Many people dream of becoming entrepreneurs, and often the biggest...
Letting technology do the heavy lifting for certain monotonous tasks...
For many startups, the summer months can be...
Tax season often triggers stress and complexity—especially for...
January 19, 2023
Despite mounting concern over companies that amass and sell troves of information on consumers without their knowledge, the U.S. hasn’t yet developed federal data-privacy legislation. Data brokers are largely unregulated and free to do what they want with the data, unless a state enacts its own privacy law.
California was the first to do just that. The California Consumer Privacy Act (CCPA) of 2020 made headlines as state became the first state to regulate the use of consumers’ personal information.
Now the popular saying “As California goes, so goes the nation” has seemingly come to fruition. Four more states are following its lead by enacting their own privacy laws.
Businesses subject to any of these new state data-privacy laws must understand what is required to be compliant. Even those not subject to these laws should pay attention, because similar laws will almost inevitably pass in more states in coming years.
In addition to the Golden State, whose California Privacy Rights Act (CPRA) took effect on Jan. 1, 2023, the following states will initiate enforcement of privacy statutes this year: Colorado, Connecticut, Utah and Virginia.
These privacy laws don’t apply only to companies and websites located in that particular state. In general, they also apply to companies and websites that sell, gather or share the private information of the state’s customers, regardless of which state the entity itself is based in.
Below is a rundown of state data privacy statutes going into effect in 2023.
The CPRA amended the California Consumer Privacy Act (CCPA), which implemented an array of individual privacy rights and models elements of the EU’s General Data Protection Regulation. The CPRA also created a state agency tasked with enforcing California’s privacy laws.
The CPRA has effectively replaced the CCPA as of Jan. 1, 2023, but government enforcement of the CPRA will not begin until July 1, 2023. It provides a 30-day cure for alleged violations. Noncompliance penalties range from $2,000 per violation to $2,500 for negligent violations to $7,500 for willful violations.
The CPRA also broadens the CCPA’s private right of action by enabling individuals to file lawsuits after data breaches involving new categories of personal data. The set of actionable data types is expanded to include email addresses, in addition to security questions and answers or passwords.
After California and Virginia, Colorado became the third state to enact state consumer privacy legislation when Gov. Jared Polis signed Senate Bill 21-190: Protect Personal Data Privacy into law on July 7, 2021.
Known as the Colorado Privacy Act (CPA), the law will take effect July 1, 2023. It provides a 60-day cure period for alleged violations through Jan. 1, 2025, after which the law no longer requires a cure period. Penalties can be up to $20,000 per violation.
Connecticut became the fifth state to adopt full consumer privacy legislation when Gov. Ned Lamont signed Senate Bill 6 into law on May 10, 2022.
Known as the Connecticut Data Privacy Act (CTDPA), the law takes effect July 1, 2023. It provides a 60-day cure period for alleged violations before Jan. 1, 2025, after which the cure period will sunset. Noncompliance is subject to penalties of up to $5,000 per violation.
The CTDPA grants Connecticut consumers the right to:
Utah became the fourth state — following California, Virginia and Colorado — to enact broad privacy legislation when Gov. Spencer Cox signed Senate Bill 227 into law on March 3, 2022.
Known as the Utah Consumer Privacy Act (UCPA), the law will take effect Dec. 31, 2023 and provides a 30-day cure for alleged violations. Noncompliance is subject to penalties of up to $7,500 per violation.
Virginia became the second state after California to officially enact comprehensive consumer privacy legislation when Gov. Ralph Northam signed Senate Bill 1392 on March 20, 2021.
Known as the Virginia Consumer Data Protection Act (VCDPA), the law took effect Jan. 1, 2023 and provides a 30-day cure for alleged violations. Noncompliance is subject to penalties of up to $7,500 per violation.
either (i) control or process personal data of at least 100,000 consumers; or (ii) derive over 50% of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.
Complying with different state data-privacy laws in the U.S. poses a significant challenge for affected businesses. This has spurred more interest in a federal data-privacy bill, but so far those attempts have stalled. In the event a federal privacy framework is adopted, it would pre-empt state privacy laws.
Our team is made up of seasoned professionals who bring years of industry experience to the table. You gain a trusted advisor who understands your business inside out.
Say goodbye to the hassles of hiring, training and managing in-house finance teams. You will never have to worry about unexpected leave of absence or retraining new employees.
Whether you’re a small business or a global powerhouse, our solutions scale with your needs. We eliminate inefficiencies, reduce costs and help you focus on growing your business.
For many startups, the summer months can be a dual-edged sword. On one hand, warmer weather and looming vacations can...
Tax season often triggers stress and complexity—especially for startups laser-focused on building products, acquiring customers, and scaling operations. Yet savvy...
The halfway mark of any given year is more than just a date on the calendar; it’s a valuable checkpoint...
For consumer goods companies, managing inventory efficiently is critical—not just for operations but also for financial health and risk management....
As more businesses transition to Software-as-a-Service (SaaS) solutions, data security and regulatory compliance have become top priorities. From handling sensitive...
For portfolio companies, whether backed by private equity, venture capital, or family offices, scalability is essential for maximizing value and...
Insights from a Consumer Goods Expert: Building Brands, Inventory Management, and the Power of Outsourcing In a recent conversation with...
Private equity deals are becoming larger and more complex, making financial preparation a critical part of the process. Take Novartis’s...
Biotech startups operate in a unique financial landscape, where securing grants, venture capital, and government funding is crucial for driving...