5 state data-privacy laws taking effect in 2023

  • January 19, 2023

Author

Escalon

Despite mounting concern over companies that amass and sell troves of information on consumers without their knowledge, the U.S. hasn’t yet developed federal data-privacy legislation. Data brokers are largely unregulated and free to do what they want with the data, unless a state enacts its own privacy law.

California was the first to do just that. The California Consumer Privacy Act (CCPA) of 2020 made headlines as California became the first state to regulate the use of consumers’ personal information.

Now the popular saying “As California goes, so goes the nation” has seemingly come to fruition. Four more states are following its lead by enacting their own privacy laws.

Businesses subject to any of these new state data-privacy laws must understand what is required to be compliant. Even those not subject to these laws should pay attention, because similar laws will almost inevitably pass in more states in coming years.

New data-privacy laws by state


In addition to the Golden State, whose California Privacy Rights Act (CPRA) took effect on Jan. 1, 2023, the following states will initiate enforcement of privacy statutes this year: Colorado, Connecticut, Utah and Virginia.

These privacy laws don’t apply only to companies and websites located in that particular state. In general, they also apply to companies and websites that sell, gather or share the private information of the state’s customers, regardless of which state the entity itself is based in. 

Below is a rundown of state data privacy statutes going into effect in 2023.

California Privacy Rights Act


The CPRA amended the California Consumer Privacy Act (CCPA), which implemented an array of individual privacy rights and is modeled on elements of the EU’s General Data Protection Regulation. The CPRA also created a state agency tasked with enforcing California’s privacy laws.

The CPRA has effectively replaced the CCPA as of Jan. 1, 2023, but government enforcement of the CPRA will not begin until July 1, 2023. It provides a 30-day cure for alleged violations. Noncompliance penalties range from $2,000 per violation to $2,500 for negligent violations to $7,500 for willful violations.

Scope. The CPRA applies to for-profit businesses that fulfill one or more of the criteria below:

 

  • Yearly gross income exceeds $25 million.
  • At least 50% of annual revenue is derived from selling or sharing customer information.
  • Buys, sells or shares the personal information of at least 100,000 homes or customers per year, either alone or in combination.

Consumer rights. The CCPA now includes:

 

  • A category of protected data called sensitive personal information, comprising information like driver’s licenses, Social Security numbers, state ID cards, passport numbers, biometrics and more.
  • New and expanded consumer privacy rights.
  • A broader scope of information subject to legal action in the event of a data breach.
  • Some GDPR tenets, such as data minimization, and storage and purpose restrictions. 

The CPRA also broadens the CCPA’s private right of action by enabling individuals to file lawsuits after data breaches involving new categories of personal data. The set of actionable data types is expanded to include email addresses, in addition to security questions and answers or passwords.

Colorado Privacy Act


After California and Virginia, Colorado became the third state to enact state consumer privacy legislation when Gov. Jared Polis signed Senate Bill 21-190: Protect Personal Data Privacy into law on July 7, 2021.

Known as the Colorado Privacy Act (CPA), the law will take effect July 1, 2023. It provides a 60-day cure period for alleged violations through Jan. 1, 2025, after which the law no longer requires a cure period. Penalties can be up to $20,000 per violation.

Scope. The CPA applies to organizations that conduct business in Colorado or that produce or deliver commercial products or services aimed at Colorado residents and perform either of the following:

 

  • Control or process the personal data of at least 100,000 consumers per calendar year. 
  • Derive revenue from the sale of personal data or gain a discount on the cost of products and services while handling the personal data of at least 25,000 consumers.

Consumer rights. The CPA grants Colorado consumers the right to:

 

  • Access their personal data.
  • Correct inaccuracies in their personal data.
  • Delete their personal data.
  • Obtain a portable copy of their personal data.
  • Opt out of the processing of certain personal data.

Connecticut Data Privacy Law


Connecticut became the fifth state to adopt full consumer privacy legislation when Gov. Ned Lamont signed Senate Bill 6 into law on May 10, 2022. 

Known as the Connecticut Data Privacy Act (CTDPA), the law takes effect July 1, 2023. It provides a 60-day cure period for alleged violations before Jan. 1, 2025, after which the cure period will sunset. Noncompliance is subject to penalties of up to $5,000 per violation. 

Scope. The CTDPA applies to organizations that either run a business in Connecticut or that create goods or services aimed at residents of Connecticut, and that perform either of the following:

 

  • Control or process personal information of at least 100,000 consumers, excluding any data used only to execute payment transactions.
  • Control or handle at least 25,000 consumers’ personal data, and derive more than 25% of their total revenue from the sale of that data.

Consumer rights. Many of the CTDPA’s requirements, rights and limitations are analogous to consumer data privacy legislation provided in California, Virginia, Colorado and Utah. 


The CTDPA grants Connecticut consumers the right to:

  • Access their personal data. 
  • Correct inaccuracies in their personal data. 
  • Delete personal data provided by or about themselves.
  • Obtain a portable copy of their personal data.
  • Opt out of certain data processing.

Utah Consumer Privacy Act


Utah became the fourth state — following California, Virginia and Colorado — to enact broad privacy legislation when Gov. Spencer Cox signed Senate Bill 227 into law on March 3, 2022. 

Known as the Utah Consumer Privacy Act (UCPA), the law will take effect Dec. 31, 2023 and provides a 30-day cure for alleged violations. Noncompliance is subject to penalties of up to $7,500 per violation.

Scope. The UCPA applies to for-profit businesses with annual revenue of at least $25 million that perform the following:

 

  • Conduct business in Utah or target their products and services to Utah residents.

  • Annually process or control personal data for at least 100,000 Utah consumers; or derive more than 50% of their revenue from selling personal data of at least 25,000 Utah consumers.

Consumer rights. The UCPA grants Utah consumers the right to:

 

  • View their personal information.
  • Delete their personal information.
  • Know about and confirm processing activity.
  • Request a copy of their personal information in a portable format.
  • Nondiscrimination while exercising their UCPA consumer rights.
  • Not participate in the sale of their personal information and targeted ads.

Virginia Consumer Data Protection Act


Virginia became the second state after California to officially enact comprehensive consumer privacy legislation when Gov. Ralph Northam signed Senate Bill 1392 on March 20, 2021. 

Known as the Virginia Consumer Data Protection Act (VCDPA), the law took effect Jan. 1, 2023 and provides a 30-day cure for alleged violations. Noncompliance is subject to penalties of up to $7,500 per violation.

Scope. The VCDPA applies to companies that conduct business in Virginia or that promote their products and services to citizens of Virginia, and that per the statute:

 

either (i) control or process personal data of at least 100,000 consumers; or (ii) derive over 50% of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.

Consumer rights. Under the VCDPA, Virginia consumers now have rights to personal data similar to those stipulated under California’s CCPA and CPRA, including the right to:

 

  • Access, know about and confirm personal data.
  • Correct inaccurate personal data.
  • Erase personal information.
  • Data portability.
  • Refuse processing of personal data for targeted ads.
  • Object to the use of personal data for profiling.
  • Object to the sale of personal data.
  • Nondiscrimination.

Conclusion


Complying with different state data-privacy laws in the U.S. poses a significant challenge for affected businesses. This has spurred more interest in a federal data-privacy bill, but so far those attempts have stalled. In the event a federal privacy framework is adopted, it would pre-empt state privacy laws.
