Data Privacy Laws, Explained
There's no single US privacy law. There are twenty — and counting. Here's what actually applies to a South Florida business, and what it means for your IT.
The Short Version
Unlike Europe, the United States has no comprehensive federal privacy law. Instead, you have a patchwork of state laws, each with its own rules, thresholds, and enforcement mechanisms. If you have customers or employees in multiple states, multiple laws apply to you simultaneously.
The practical impact: the law where your customer lives often matters more than the law where your business lives. A Florida law firm with California clients answers to California's privacy regulator.
The Laws That Matter Most
- Florida Digital Bill of Rights (FDBR): Effective July 2024. Applies to businesses with over $1B in gross revenue that meet additional criteria — narrow in scope, but a signal of where Florida is heading.
- Florida Information Protection Act (FIPA): Requires notification within 30 days after a breach of personal information affecting Florida residents. Applies to any business handling personal data.
- CCPA / CPRA (California): Applies to businesses meeting revenue or data thresholds that process California residents' data. Consumer rights to access, delete, and opt out. Enforced by the California Privacy Protection Agency.
- VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah): Similar consumer rights frameworks, with state-specific thresholds.
- State breach notification laws: All 50 states have them. Time limits vary — some as short as 30 days.
- Sector-specific laws: HIPAA (health), GLBA (financial), FERPA (education), COPPA (children) each have their own data handling rules.
What These Laws Require From Your IT
Despite the differences between laws, they share common technical requirements:
- Data inventory: Know what personal data you collect, where it lives, and who can access it
- Reasonable security: "Reasonable" is defined by regulators as effectively the NIST or CIS baseline — encryption, access control, MFA, patching, logging
- Access control: Role-based permissions, unique user accounts, MFA on sensitive systems
- Encryption: Data at rest (disk, database, backups) and in transit (TLS)
- Data minimization: Don't collect what you don't need. Don't keep it longer than required.
- Vendor management: Data processing agreements (DPAs) with every vendor handling personal data
- Consumer request handling: Ability to find, export, and delete an individual's data on request
- Breach detection: Monitoring and logging sufficient to know when data has been accessed improperly
- Incident response plan: Notification procedures, legal contacts, and timelines documented in advance
What Happens When You Don't Comply?
- Florida (FIPA): Up to $500,000 in civil penalties for failure to notify
- California (CCPA/CPRA): $2,500 per unintentional violation, $7,500 per intentional, plus private right of action for breached consumers
- State AG enforcement: State attorneys general can sue for violations, including patterns of non-compliance
- Class actions: Several states permit private lawsuits; damages scale with the number of affected consumers
- Reputational damage: Breach notification letters are public — and memorable
- Multi-state exposure: One breach can trigger notification obligations in every state where affected individuals reside
How Digital Armor Helps
We approach privacy from the technical side — the part that actually determines whether you can comply:
- Data inventory — we map where personal data lives across your systems
- Encryption across disk, database, email, and backups
- Role-based access controls and multi-factor authentication
- Audit logging and breach detection
- Data minimization and defensible retention policies
- Vendor security review and DPA tracking
- Incident response plan — written, tested, and coordinated with legal counsel
- Breach notification playbook covering the states where your data lives
Do You Know Where Your Customer Data Actually Is?
Most small businesses don't — not because they're careless, but because data spreads across email, cloud drives, CRMs, and spreadsheets over time. We map it, then secure it. That's how privacy compliance starts.