Four years later and still following in the footsteps of GDPR

Elizabeth Schweyen

It’s hard to believe the General Data Protection Regulation (GDPR) came into effect only four years ago in the European Union. Many organizations had implemented privacy programs in preparation for GDPR thinking it would be a “set it and forget it” type of endeavor. Much to their surprise, many countries continue to follow the EU’s lead in prioritizing privacy and enacting laws to protect their citizens. In this blog, I’ve summarized a few of the most recent changes to the privacy landscape that are important to keep in mind as your privacy program evolves.

United States

With an increased focus on the importance of data protection and the rise of privacy advocacy groups, it’s no surprise that states across the U.S. are passing their own privacy laws. Currently, five states have signed privacy bills which all go into effect in 2023. I’ve described those laws below and anticipate seeing many more states follow their lead as the year progresses.

California Privacy Rights Act (CPRA) — Effective January 1, 2023. The CPRA is an extension of the California Consumer Privacy Act (CCPA) which went into effect on January 1, 2020. The CPRA clarifies existing provisions of the CCPA, creates new consumer rights, imposes additional obligations on businesses that collect personal information from California consumers, and creates a new enforcement agency called the California Privacy Protection Agency. Additionally, it expands requirements around how organizations handle “Sensitive Personal Data.”

Colorado Privacy Act — Effective July 1, 2023. The Colorado Privacy Act protects Colorado residents and grants them certain rights concerning their personal data. Specifically, the Colorado Privacy Act permits consumers to submit authenticated requests to data controllers to: opt out of the processing of personal data for targeted advertising, sale or profiling; confirm if a controller is processing their personal data and to access that data; correct inaccuracies in a consumer’s personal data; delete personal data concerning the consumer; and, if technically feasible, obtain a copy of their data in a portable manner. These rights are consistent with both GDPR and CCPA.

Connecticut Data Privacy Act (CTDPA) — Effective July 1, 2023. Similar to its predecessors, Connecticut Data Privacy Act grants consumers various rights including obtaining a copy of their personal data, correcting inaccuracies, and confirming whether an organization is processing their personal data. Where the CTDPA diverges from other laws is within the threshold requirements. The CTDPA applies to businesses that target residents of the state and control or process the personal data of either: 1) 100,000 or more Connecticut residents, not including residents whose personal data is processed solely for the purpose of completing a payment; or 2) 25,000 or more Connecticut residents, where the business derives more than 25% of its gross revenue from the sale of personal data. It’s the first state law to exclude payment transaction data from the threshold to alleviate concerns from small businesses, restaurants, convenience stores, etc.

Virginia Consumer Data Protection Act (VCDPA) — Effective January 1, 2023. Like Europe’s GDPR and California’s CCPA, the VCDPA expands consumer rights to access, correct, delete, and obtain a copy of personal data provided to or collected by a company, and to opt-out of the processing of personal data for purposes of targeted advertising, sale, or profiling of the personal data. It also expands Virginia’s definition of personal data to include “Sensitive Data,” which includes race, religion, sexual orientation, mental or physical health diagnosis, biometric data, personal data collected from a known child, and precise geolocation. Similar to GDPR, the VCDPA also uses the controller/processor designations when identifying an organization’s responsibilities.

Utah Consumer Privacy Act — Effective December 31, 2023. UCPA builds off privacy legislation in California, Colorado, and Virginia, but lightens some of the compliance burdens on businesses. The UCPA does not impose any new privacy obligations on businesses that are not already required by the California Consumer Privacy Act (CCPA), and businesses will be familiar with the UCPA’s requirements — all of which have appeared in existing and forthcoming state data privacy laws. In a welcome change for businesses, however, the UCPA is narrower in certain respects compared to other state privacy laws.


India is prepared to update its data privacy laws, replacing the Information Technology Act of 2000. This would include new policies for data governance and cyber security known as the “Digital India Act.” This will also replace the proposed Personal Data Protection Bill. The Indian Government believes that the internet and technology should be defined by openness, safety, trust, and accountability for those that use these platforms, services, and products. The new Digital India Act will be a step toward improving the internet landscape and redefining laws that are over two decades old.


The Council of the European Union has formally adopted the Data Governance Act, which aims to boost data sharing in the EU. This will hopefully provide smaller companies and start-ups with access to more data that they can use to develop new products and services. With guardrails in place, the EU will be able to establish data marketplaces that businesses and citizens can trust. Organizations that want to participate will likely have to go through a certification process to ensure they have proper data protection measures in place.

Looking ahead and next steps

I’ve highlighted only a few regions with privacy regulations which are being passed, but there are many others around the world worth keeping in mind as you build your privacy program. A common theme across different regions is an emphasis on securing personal data from unauthorized access or unintended loss as well as providing consumers with inherent rights when it comes to how you process their data. It’s important to create a culture that fosters being a good steward of data and understands the responsibility that comes with processing the personal data of consumers, employees, and partners alike. 

Organizations should work with vendors that prioritize data protection and ensure the security of one of their most important assets — their data. Druva was architected for enterprise data security, protecting your data in flight and at rest in the Druva Data Resiliency Cloud. Customers trust Druva to protect their information with end-to-end enterprise data security while proactively and automatically monitoring data compliance across all workloads. Our compliance monitoring solution provides pre-built policy templates to monitor and respond to violations of regulations like GDPR, CCPA, HIPAA, and more. When combined with our advanced data loss prevention features and remote device encryption, employees back up, quickly recover, and safely access data from anywhere.

Visit the Druva site to learn more about our leading enterprise security and explore our enhanced compliance monitoring features in the new video below.