People Management & HR

5 state data-privacy laws taking effect in 2023

  • 7 min Read
  • January 19, 2023

Author

Escalon

Table of Contents

Despite mounting concern over companies that amass and sell troves of information on consumers without their knowledge, the U.S. hasn’t yet developed federal data-privacy legislation. Data brokers are largely unregulated and free to do what they want with the data, unless a state enacts its own privacy law.

California was the first to do just that. The California Consumer Privacy Act (CCPA) of 2020 made headlines as state became the first state to regulate the use of consumers’ personal information. 

Now the popular saying “As California goes, so goes the nation” has seemingly come to fruition. Four more states are following its lead by enacting their own privacy laws.

Businesses subject to any of these new state data-privacy laws must understand what is required to be compliant. Even those not subject to these laws should pay attention, because similar laws will almost inevitably pass in more states in coming years.

Schedule a call today

New data-privacy laws by state


In addition to the Golden State, whose California Privacy Rights Act (CPRA) took effect on Jan. 1, 2023, the following states will initiate enforcement of privacy statutes this year: Colorado, Connecticut, Utah and Virginia.

These privacy laws don’t apply only to companies and websites located in that particular state. In general, they also apply to companies and websites that sell, gather or share the private information of the state’s customers, regardless of which state the entity itself is based in. 

Below is a rundown of state data privacy statutes going into effect in 2023.

California Privacy Rights Act


The CPRA amended the California Consumer Privacy Act (CCPA), which implemented an array of individual privacy rights and models elements of the EU’s General Data Protection Regulation. The CPRA also created a state agency tasked with enforcing California’s privacy laws

The CPRA has effectively replaced the CCPA as of Jan. 1, 2023, but government enforcement of the CPRA will not begin until July 1, 2023. It provides a 30-day cure for alleged violations. Noncompliance penalties range from $2,000 per violation to $2,500 for negligent violations to $7,500 for willful violations.

Scope. The CPRA applies to for-profit businesses that fulfill one or more of the criteria below:

 

  • Yearly gross income exceeds $25 million.
  • At least 50% of annual revenue is derived from selling or sharing customer information.
  • Buys, sells or shares the personal information of at least 100,000 homes or customers per year, either alone or in combination.

Consumer rights. The CCPA now includes:

 

  • A category of protected data called sensitive personal information, comprising information like driver’s licenses, Social Security numbers, state ID cards, passport numbers, biometrics and more.
  • New and expanded consumer privacy rights.
  • A broader scope of information subject to legal action in the event of a data breach.
  • Some GDPR tenets, such as data minimization, and storage and purpose restrictions. 

The CPRA also broadens the CCPA’s private right of action by enabling individuals to file lawsuits after data breaches involving new categories of personal data. The set of actionable data types is expanded to include email addresses, in addition to security questions and answers or passwords.

Colorado Privacy Act


After California and Virginia, Colorado became the third state to enact state consumer privacy legislation when Gov. Jared Polis signed Senate Bill 21-190: Protect Personal Data Privacy into law on July 7, 2021.

Known as the Colorado Privacy Act (CPA), the law will take effect July 1, 2023. It provides a 60-day cure period for alleged violations through Jan. 1, 2025, after which the law no longer requires a cure period. Penalties can be up to $20,000 per violation.

Talk to us about how Escalon’s essential business services can help your business meet its compliance requirements.

 

Scope. The CPA applies to organizations that conduct business in Colorado or that produce or deliver commercial products or services aimed at Colorado residents and perform either of the following:

 

  • Control or process the personal data of at least 100,000 consumers per calendar year. 
  • Derive revenue from the sale of personal data or gain a discount on the cost of products and services while handling the personal data of at least 25,000 consumers.

Consumer rights. The CPA grants Colorado consumers the right to:

 

  • Access their personal data.
  • Correct inaccuracies in their personal data.
  • Delete their personal data.
  • Obtain a portable copy of their personal data.
  • Opt out of the processing of certain personal data.

Connecticut Data Privacy Law


Connecticut became the fifth state to adopt full consumer privacy legislation when Gov. Ned Lamont signed Senate Bill 6 into law on May 10, 2022. 

Known as the Connecticut Data Privacy Act (CTDPA), the law takes effect July 1, 2023. It provides a 60-day cure period for alleged violations before Jan. 1, 2025, after which the cure period will sunset. Noncompliance is subject to penalties of up to $5,000 per violation. 

Scope. The CTDPA applies to organizations that either run a business in Connecticut or that create goods or services aimed at residents of Connecticut, and that perform either of the following:

 

  • Control or process personal information of at least 100,000 consumers excluding any data used only to execute payment transactions.
  • Control or handle at least 25,000 consumers’ personal data, and derive more than 25% of their total revenue from the sale of that data.

Consumer rights. Many of the CTDPA’s requirements, rights and limitations are analogous to consumer data privacy legislation provided in California, Virginia, Colorado and Utah. 


The CTDPA grants Connecticut consumers the right to:

  • Access their personal data. 
  • Correct inaccuracies in their personal data. 
  • Delete personal data provided by or about themselves.
  • Obtain a portable copy of their personal data.
  • Opt out of certain data processing.

Utah Consumer Privacy Act


Utah became the fourth state — following California, Virginia and Colorado — to enact broad privacy legislation when Gov. Spencer Cox signed Senate Bill 227 into law on March 3, 2022. 

Known as the Utah Consumer Privacy Act (UCPA), the law will take effect Dec. 31, 2023 and provides a 30-day cure for alleged violations. Noncompliance is subject to penalties of up to $7,500 per violation.

Scope. The UCPA applies to for-profit businesses with annual revenue of at least $25 million that perform the following:

 

  • Conduct business in Utah or target their products and services to Utah residents.

  • Annually process or control personal data for at least 100,000 Utah consumers; or derive more than 50% of their revenue from selling personal data of least 25,000 Utah consumers.

Consumer rights. The UCPA grants Utah consumers the right to:

 

  • View their personal information.
  • Delete their personal information.
  • Know about and confirm processing activity.
  • Request a copy of their personal information in a portable format.
  • Nondiscrimination while exercising their UCPA consumer rights.
  • Not participate in the sale of their personal information and targeted ads.

Virginia Consumer Data Protection Act


Virginia became the second state after California to officially enact comprehensive consumer privacy legislation when Gov. Ralph Northam signed Senate Bill 1392 on March 20, 2021. 

Known as the Virginia Consumer Data Protection Act (VCDPA), the law took effect Jan. 1, 2023 and provides a 30-day cure for alleged violations. Noncompliance is subject to penalties of up to $7,500 per violation.

Scope. The VCDPA applies to companies that conduct business in Virginia or that promote their products and services to citizens of Virginia, and that per the statute:

 

either (i) control or process personal data of at least 100,000 consumers; or (ii) derive over 50% of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.

Consumer rights. Under the VCDPA, Virginia consumers now have rights to personal data similar to those stipulated under California’s CCPA and CPRA, including the right to:

 

  • Access, knowledge and confirm personal data.
  • Correct inaccurate personal data.
  • Erase personal information.
  • Data portability.
  • Refuse processing of personal data for targeted ads.
  • Object to the use of personal data for profiling.
  • Object to the sale of personal data.
  • Nondiscrimination.

Conclusion


Complying with different state data-privacy laws in the U.S. poses a significant challenge for affected businesses. This has spurred more interest in a federal data-privacy bill, but so far those attempts have stalled. In the event a federal privacy framework is adopted, it would pre-empt state privacy laws.

Want more? Escalon provides startups and small to midsized businesses with taxes, accounting, strategic finance, CFO services and support. Talk to an expert today.

Schedule a call today

Talk to our team today to learn how Escalon can help take your company to the next level.

  • Expertise you can trust

    Our team is made up of seasoned professionals who bring years of industry experience to the table. You gain a trusted advisor who understands your business inside out.

  • Quality and consistency

    Say goodbye to the hassles of hiring, training and managing in-house finance teams. You will never have to worry about unexpected leave of absence or retraining new employees.

  • Scalability and Flexibility

    Whether you’re a small business or a global powerhouse, our solutions scale with your needs. We eliminate inefficiencies, reduce costs and help you focus on growing your business.

Contact Us Today!

Tap into the latest insights from experts in your industry

People Management & HR

Benefits Administration, What Small Business Need to Know

Benefits administration can be a game-changer for small businesses aiming to attract and retain top talent. While salaries remain an...

Read More
Accounting & Finance

AAP vs. Cash Accounting: Which Method Is Best for Your Growing Business? 

Choosing the right accounting method can significantly impact how you track financial performance, manage taxes, and plan growth. Two common...

Read More
Accounting & Finance

Beyond Bootstrapping: Advanced Cash Flow Management for Scaling Companies 

Bootstrapping—financing growth through internal cash flow—is a hallmark of many successful startups. But as businesses mature past their initial stage,...

Read More
Technology & Security

Building a Scalable Tech Stack: How to Choose the Right Tools for Growth 

In today’s business landscape, technology is more than a convenience—it’s a strategic asset that can supercharge growth. But as you...

Read More
Accounting & Finance

How to Reduce Month-End Close Time Without Sacrificing Accuracy 

The month-end close can feel like a perpetual scramble—collecting invoices, reconciling accounts, fixing last-minute errors. A drawn-out close not only...

Read More
uncategorized

How to Reduce Overhead Costs Without Impacting Productivity 

Overhead costs—from utilities and rent to administrative staffing—can quietly swell until they erode profit margins and slow your ability to...

Read More
Accounting & Finance

How to Structure Your Finance Team as Your Business Scales

Growth triggers a tidal wave of financial complexity, multi-entity operations, new product lines, overseas expansion, or investor relations. If your...

Read More
Accounting & Finance

M&A Readiness: How to Prepare Your Financials for a Successful Acquisition or Sale 

Mergers and acquisitions (M&A) can dramatically alter a company’s trajectory—unlocking new markets, technologies, or customer bases. Yet, many deals stumble...

Read More
Accounting & Finance

Optimizing Working Capital: Strategies to Maximize Liquidity Without Raising Funds 

Working capital: The difference between your current assets and your current liabilities. It’s a key barometer of financial health.  While...

Read More