United States of America: Implemented Consumer Data Privacy Act (HF 4757) including cybersecurity measures

On 31 July 2024, the Consumer Data Privacy Act (HF 4757) comes into effect. The Act is applicable to legal entities conducting business in the state or providing products or services aimed at state residents. Specifically, it pertains to entities that, within a calendar year, either control or process the personal data of at least 100’000 consumers or derive over 25% of gross revenue from the sale of personal data and process the personal data of at least 25’000 consumers. Small businesses, as defined by the United States Small Business Administration, are exempt from the provisions of the Act. The Act mandates that controllers establish, implement, and maintain reasonable administrative, technical, and physical data security practices to safeguard the confidentiality, integrity, and accessibility of personal data. This includes maintaining an inventory of the data necessary to fulfil these responsibilities. The data security practices have to be appropriate to the volume and nature of the personal data involved.