January 11, 2023

New Privacy Laws in 2023

A new year brings a whole host of new data protection laws and state privacy laws. If you happen to do business in or with residents in the US states of California, Virginia, Colorado, Utah, or Connecticut, or in Canada's Quebec province, then you need to pay attention.

Alternatively, if you're a resident in the aforementioned states, then great news, your privacy is better protected. But it does mean you'll likely see more annoying consent boxes in the very near future. Knowing what your rights are under these consumer and internet privacy laws means you can hold companies accountable and ensure your privacy is protected.

Most of the new privacy laws in 2023 are very similar to the EU's GDPR or California's CCPA, but there are a few differences worth being aware of. Here's an overview of the new data protection laws coming into play this year.


California Privacy Rights Act (CPRA)

The CPRA came into effect on January 1st and replaces and expands upon the California Consumer Privacy Act (CCPA). The CCPA, which was active from 2020, was the USA's first-ever state privacy law and was passed to protect the privacy rights of consumers who resided in the State of California.

In November 2020, Californian voters opted to extend the scope of the state's privacy laws by creating the California Privacy Rights Act and establishing the California Privacy Protection Agency to oversee its implementation. The “Agency” has full administrative power, authority, and jurisdiction for the CPRA, and is responsible for updating existing regulations and enforcing the new ones.

One of the most noteworthy differences between CCPA and CPRA is that the term “consumer” now also refers to a company's employees (if they are California residents). The extension now also means that there is more onus on businesses to ensure that their Californian consumers/employees are aware of their privacy rights from the point of data collection.

Other changes include:

  • An additional right of rectification that enables consumers to correct inaccurate personal information.
  • An update to the definition of “personal information”. Now, certain types of personal data such as Social Security numbers must be given special protection. In addition, consumers also have the right to limit the use/disclosure of such sensitive data (right to restriction).
  • Fines for breaches of children's data have been tripled.

You can read the full requirements and consumer rights as detailed by the CPRA here.

Virginia Consumer Data Protection Act (VCDPA)

The VCDPA has been heralded as a more succinct and straightforward version of the state privacy laws laid out in the CCPA (now CPRA) for the privacy rights of the residents of Virginia. It was the second privacy regulation to be passed in the States and has also recently come into effect on January 1st, 2023.

In much the same way as the CPRA, the VCDPA applies to companies that do business in Virginia, or that sell products or services to residents of Virginia. These companies don't have to be Virginia-based to be affected.

If they process the personal data of 25,000 or more Virginia residents and derive more than 50% of their gross revenue from the sale of personal data, then businesses need to be compliant with the VCDPA.

When it comes to collecting personal data or processing, consumer consent isn't required (unless that data is considered “sensitive”) and consumers must be given the option to opt out of data collection.

Businesses should note that under the VCDPA it's not enough to inform consumers about their rights; they should also tell them how to exercise those rights. Compliance is worth the effort, since non-compliance with the VCDPA can result in fines of up to $7,500 per violation. The fines are pretty much in line with California state privacy laws, but potentially much less than GDPR fines.

For consumers, if you believe a company has violated your VCDPA right, there is no private right of action, which means that you can't sue them. Instead, complaints can be directed to the Virginia Attorney General who would investigate and take any necessary legal action.

Click on the link for full details on what is included in the VCDPA data protection laws.

Colorado Privacy Act (CPA)

The third set of state privacy laws to come into effect in 2023 is in Colorado. Signed into law back in July 2021, the Colorado Privacy Act (CPA) will go into effect on July 1, 2023. Much like its predecessors, this comprehensive privacy law is meant to protect the rights of Colorado residents.

It applies to any legal entity conducting business in Colorado or those delivering products or services to Colorado residents that either:

  • control or process the personal data of 100,000 or more consumers per annum, or
  • control or process the personal data of 25,000 or more consumers and derive revenue or receive a discount on the price of goods or services from the sale of personal data.

While CPA is pretty standard and in line with the other data protection laws, the one main difference is that there is no revenue threshold for businesses.

When it comes to non-compliance fines, there is no statutory framework. Instead, penalties for CPA violations are determined by the Colorado Consumer Protection Act and fines could be as high as $20,000 per violation.

Consumer rights under the CPA include the right to access the data collected, the right to delete, the right to correct, and the right to data portability. It also includes the right to opt out of the processing of personal data for targeted advertising, for the sale of personal data, or in certain instances of profiling.

Click the link to discover the full details of the Colorado Privacy Act.

Utah Consumer Privacy Act (UCPA)

Joining the ranks of the state privacy laws for 2023 is the Utah Consumer Privacy Act (UCPA) which will come into effect right at the end of the year on December 31st, 2023.

As you might expect, the UCPA is designed to protect the privacy rights of residents of Utah and to do so, has created a set of regulations for entities doing business in the state to abide by.

It applies to businesses (either in the state or those providing products or services to Utah residents) that have an annual revenue of $25,000,000 or more and meet one of the following thresholds:

  • controls or processes personal data of 100,000 or more consumers per year, or
  • derives over 50% of the entity's gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more consumers.

Having multiple criteria narrows the scope of applicability and excludes smaller SMEs, which is what makes the UCPA the most “business-friendly” data protection law in the country.

But what about the consumers and residents of Utah? Well, the UCPA consumer rights closely mirror the other state privacy laws. Individuals have the right to access the collected personal data, delete that data, request a portable copy of it, and opt out of the sale or processing of personal data for targeted advertising.

Click the link for more details about the requirements and the rights afforded by UCPA.

Connecticut Data Privacy Act (CTDPA)

Connecticut will bring in its own state privacy laws taking effect on July 1, 2023, with the Connecticut Data Privacy Act (CTDPA). Connecticut is the fifth US state to pass a state privacy law, and much of it is similar to the ones that have come before it.

The CTDPA protects the privacy rights of browsers and buyers in the Constitution State. It applies to companies conducting business in Connecticut or targeting their products or services to Connecticut residents that meet one of two criteria:

  • they control or process the personal data of at least 100,000 consumers, or
  • they control or process the personal data of 25,000 or more consumers and derive over 25% of gross revenue from the sale of personal data.

It also applies to service providers, otherwise known as “processors”. This includes any entity that provides services involving personal data on behalf of any other business.

As well as a clearly worded privacy notice, data controllers must also inform consumers how to exercise their rights as provided by the CTDPA, and provide an easily accessible opt-out link. The CTDPA will extend this to a universal opt-out as of January 1, 2025. Any non-compliant entity could face fines of up to $5,000 per violation.

To know more about the consumers' rights and businesses' obligations under the CTDPA, check out the FAQs on Connecticut's official state website.

Quebec Bill 64

Americans aren't the only ones getting on the state privacy laws bandwagon. Québec is the first jurisdiction in Canada to update its privacy legislation with Bill 64. The Bill leans much more toward the European Union's General Data Protection Regulation than it does toward any of its US neighbors.

Quebec Bill 64 was actually introduced in September 2022, but most of the new provisions will be brought in in September 2023, and more later in 2024.

Already in place is the requirement of an appointed privacy officer, and breach reporting. 2023 will see the implementation of numerous policies about data processing, assessments, and greater transparency. In terms of consumers' consent, businesses will have to obtain it explicitly and freely, with additional consent required for the secondary use of sensitive personal data. The right to data portability is set to be introduced next year.

For non-compliance, there are different categories of penalties, but an entity could face fines up to CAD 25,000,000, or 4% of the global turnover of the previous year, whichever is greater. Should a business not learn its lesson after the first offense, Bill 64 fines may be doubled.

Click the link to find out more about individual rights and business requirements under Quebec Bill 64.

Although there are many developments and new state privacy laws in 2023, many of them are based on the GDPR and are presented in the same way. But is it the best foundation? Read more: The Ugly Truth of GDPR.

Ruby M
Hoody Editorial Team

Ruby is a full-time writer covering everything from tech innovations to SaaS, Web 3, and blockchain technology. She is now turning her virtual pen to the world of data privacy and online anonymity.
