In 2023, new consumer privacy laws will be effective in California, Colorado, Connecticut, Utah, and Virginia. These laws will come online throughout the year as follows:
At the end of this article is a link to a summary chart, comparing key components of these laws. Additionally, for a more in-depth discussion of California, Virginia, and Colorado’s laws, review our prior article here. As an overview, the laws of each state share high level similarities in consumer rights, but the various laws fall into three buckets, with Colorado, Connecticut, and Virginia’s laws being closely related, Utah’s law representing a slight deviation from those, and California’s off on its own. It is important to note that the California Consumer Privacy Act (“CCPA”) is currently in effect, but the comparisons below and the summary chart consider the California law after January 1, 2023, the effective date of CCPA amendments adopted through the California Privacy Rights Act (“CPRA”).
The Colorado, Connecticut, Virginia, and Utah laws adapt terminology from the European Union’s General Data Protection Regulation (“GDPR”) and apply to “controllers,” defined to include persons that determine the purposes for and means of processing personal data and that (i) conduct business or produce goods or services that are intentionally targeted to state residents, and (ii) either: (A) control or process the personal data of more than 100,000 residents per year; or (B) derive varying shares of total revenue from the sale of personal data of at least 25,000 residents. Utah also includes a revenue threshold of $25,000,000 or more, like California. Colorado, Connecticut, Virginia, and Utah all include exemptions for personnel and business-to-business information, which is a major issue in California given that these exemptions will sunset on January 1, 2023, as we discuss briefly here. Notably, the states other than California exempt financial institutions subject to the federal Gramm-Leach-Bliley Act of 1999 (the “GLBA”) at the entity level; in California, only data collected subject to the GLBA (rather than the institutions themselves) is exempt from the CCPA.
2. Consumer Rights
The consumer rights provided by all of the state laws are similar. They provide rights of access, correction, portability and deletion, as well as rights to limit processing and to opt out of sales of data, profiling and targeted advertising.
3. Requirements for Processors/Service Providers
Although California uses different terminology, all five states also require controllers (or businesses in California) to enter into contracts (including specific terms) with processors (service providers or contractors in California), which are defined as third parties that process personal data on the controller’s behalf, and to protect the information they process with at least reasonable data security.
4. Data Protection Assessments
Colorado, Connecticut, and Virginia all require the performance of Data Protection Assessments (“DPAs”) prior to performing certain processing activities considered “high risk.” This includes processing of “sensitive data,” which includes health data, genetic or biometric data, children’s data, or data that would reveal an individual’s race, ethnicity, sexual orientation, sex life, or citizenship status. DPAs will also be required for targeted advertising or profiling if the processing could result in a wide variety of otherwise reasonably foreseeable risks to residents. Notably, the CPRA’s amendments to the CCPA add two new types of assessments in California: one for processing, similar to the DPA, and another for cybersecurity. As we discuss briefly here, California has yet to provide any guidance on requirements for these new assessments.
Enforcement is one of the areas where the states have noticeably diverged. Colorado’s law is enforced by its Attorney General and District Attorneys, while the Attorneys General will be responsible for enforcement in Connecticut, Utah, and Virginia. In California, a newly formed agency, the California Privacy Protection Agency, will be charged with enforcement. While all other states retained a right to cure for alleged violations, California removed its cure provision entirely. The lack of a cure period, in combination with its new, dedicated enforcement agency, may indicate higher enforcement risk in California than in the other states.