New State Privacy Laws Taking Effect in 2023
By Valerie Nussenblatt
Comprehensive data privacy laws are going into effect in five states in 2023. Businesses operating nationwide should take steps to ensure that they comply with these new state laws that will regulate the collection, use and sharing of personal information. The legislatures in Virginia, Utah, Colorado and Connecticut have passed new privacy laws and California passed new legislation amending the existing California Consumer Privacy Act (“CCPA”). Companies that are already in compliance with the CCPA and the European Union’s General Data Protection Regulation (“GDPR”) will still need to make adjustments to comply with these new laws, such as updating privacy notices, extending additional rights to consumers and updating contracts with vendors.
The legislatures in Virginia, Utah, Colorado and Connecticut have passed privacy laws that will come into effect in 2023, and California passed new legislation amending the CCPA that also comes into effect this year. The Virginia Consumer Data Protection Act (“VCDPA”) and the California Privacy Rights Act (“CPRA”) went into effect on January 1, 2023. The Colorado Privacy Act (“CPA”) and the Connecticut Data Privacy Act (“CTDPA”) will come into effect in July 2023, and the Utah Consumer Privacy Act (“UCPA”) will come into effect at the end of the year, in December 2023. These laws govern businesses that conduct business in the respective states or otherwise target consumers in those states and that process and/or profit from the sale of personal data. Each law gives consumers rights over their personal data and the means to enforce those rights.
Although these state privacy laws have some significant similarities, some requirements also deviate from state to state. Similar to the CCPA and the GDPR, these state laws establish certain rights for their residents with respect to personal data and generally require certain disclosures to consumers regarding the processing of personal information. Each of these new privacy laws also gives consumers the right to access, correct (except for Utah) and delete personal data, the right to obtain a portable copy of the data, and the right to opt out of the use of data for targeted advertising purposes. These laws also provide consumers with additional rights to control the processing of their ‘sensitive personal data’, such as genetic, biometric or geolocation data, information revealing racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, or medical information.
The new California Privacy Rights Act (“CPRA”) creates a California Privacy Protection Agency and extends rights already provided by the CCPA by creating an additional consumer right to correct inaccuracies in personal information and the right to limit how sensitive personal data is processed. Only the Virginia, Colorado and Connecticut laws require consent before a business may process sensitive personal data.
Other differences include the length of the cure periods that the laws give businesses after an enforcement agency notifies them of a violation. Only California provides a private right of action, under which consumers can enforce their rights directly against the business in the case of a data breach. Additionally, except for California, each of the new 2023 state privacy laws provides exemptions for personal information collected in employment and commercial contexts.
When taking steps to ensure compliance, companies should first determine whether they meet the thresholds that make them subject to each of the new state privacy laws. These thresholds vary from state to state: some, for example, are based on a business’s minimum annual revenue, while others are based on a minimum percentage of gross revenue derived from the sale of consumers’ personal information.
Each law has specific requirements for conducting a data protection risk assessment for ‘high risk’ processing activities. Businesses should make sure that data security safeguards and data breach preparedness are appropriate for the level of risk associated with the data collected and meet legal requirements.
Companies should determine whether they are engaging in certain activities that would trigger additional requirements under these laws. For example:
Are you processing sensitive personal information?
Are you sharing personal information with third parties for cross-context behavioral advertising?
Are you conducting profiling activities?
Does your disclosure of personal information to third parties constitute a ‘sale’ of personal information?
As a start, some questions to consider as businesses prepare for compliance with these laws include:
Have you identified the types, locations and uses of personal information collected or used by your business?
Have you updated and posted your privacy policies on your website?
Have you developed an administrative process to manage consumer data subject requests?
Have you identified service providers, contracts and third parties that collect or use personal information and have you ensured that the agreements with such parties comply with any state law requirements?
In the absence of a uniform federal privacy standard, companies operating nationwide should take steps to prepare for the new changes in the laws, if they have not yet done so, to make sure that they comply with the most stringent requirements.