated and holistic privacy program to simplify and streamline the compliance effort.

Current landscape and effective dates

As of Feb. 6, 2023, five US states have enacted comprehensive privacy laws. Aside from that, 11 US states are working on 26 active privacy Bills.[1] At the federal level, 51 active privacy-related Bills have been proposed and 18 of them are consumer privacy laws.[2] Eighty-nine percent of companies surveyed have increased their budgets to prepare to meet the obligations set forth by the new consumer privacy laws.[3] This research will mainly focus on the following four privacy laws.

Effective Dates of the Four Privacy Laws

Effective dates of the four privacy laws for each State (Virginia, Colorado, Connecticut, Utah).  Shows Statute/bill, Act, Date into Law, Effective date and Civil fines.

Compliance Budget Increased in Complying With New US State Privacy Laws[3]

Forty-five percent of surveyed organizations increased their compliance budgets by 10%-20%, and nearly a quarter of respondents (24%) have increased them by 20% or more. Only 11% have not increased their compliance budgets.

Forty-five percent of surveyed organizations increased their compliance budgets by 10%-20%, and nearly a quarter of respondents (24%) have increased them by 20% or more. Only 11% have not increased their compliance budgets.

[1] US State Privacy Legislation Tracker, IAPP, Feb. 3, 2023.
[2] US Federal Privacy Legislation Tracker, IAPP, December 2022.
[3] State of US Data Privacy Law Compliance Survey Report, Womble Bond Dickinson, Jun 22, 2022.

Info-Tech Insight

A privacy program is not a one-and-done effort. The effective date is the start date not the end date of your privacy program. Don’t ask for a budget to barely get yourself across the effective date. You need the resources to operationalize and maintain the processes.

Applicability and exemptions

The four US state privacy laws provide quite a range of exemptions from both entity and data levels in addition to the traditional threshold approach. In general, the privacy laws aim to exempt the entities who are subject to other existing privacy laws such as HIPAA, GLBA, or FCRA.

Who is covered, Entity-level exemptions, Data-based exemptions for each of the four privacy laws.

Although there are options for some exemptions, it is important to note that each organization needs to do an analysis on each of their business areas to determine if they can qualify for any of the exemptions.

Comply With 2023 US Privacy Laws (Virginia, Connecticut, Utah, Colorado) preview picture

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Talk to an Analyst

Our analyst calls are focused on helping our members use the research we produce, and our experts will guide you to successful project completion.

Book an Analyst Call on This Topic

You can start as early as tomorrow morning. Our analysts will explain the process during your first call.

Get Advice From a Subject Matter Expert

Each call will focus on explaining the material and helping you to plan your project, interpret and analyze the results of each project step, and set the direction for your next project step.

Unlock Sample Research

Author

Alan Tang

Contributors

  • Sheila Fitzpatrick, President and Founder, FitzPatrick & Associates
  • Dr. Lisa McKee, Ph.D., CISA, CDPSE, CRISC, Founding Partner, American Security and Privacy
  • Teresa (T) Troester-Falk, CEO and Founder, BlueSky Privacy
  • Bill Schaumann, Independent Privacy Consultant, Practical Privacy LLC
  • Suzette Corley, CIPM, CDPP, Privacy Auditor and Practitioner, KirkpatrickPrice
  • Fritz Jean-Louis, Principal Cybersecurity Advisor, Info-Tech Research Group
  • Erik Avakian, Technical Counselor, Info-Tech Research Group
Visit our Exponential IT Research Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019