Website operators are at a pivotal moment in history when it comes to consumer data privacy. Although this sounds a bit ominous, we cannot emphasize this point enough: companies that conduct business online must seriously consider the wave of new state privacy laws that will go into effect in 2023. The various laws, which we will expound upon below, regulate what information businesses may collect, use and share, as well as how related notice and consent must be conveyed and obtained. Readers of our blog know that these laws have been in the works for some time. Now is the moment to take a closer look as 2023 is just around the corner.
A Brief Synopsis of New State Privacy Laws
In order to be compliant with new state privacy laws, among other measures, website operators will certainly need to update their privacy policies. And to do that, businesses must be aware of the detailed new regulations, as well as when they go into effect. The laws all restrict the ways in which companies may collect, use, and share consumer personal information without regulatory repercussion. Of course, each state has enacted its own version of legislation to suit its constituency’s needs.
California’s State Privacy Law
In November 2020, California voters approved Proposition 24, also known as the California Privacy Rights Act (“CPRA”). The CPRA expands the consumer data privacy protections present in the California Consumer Privacy Act (“CCPA”). The CPRA creates numerous new obligations concerning the collection, use, sale, and sharing of personal information. For example, the CPRA contains a new, regulated category of data, referred to as “sensitive personal information.” This covers biometric data, precise geolocation, and government identifiers, such as Social Security Numbers and driver’s license numbers. Consumers will be able to prescribe how businesses use their sensitive personal information, including prohibiting the disclosure of sensitive personal information to third parties under certain circumstances. The CPRA will go into effect on January 1, 2023.
Colorado’s State Privacy Law
The Colorado Privacy Act (“CPA”) will apply to “legal entities that conduct business or produce products or services that are intentionally targeted to Colorado residents” and that also satisfy at least one of the following criteria: 1) control or process the personal data of more than 100,000 consumers in a calendar year; or 2) derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers. The CPA includes several consumer privacy rights that are included in the CCPA. For example, the CPA affords consumers the right to: 1) opt out of the processing of their personal data; 2) access, correct or delete their data; and 3) obtain a portable copy of their data. The law goes into effect on July 1, 2023.
Connecticut’s State Privacy Law
The Connecticut privacy law follows Colorado’s example in many ways. Notable provisions include data subject rights and limits on targeted advertising. The Connecticut law applies to businesses that either: (1) process the personal data of at least 100,000 Connecticut State consumers per year; or (2) process the personal data of at least 25,000 Connecticut State consumers per year and derive at least 25% of their gross revenue from the sale of consumer personal data. The law also includes the following consumer privacy rights:
- Right to Access: the right to access a copy of personal data in a covered company’s possession.
- Right to Amend: the right to amend or correct any consumer personal information in a covered company’s possession.
- Right to Deletion: the right to request that a covered company delete personal data in its possession.
- Right to Opt-Out: the right to opt out of the processing of personal data for:
  - Targeted Advertising; and
  - Profiling in furtherance of automated decision making that produces legal or other significant effects on consumers.
Connecticut’s state privacy law goes into effect on July 1, 2023.
Virginia’s State Privacy Law
In 2021, Virginia passed the Consumer Data Protection Act (“CDPA”), marking the Commonwealth’s entry into the state data privacy law field. In this year’s legislative session, the Commonwealth passed important amendments to the CDPA. The CDPA will apply to people and businesses that “conduct business within [Virginia] or that produce products or services that are targeted to [Virginia] residents” and: 1) “control or process personal data of at least 100,000” Virginians during a calendar year; or 2) “control or process personal data of at least 25,000 [Virginians] and derive over 50 percent of gross revenue from the sale of personal data.” Please note that “personal data” is defined broadly in the CDPA to include any information that is linked to or could reasonably be linked to an individual, but excludes deidentified or publicly available information. The law goes into effect on January 1, 2023.
Utah’s State Privacy Law
The Utah Consumer Privacy Act (“UCPA” or the “Act”) was passed in March 2022 and will not go into effect until December 1, 2023. Utah was the fourth state to pass comprehensive consumer data privacy legislation. The Act applies only to companies that make over $25 million in annual revenue. Further, the Act will only regulate companies that conduct business within the State of Utah or target Utah residents and either: (1) control or process personal data of 100,000 or more consumers during a year; or (2) control or process personal data of 25,000 or more consumers and derive over 50% of gross revenue from the sale of this personal data.
The UCPA also contains standard consumer data protections, providing consumers with the right to:
- access and correct certain personal data;
- opt out of the collection and use of personal data for certain purposes;
- know what personal information a business collects, how the business uses this personal information, and whether the business sells the personal information;
- require a business to delete personal information; and
- prohibit a business from selling their personal information.
How to Comply with State Privacy Laws
Given that there are no comprehensive federal consumer data privacy regulations yet in effect which preempt the foregoing state laws, businesses must continue to monitor evolving state privacy law developments and work quickly to become compliant when relevant regulations are enacted.