People Management & HR

5 state data-privacy laws taking effect in 2023

  • 7 min Read
  • January 19, 2023

Author

Escalon Editorial Team

Table of Contents

Despite mounting concern over companies that amass and sell troves of information on consumers without their knowledge, the U.S. hasn’t yet developed federal data-privacy legislation. Data brokers are largely unregulated and free to do what they want with the data, unless a state enacts its own privacy law.

California was the first to do just that. The California Consumer Privacy Act (CCPA) of 2020 made headlines as state became the first state to regulate the use of consumers’ personal information. 

Now the popular saying “As California goes, so goes the nation” has seemingly come to fruition. Four more states are following its lead by enacting their own privacy laws.

Businesses subject to any of these new state data-privacy laws must understand what is required to be compliant. Even those not subject to these laws should pay attention, because similar laws will almost inevitably pass in more states in coming years.

Schedule a call today

New data-privacy laws by state


In addition to the Golden State, whose California Privacy Rights Act (CPRA) took effect on Jan. 1, 2023, the following states will initiate enforcement of privacy statutes this year: Colorado, Connecticut, Utah and Virginia.

These privacy laws don’t apply only to companies and websites located in that particular state. In general, they also apply to companies and websites that sell, gather or share the private information of the state’s customers, regardless of which state the entity itself is based in. 

Below is a rundown of state data privacy statutes going into effect in 2023.

California Privacy Rights Act


The CPRA amended the California Consumer Privacy Act (CCPA), which implemented an array of individual privacy rights and models elements of the EU’s General Data Protection Regulation. The CPRA also created a state agency tasked with enforcing California’s privacy laws

The CPRA has effectively replaced the CCPA as of Jan. 1, 2023, but government enforcement of the CPRA will not begin until July 1, 2023. It provides a 30-day cure for alleged violations. Noncompliance penalties range from $2,000 per violation to $2,500 for negligent violations to $7,500 for willful violations.

Scope. The CPRA applies to for-profit businesses that fulfill one or more of the criteria below:

 

  • Yearly gross income exceeds $25 million.
  • At least 50% of annual revenue is derived from selling or sharing customer information.
  • Buys, sells or shares the personal information of at least 100,000 homes or customers per year, either alone or in combination.

Consumer rights. The CCPA now includes:

 

  • A category of protected data called sensitive personal information, comprising information like driver’s licenses, Social Security numbers, state ID cards, passport numbers, biometrics and more.
  • New and expanded consumer privacy rights.
  • A broader scope of information subject to legal action in the event of a data breach.
  • Some GDPR tenets, such as data minimization, and storage and purpose restrictions. 

The CPRA also broadens the CCPA’s private right of action by enabling individuals to file lawsuits after data breaches involving new categories of personal data. The set of actionable data types is expanded to include email addresses, in addition to security questions and answers or passwords.

Colorado Privacy Act


After California and Virginia, Colorado became the third state to enact state consumer privacy legislation when Gov. Jared Polis signed Senate Bill 21-190: Protect Personal Data Privacy into law on July 7, 2021.

Known as the Colorado Privacy Act (CPA), the law will take effect July 1, 2023. It provides a 60-day cure period for alleged violations through Jan. 1, 2025, after which the law no longer requires a cure period. Penalties can be up to $20,000 per violation.

Talk to us about how Escalon’s essential business services can help your business meet its compliance requirements.

 

Scope. The CPA applies to organizations that conduct business in Colorado or that produce or deliver commercial products or services aimed at Colorado residents and perform either of the following:

 

  • Control or process the personal data of at least 100,000 consumers per calendar year. 
  • Derive revenue from the sale of personal data or gain a discount on the cost of products and services while handling the personal data of at least 25,000 consumers.

Consumer rights. The CPA grants Colorado consumers the right to:

 

  • Access their personal data.
  • Correct inaccuracies in their personal data.
  • Delete their personal data.
  • Obtain a portable copy of their personal data.
  • Opt out of the processing of certain personal data.

Connecticut Data Privacy Law


Connecticut became the fifth state to adopt full consumer privacy legislation when Gov. Ned Lamont signed Senate Bill 6 into law on May 10, 2022. 

Known as the Connecticut Data Privacy Act (CTDPA), the law takes effect July 1, 2023. It provides a 60-day cure period for alleged violations before Jan. 1, 2025, after which the cure period will sunset. Noncompliance is subject to penalties of up to $5,000 per violation. 

Scope. The CTDPA applies to organizations that either run a business in Connecticut or that create goods or services aimed at residents of Connecticut, and that perform either of the following:

 

  • Control or process personal information of at least 100,000 consumers excluding any data used only to execute payment transactions.
  • Control or handle at least 25,000 consumers’ personal data, and derive more than 25% of their total revenue from the sale of that data.

Consumer rights. Many of the CTDPA’s requirements, rights and limitations are analogous to consumer data privacy legislation provided in California, Virginia, Colorado and Utah. 


The CTDPA grants Connecticut consumers the right to:

  • Access their personal data. 
  • Correct inaccuracies in their personal data. 
  • Delete personal data provided by or about themselves.
  • Obtain a portable copy of their personal data.
  • Opt out of certain data processing.

Utah Consumer Privacy Act


Utah became the fourth state — following California, Virginia and Colorado — to enact broad privacy legislation when Gov. Spencer Cox signed Senate Bill 227 into law on March 3, 2022. 

Known as the Utah Consumer Privacy Act (UCPA), the law will take effect Dec. 31, 2023 and provides a 30-day cure for alleged violations. Noncompliance is subject to penalties of up to $7,500 per violation.

Scope. The UCPA applies to for-profit businesses with annual revenue of at least $25 million that perform the following:

 

  • Conduct business in Utah or target their products and services to Utah residents.

  • Annually process or control personal data for at least 100,000 Utah consumers; or derive more than 50% of their revenue from selling personal data of least 25,000 Utah consumers.

Consumer rights. The UCPA grants Utah consumers the right to:

 

  • View their personal information.
  • Delete their personal information.
  • Know about and confirm processing activity.
  • Request a copy of their personal information in a portable format.
  • Nondiscrimination while exercising their UCPA consumer rights.
  • Not participate in the sale of their personal information and targeted ads.

Virginia Consumer Data Protection Act


Virginia became the second state after California to officially enact comprehensive consumer privacy legislation when Gov. Ralph Northam signed Senate Bill 1392 on March 20, 2021. 

Known as the Virginia Consumer Data Protection Act (VCDPA), the law took effect Jan. 1, 2023 and provides a 30-day cure for alleged violations. Noncompliance is subject to penalties of up to $7,500 per violation.

Scope. The VCDPA applies to companies that conduct business in Virginia or that promote their products and services to citizens of Virginia, and that per the statute:

 

either (i) control or process personal data of at least 100,000 consumers; or (ii) derive over 50% of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.

Consumer rights. Under the VCDPA, Virginia consumers now have rights to personal data similar to those stipulated under California’s CCPA and CPRA, including the right to:

 

  • Access, knowledge and confirm personal data.
  • Correct inaccurate personal data.
  • Erase personal information.
  • Data portability.
  • Refuse processing of personal data for targeted ads.
  • Object to the use of personal data for profiling.
  • Object to the sale of personal data.
  • Nondiscrimination.

Conclusion


Complying with different state data-privacy laws in the U.S. poses a significant challenge for affected businesses. This has spurred more interest in a federal data-privacy bill, but so far those attempts have stalled. In the event a federal privacy framework is adopted, it would pre-empt state privacy laws.

Want more? Escalon provides startups and small to midsized businesses with taxes, accounting, strategic finance, CFO services and support. Talk to an expert today.

Schedule a call today

Talk to our team today to learn how Escalon can help take your company to the next level.

  • Expertise you can trust

    Our team is made up of seasoned professionals who bring years of industry experience to the table. You gain a trusted advisor who understands your business inside out.

  • Quality and consistency

    Say goodbye to the hassles of hiring, training and managing in-house finance teams. You will never have to worry about unexpected leave of absence or retraining new employees.

  • Scalability and Flexibility

    Whether you’re a small business or a global powerhouse, our solutions scale with your needs. We eliminate inefficiencies, reduce costs and help you focus on growing your business.

Contact Us Today!

Tap into the latest insights from experts in your industry

Financial Operations

Stock-Based Compensation Expense: How to Record It Correctly

Stock-based compensation is one of the largest non-cash expenses on most startup income statements and one of the most consistently...

HR & People Operations

Global Payroll: How to Pay a Distributed Team Compliantly

A company with 15 employees in 9 countries used to be unusual. In 2026, it is a normal Series A....

Tax Operations

QSBS Tax Exemption: How Founders & Early Employees Save on Taxes

QSBS is one of the most valuable and most overlooked tax provisions in the US tax code. A founder who...

Financial Operations

ASC 606 Revenue Recognition for SaaS: A Practical Guide

Every SaaS finance team has had the same argument at some point: when do we actually recognize this revenue? A...

Financial Operations

Web3 Accounting: How Token & Crypto Treasuries Change the Books

A Web3 company’s books look familiar at the top level: revenue, expenses, payroll, cash. The complexity starts where the cash...

Financial Operations

Cash Runway: How to Calculate It and Extend It

Cash runway is the simplest and most consequential metric in startup finance. It is the answer to one question: how...

Financial Operations

Nonprofit Accounting Basics: Fund Accounting vs Standard Books

Nonprofit accounting looks similar to business accounting on the surface but answers an entirely different question. A business asks: are...

Financial Operations

SaaS Rule of 40 Explained: How Investors Read Your Numbers

Growth or profitability? For most SaaS founders, the answer used to be growth at all costs. That changed when capital...

Financial Operations

ARR vs MRR: What Each Metric Tells You and When to Use It

Every SaaS founder has been asked the same question by an investor: what is your ARR? And almost every founder...