New U.S. GRC Regulations 2024: What You Need to Know
The U.S. Governance, Risk Management, and Compliance (GRC) landscape is changing rapidly in 2024 as new regulations take effect. These regulations impose stricter data privacy obligations and expand consumer rights. Organizations must strengthen their data security programs and their consumer privacy commitments or face penalties.
Here are a few examples of new 2024 U.S. GRC regulations:
- Utah Consumer Privacy Act (UCPA): Effective December 31, 2023, this is a business-friendly data privacy law with high applicability thresholds. For sensitive data it requires only notice and an opportunity to opt out, rather than affirmative consent, and it does not require data protection assessments for high-risk processing activities.
- HB 2052: Oregon's data broker registration law, which went into effect January 1, 2024. It requires data brokers operating in Oregon to register with a designated state authority. The law is part of a broader U.S. trend toward tighter regulation of how consumer data is handled and used, with an emphasis on transparency, accountability, and consumer protection in the digital economy.
- California Delete Act: Starting January 1, 2024, data brokers in California must register with the California Privacy Protection Agency (CPPA) instead of the Attorney General's Office, as mandated by the Delete Act.
- Colorado Universal Opt-Out Mechanisms (UOOMs): On December 28, 2023, the Colorado Attorney General's Office published its list of recognized UOOMs, meeting the deadline set by Colorado Privacy Act Rule 5.07. The Global Privacy Control is the primary mechanism on that list. By July 1, 2024, controllers (the businesses or entities that determine the purposes and means of processing personal data) must honor the listed UOOMs, subject to the conditions on recognition set out in the statute and regulations.
At the federal level, the Federal Trade Commission (FTC) has announced its intent to propose new regulations strengthening consumer protections for biometric data collection, which would affect businesses across many sectors. Those regulations are expected to be introduced by late 2024, signaling a significant shift in how biometric data must be handled and protected.
Final Thoughts
The number of new U.S. GRC regulations covering data security and consumer privacy will only grow. Beyond tracking changing regulations, organizations need flexible processes and strategies so that when a new regulatory requirement arrives they can align with it quickly.