A Busy Year for U.S. Privacy Laws
2023 is shaping up to be a significant year for data privacy in the U.S., with several notable developments. On January 1, the California Privacy Rights Act and the Virginia Consumer Data Protection Act came into effect, ushering in a new era of privacy regulations. Connecticut, Colorado, and Utah are set to implement their own privacy laws later this year, adding to the landscape of data protection measures. Indiana, Montana, Iowa, and Tennessee also adopted privacy acts, which are set to go into effect in 2024 to 2026. These developments demonstrate the increasing importance placed on safeguarding individuals’ personal information in the U.S. and reflect the ongoing efforts to enhance privacy practices across the nation.
The State of Privacy in the U.S.
Unlike the European Union, the U.S. lacks a comprehensive privacy framework to establish a universal standard for the processing of personal information (also called personal data). In the absence of such a law, various U.S. states have taken it upon themselves to enact their own privacy laws to safeguard the personal information of their residents.
Although these new laws present a significant advancement towards strengthening the privacy rights of individuals, they also introduce numerous complexities for businesses trying to navigate the varied obligations imposed by each law.
In this blog post, we’ll review the new privacy laws coming into effect in 2023, explain who is subject to and protected by those laws, and provide an overview of the future of the U.S. data privacy landscape.
The California Privacy Rights Act (CPRA)
The CPRA came into effect on January 1, 2023, amending certain provisions of the California Consumer Privacy Act (CCPA). The changes introduced by the CPRA and how they may affect your business were discussed in great detail in a previous blog post published by VeraSafe.
It is worth reiterating, however, that the January 1 effective date applies to the provisions regulating business-to-business and human resources personal information, which are now subject to the same privacy requirements as consumer personal information. Enforcement of these provisions begins on July 1, 2023.
Although businesses may already have made significant efforts to comply with the CCPA, further changes will be necessary to comply with the updated requirements of the CPRA. In certain cases, organizations will need to submit risk assessments and cybersecurity audits to the California Privacy Protection Agency. In addition, the CPRA introduced more detailed and stringent requirements regarding the privacy-related notices that businesses must give to consumers. Some businesses must also update the “Do Not Sell My Personal Information” links on their websites to read “Do Not Sell or Share My Personal Information”.
The Virginia Consumer Data Protection Act (CDPA)
The CDPA also entered into effect on January 1, 2023, and, to a large extent, contains similar requirements to the CPRA. One difference is that it does not extend to the processing of personal data in a business-to-business or employment context.
The CDPA applies to for-profit companies that do business in Virginia or provide products or services to Virginia residents. To fall under this law, companies must either control or process the personal data of at least 100,000 Virginia residents in a calendar year, or control or process the personal data of at least 25,000 Virginia residents and make 50% or more of their gross revenue from selling personal data.
The CDPA imposes several obligations on controllers, such as the requirement to conduct data protection impact assessments (DPIAs), and confers numerous rights on consumers, including the right of access, correction, deletion, data portability, and the right to opt out of certain processing purposes.
Unlike the CPRA, the CDPA does not allow individuals to take legal action against businesses directly. Instead, the Virginia Attorney General handles enforcement. However, before taking legal action, the Virginia Attorney General must give businesses a thirty-day window to fix any violations. Essentially, if a business is found to be non-compliant with the CDPA, it has an opportunity to resolve the issue before facing potential legal consequences.
Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring (CTDPA)
The CTDPA enters into effect on July 1, 2023, with an enforcement grace period until December 31, 2024. The act creates a requirement to establish mechanisms that recognize consumers’ opt-out preferences for targeted advertising and the sale of data; this requirement will not be enforced until January 1, 2025, at which point organizations will need to clearly and conspicuously display a link to the opt-out mechanism on their website.
The CTDPA applies to persons that conduct business in Connecticut or produce products or services that are targeted to Connecticut residents, and that during the preceding calendar year either (1) controlled or processed personal data of at least 100,000 Connecticut residents (excluding data processed solely for the purpose of completing a payment transaction); or (2) controlled or processed the personal data of at least 25,000 Connecticut residents and derived more than 25% of their gross revenue from the sale of personal data.
The CTDPA offers protection to Connecticut residents acting in an individual or household context but does not extend to individuals in an employment context.
Similar to the privacy laws of California and Virginia, the CTDPA provides individuals with certain rights to their personal data and imposes various obligations on controllers, such as the requirement to conduct DPIAs for processing activities that present a high risk of harm to Connecticut residents.
The Connecticut Attorney General’s Office has exclusive authority to enforce violations of the CTDPA, and there is no private right of action. The CTDPA also provides for a sixty-day cure period, during which the controller will have the opportunity to rectify any violations. Notably, this “right to cure” will only be available until December 31, 2024.
The Colorado Privacy Act (CPA)
Similar to the CTDPA, the CPA enters into effect on July 1, 2023, and applies to organizations that conduct business in Colorado or produce or deliver commercial products or services to Colorado residents, and that, during a calendar year, either (1) control or process personal data of at least 100,000 Colorado residents; or (2) derive revenue or receive a discount from the sale of personal data and control or process personal data of at least 25,000 Colorado residents.
Similar to the provisions of the Virginia CDPA and the CTDPA, the CPA does not apply to the processing of human resources personal data or business-to-business data.
The CPA provides Colorado residents with certain rights regarding their personal data, such as the right of access, correction, deletion, data portability, and the right to opt out of specific processing purposes. Notably, with effect from July 1, 2024, controllers will be required to provide consumers with a universal opt-out mechanism.
Enforcement of the CPA is assigned to the Attorney General and District Attorneys General of Colorado, and there is a sixty-day cure period for violations, which will fall away on January 1, 2025.
Utah’s Consumer Privacy Act (UCPA)
The UCPA comes into effect on December 31, 2023, and applies to companies that conduct business in Utah or produce goods or services targeted at Utah residents, have an annual revenue of at least twenty-five million dollars, and either (1) control or process the personal data of at least 100,000 Utah residents; or (2) derive 50% of their revenue from the sale of personal data and control or process personal data of at least 25,000 Utah residents.
The UCPA also provides certain rights for consumers, although, notably, it does not include the right to opt out of profiling or to correct inaccurate data.
The UCPA allows a sixty-day cure period, but only until December 31, 2024. It also grants the Attorney General of Utah exclusive authority to enforce its provisions.
What’s Next for U.S. Privacy Laws?
Beyond 2023, privacy laws are due to come into effect in Montana, Indiana, Iowa, Tennessee, and Texas. Further, several comprehensive privacy bills are currently going through the lawmaking process in state legislatures. [1]
At a federal level, the American Data Privacy Protection Act (ADPPA) is currently making its way through Congress and aims to eliminate some of the complexity introduced by disparate state privacy laws. The ADPPA does not, however, create a uniform privacy standard as certain sector-specific privacy laws will continue to apply.
Also worth monitoring is the progress of the EU-U.S. Data Privacy Framework, [2] a new transatlantic data transfer framework replacing the Privacy Shield Framework. [3] The European Commission could reach a decision on it later this year.
While most of the U.S. state privacy laws are based on the same underlying principles, which align to some extent with the principles of the European Union’s General Data Protection Regulation (GDPR), the specific requirements and obligations differ significantly from state to state and require careful consideration and analysis to ensure effective compliance.
VeraSafe’s team of privacy professionals and cyber security experts is proficient in assisting organizations to comply with complex data privacy law requirements across the U.S. and beyond. If you would like to discuss how VeraSafe can assist your organization with its data protection compliance needs, please contact us at [email protected] or via our website.
[1] This currently includes active bills in Delaware, Massachusetts, New Hampshire, New Jersey, North Carolina, Oregon, Pennsylvania, and Rhode Island.
[2] The European Commission released its draft adequacy decision for the EU-U.S. DPF on December 13, 2022, which is available at https://commission.europa.eu/document/e5a39b3c-6e7c-4c89-9dc7-016d719e3d12_en. Subsequently, a majority of members in the European Parliament voted in favor of a resolution opposing the adoption of an adequacy decision under the Data Protection Framework.
[3] The Privacy Shield Framework was an approved mechanism for the transfer of personal data from the EU and Switzerland to the U.S., meaning that companies would have “adequate” protections in place when transferring personal data to self-certified companies, as required by the GDPR. While the Privacy Shield remains operative, it cannot be used as a lawful mechanism to transfer personal data to the U.S.