New Data Privacy Laws and How to Leverage Technology to Address Them

The one constant about data privacy laws and regulations today is change. In the past few years, we have seen laws enacted that tighten data privacy compliance and demand protection of sensitive personal data. In this article, we provide an update on new US privacy laws that: 1) have been enacted and 2) are going into effect in 2023 and beyond. We also discuss how you can leverage technology to identify and protect sensitive personally identifiable information (PII) today to stay compliant within the continuously evolving data privacy landscape.

US Data Privacy Laws Update

At the end of 2022, there was only one state with an active comprehensive data privacy law in effect: California. The California Consumer Privacy Act (CCPA) passed in 2018 and went into effect January 2020. Today, there are two states with comprehensive data privacy laws in effect, and three additional states with similar laws taking effect later in 2023. Three more states enacted and passed comprehensive data privacy laws in 2023 and one additional state has passed a law that is waiting for governor signature as of this publication date. Moreover, there is a national comprehensive data privacy law gaining some traction.

New Data Privacy Laws Already in Effect in 2023

• Virginia: In 2021, Virginia passed its Consumer Data Protection Act (CDPA), which took effect on January 1, 2023.

• California: In 2020, Californians voted to replace the CCPA with the California Privacy Rights Act (CPRA), which is more stringent in protecting the data privacy rights of consumers than CCPA was. It also took effect January 1, 2023.

Data Privacy Laws Going into Effect in 2023

• Colorado: In 2021, Colorado passed the Colorado Privacy Act (CPA), which will go into effect July 1, 2023.

• Connecticut: Last year, Connecticut passed the Connecticut Data Privacy Act (CTDPA), which will also go into effect July 1, 2023.

• Utah: In 2022, Utah passed the Utah Consumer Privacy Act (UCPA), which will go into effect December 31, 2023.

New Data Privacy Laws Enacted and Passed in 2023

Four additional states have enacted a comprehensive data privacy law in 2023.

In March, Iowa became the sixth US state to enact comprehensive consumer privacy legislation, with Governor Kim Reynolds signing Senate File 262 after it was unanimously passed by the Iowa Senate and House. It will take effect on January 1, 2025.

In May:

• Indiana Senate Bill 5 was signed into law on by Governor Eric Holcomb as the Indiana Consumer Data Protection Act. It will take effect on January 1, 2026.

• Montana Governor Greg Gianforte signed the Montana Consumer Data Privacy Act (MTCDPA). It will go into effect October 1, 2024.

• Tennessee Governor Bill Lee signed the Tennessee Information Protection Act (TIPA). It will take effect on July 1, 2025.

Comprehensive Federal Data Privacy Law Update

The US is one of the only developed countries in the world without a comprehensive national data privacy law. However, the American Data Privacy and Protection Act (ADPPA) became the first American consumer privacy bill to make it out of committee, which it did with a vote of 53 to 2 in favor. Nonetheless, the bill has sparked concerns about how it could undermine protections from state data privacy laws, especially in California, which represented the two “no” votes in committee. So far, the bill has not progressed since the committee vote in July 2022.

Leveraging Technology to Comply with Data Privacy Laws

With continuous changes in the data privacy landscape, identifying and protecting sensitive PII through redaction is more important than ever. Yet, it can also be more challenging in the era of big data, not just in terms of the volume of data, but also the variety of data formats. Here are three ways to leverage technology to address those challenges and automate redaction of sensitive data:

• Automatic Redaction: This is a process of locating sensitive information via patterns and redacting it from documents. Automating the redaction process means creating and running jobs that identify and redact patterns you want redacted – such as phone numbers, email addresses, credit cards, social security numbers (or other national ID numbers), gender, dates, and IP addresses. Automatic redaction streamlines the process of identifying and redacting sensitive PII from a large collection of documents.

• Spreadsheet Redaction: Some document types have special needs or challenges, such as spreadsheets, which may often include lists of sensitive data for individuals. For spreadsheets, the ability to remove rows, columns, worksheets, formulas, cells (or partial cells) quickly and effectively is vital to protecting sensitive data when spreadsheets are shared, distributed, and produced.

• Audio and Video Files: With so many workforces distributed remotely and an increasing reliance on mobile devices to get work done, audio and video (A/V) files are significantly more prevalent in data collections today. The ability to efficiently review multimedia files and easily redact audio files is a “must have” to protect sensitive information contained within those files.

Because data privacy laws are continually changing, it is important to leverage auto redaction capabilities as well as the ability to efficiently redact non-standard file formats – such as spreadsheets and A/V files – for cost effective compliance. The stakes for not protecting sensitive data are higher than ever.

Visit KLDiscovery’s website to learn more about our and technologies, including our redaction capabilities.