2023 Updates to U.S. State Data Privacy Laws: What You Need to Know

Nyambura Kiarie

The United States is trying to catch up with the data privacy laws passed elsewhere in recent years. The European Union's General Data Protection Regulation (GDPR) took effect in 2018, while the U.S. has struggled to pass a federal equivalent, the proposed American Data Privacy and Protection Act (ADPPA). In the meantime, California, Colorado, Connecticut, Utah, and Virginia have each passed comprehensive consumer privacy laws that take effect during 2023. With more state legislatures considering similar bills, the number of separate state laws will only grow unless the ADPPA is enacted, which seems unlikely given the current political climate and the competing priorities facing Congress.

(Figure: 2023 U.S. State Privacy Legislation Map)

This patchwork of separate state laws creates compliance problems for companies based or doing business in these states. An affected business must understand each state's privacy and cybersecurity requirements and design a single privacy and cybersecurity program that satisfies all of them at the same time. This article explains what each of these laws requires of businesses and what action you need to take to comply.

Why Are We Discussing Privacy Now? 

Privacy regulations come into force over the course of 2023, and these changes expose organizations to several risks. First, non-compliance carries the direct financial cost of regulatory fines, which are calculated per violation (see the chart below). For example, in 2022 the California Attorney General announced a $1.2 million settlement with Sephora for violating the CCPA. The table below summarizes the five new state privacy laws, their effective dates, and potential fines.

Second, consumers increasingly choose products and services that protect their personal data, even at a premium. Fines can be substantial, but the reputational damage from negative news coverage can cost more in the long run if customers take their business elsewhere. As consumers pay more attention to privacy and cybersecurity, and to the effect breaches have on their personal lives, privacy- and cybersecurity-conscious companies increasingly distinguish themselves in the marketplace by using compliance as a brand differentiator.

Meeting the requirements of this patchwork is strenuous even for well-organized companies with well-funded privacy and cybersecurity programs. For an organization that has not made privacy a priority, implementing compliant processes quickly will be resource- and time-consuming, because compliance measures touch operations across the whole organization and require coordination between the compliance, legal, information security, human resources, executive, and operations functions.

2023 Updates to U.S. State Privacy Laws — What You Should Know

To help you understand the impact of each state's law, we explain each law's basic provisions and how your business may be affected.

What Is the Difference Between the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)?

The CCPA was signed into law in June 2018, creating new privacy rights for Californians and significant new data protection obligations for businesses. It took effect on January 1, 2020, with enforcement by California's Office of the Attorney General. The CPRA, approved by California voters as Proposition 24 in November 2020, amends the CCPA, adds further consumer protections, and creates the California Privacy Protection Agency, which now shares enforcement authority with the Attorney General. Most CPRA provisions became operative on January 1, 2023, and they apply to personal information collected on or after January 1, 2022.

The CCPA (as amended by the CPRA) applies to any for-profit entity that does business in California, collects California consumers' personal information, and meets at least one of the following thresholds:

  1. has annual gross revenues of more than $25 million in the preceding calendar year;
  2. annually buys, sells, or shares the personal information of 100,000 or more consumers or households (the original CCPA threshold was 50,000 consumers, households, or devices; the CPRA raised it as of January 1, 2023); or
  3. derives 50 percent or more of its annual revenue from selling or sharing consumers' personal information.

How Will the California Consumer Privacy Act and California Privacy Rights Act Affect Impacted Businesses?

For many businesses, the most significant 2023 change concerns personal information exchanged between businesses and personal information processed in the employment context. Two categories, B2B information and Employment-Related Information, are no longer exempt. Until January 1, 2023, business-to-business (B2B) information, meaning personal information about the employees or business contacts of another business that a business collected while providing or receiving a product or service, was largely exempt from the CCPA. Likewise, the employment exemption covered Employment-Related Information, meaning personal information a business processes about a job applicant or a past or current employee, owner, director, officer, medical staff member, or contractor of the business, and their beneficiaries and dependents, as long as the business used it solely in the context of that relationship. Both exemptions expired on January 1, 2023.

If your business processes B2B information or Employment-Related Information (which includes any covered business with California employees, contractors, or job applicants), you are now required to:

  1. Provide notices to affected individuals addressing the collection and use of Employment-Related Information and B2B information; 
  2. Provide the right to opt out of the sale or sharing of the B2B or Employment-Related Information;
  3. Provide the right to limit the use and disclosure of sensitive personal information, such as racial or ethnic origin, precise geolocation, or health information; and
  4. Ensure that your contractors and service providers comply with the contractual requirements for service providers and contractors under the CCPA/CPRA.

What Is the Utah Consumer Privacy Act (UCPA)?

The Utah Consumer Privacy Act was signed into law on March 24, 2022, and takes effect on December 31, 2023. It applies to businesses that:

  1. Conduct business in Utah or produce products or services targeted to Utah residents; 
  2. Have annual revenues of $25 million or more; and 
  3. Either (A) process personal data of 100,000 or more Utah residents; or (B) derive more than 50 percent of their gross revenue from the sale of personal data and control or process the personal data of 25,000 or more Utah consumers.

How Will the Utah Consumer Privacy Act Affect Impacted Businesses?

Affected businesses need contracts with their service providers (processors). Like the other state laws, Utah requires a contract with any entity engaged to process personal data on the business's behalf. That contract must set out:

  1. Instructions for processing, including the nature and purpose of the processing, the type of personal data processed, the duration of processing, and the rights and obligations of both parties;
  2. That each person processing the data is subject to a duty of confidentiality; and
  3. That any subcontractor the processor engages is bound by a written contract imposing the same obligations.

Businesses must also provide Utah consumers with a reasonably accessible and clear privacy notice that includes:

  1. The categories of personal data processed by the business; 
  2. The purposes for processing the data; 
  3. How consumers may exercise their rights; 
  4. The categories of personal data the business shares with third parties, if any; 
  5. The categories of third parties, if any, with whom the business shares personal data;  and 
  6. If personal data is sold to a third party or used for targeted advertising, the business must clearly and conspicuously disclose the means for consumers to exercise their rights to opt-out of their data being processed.

What Is the Virginia Consumer Data Protection Act (VCDPA)?

The Virginia Consumer Data Protection Act was signed into law on March 2, 2021, and took effect on January 1, 2023. The VCDPA applies to businesses that:

  1. They either conduct business in Virginia or produce products or services targeted to Virginia residents; and
  2. During a calendar year (i) control or process personal data of at least 100,000 consumers; or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of their gross revenue from the sale of personal data.

How Will the Virginia Consumer Data Protection Act Affect Impacted Businesses?

Businesses are required to provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: 

  1. The categories of personal data processed by the business; 
  2. The purpose for processing personal data; 
  3. How consumers may exercise their consumer rights, including an appeal of a business decision; 
  4. Categories of personal data shared with third parties; and 
  5. Categories of third parties with whom the controller shares personal data.

Affected businesses must have contracts with their vendors (processors) that include the following provisions:

  1. Clear instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties;
  2. A requirement that each person processing personal data is subject to a duty of confidentiality with respect to the data;
  3. At the business's direction, the vendor must delete or return all personal data at the end of the provision of services, unless retention is required by law;
  4. Upon the business's reasonable request, the vendor must make available all information in its possession necessary to demonstrate its compliance with the VCDPA;
  5. The vendor must allow and cooperate with reasonable assessments by the business, or arrange for a qualified and independent assessor to assess the vendor's policies and technical and organizational measures and provide a report of that assessment to the business on request; and
  6. The vendor may engage a subcontractor only under a written contract that requires the subcontractor to meet the vendor's obligations with respect to the personal data.

What Is the Colorado Privacy Act (CPA)?

The Colorado Privacy Act was signed into law on July 7, 2021, and takes effect on July 1, 2023. The CPA applies to a controller that:

  1. Conducts business in Colorado or produces or delivers commercial products or services intentionally targeted to Colorado residents; and
  2. Either (a) controls or processes the personal data of 100,000 or more consumers during a calendar year, or (b) derives revenue or receives a discount on the price of goods or services from the sale of personal data and controls or processes the personal data of 25,000 or more consumers.

Note that Colorado, like Virginia and Connecticut, has no revenue threshold.

How Will the Colorado Privacy Act Affect Impacted Businesses?

Businesses must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

  1. The categories of personal data collected or processed by a controller or processor;
  2. The purposes for which the categories of personal data are processed; 
  3. How and where consumers may exercise their rights; 
  4. The categories of personal data that the controller shares with third parties; and
  5. The categories of third parties with whom the controller shares personal data.

Businesses should have contracts with their vendors (processors) that include:

  1. Processing instructions, including the nature and purpose of the processing to which the processor is bound;
  2. The duration of the processing and the type of personal data subject to it;
  3. The requirement that each person processing the personal data is subject to a duty of confidentiality with respect to the data;
  4. The requirement that the processor may engage a subcontractor only under a written contract that binds the subcontractor to the processor's obligations with respect to the data, and only after giving the controller an opportunity to object;
  5. The allocation of responsibility between controller and processor for maintaining the technical and organizational measures needed to secure the data;
  6. Whether the processor must return or delete all personal data at the end of the provision of services, unless retention is required by law;
  7. That the processor will make available to the controller all information necessary to demonstrate compliance with the law; and
  8. That the processor will allow for and contribute to reasonable audits and inspections by the controller or the controller's auditor.

What Is the Connecticut Data Privacy Act (CTDPA)?

The Connecticut Data Privacy Act was signed into law on May 10, 2022, and takes effect on July 1, 2023. The CTDPA applies to businesses that:

  1. Conduct business in Connecticut or produce products or services targeted to Connecticut residents; and
  2. During the preceding calendar year, either (a) controlled or processed the personal data of at least 100,000 consumers (excluding data processed solely to complete a payment transaction), or (b) controlled or processed the personal data of at least 25,000 consumers and derived more than 25 percent of gross revenue from the sale of personal data.

How Will the Connecticut Data Privacy Act Affect Impacted Businesses?

The CTDPA requires controllers to provide consumers with a "reasonably accessible, clear and meaningful privacy notice" regarding the collection of personal data. The notice must include:

  1. The categories of personal data processed by the controller;  
  2. The purpose for processing personal data; 
  3. How consumers may exercise their rights and appeal; 
  4. The categories of personal data the controller shares with third parties if any; 
  5. The categories of third parties, if any, with which the controller shares personal data; 
  6. An active email address or other online mechanisms for consumers to contact the controller; and 
  7. If personal data is sold to third parties or processed for targeted advertising, controllers are required to “clearly and conspicuously disclose such processing” and how consumers may exercise their opt-out rights.  

Businesses should also have contracts with their vendors that meet the following requirements:

  1. A contract between the controller and the processor must govern the processing the processor performs on the controller's behalf;
  2. The contract must clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties;
  3. It must require the processor to ensure that each person processing the data is subject to a duty of confidentiality with respect to the data;
  4. The processor must delete or return the personal data at the controller's direction, unless retention is required by law;
  5. The processor must make available to the controller any information necessary to demonstrate compliance;
  6. The processor may engage a subcontractor only under a written contract that binds the subcontractor to the processor's obligations, and only after giving the controller an opportunity to object; and
  7. The processor must allow and cooperate with reasonable assessments by the controller or the controller's designated assessor.

Four Steps to Prepare for New U.S. State Privacy Laws 

For those organizations based in or doing business in the five states mentioned above, there are several key steps to take immediately.

  1. First, familiarize yourself and your teams with the new requirements to establish a basic understanding of the laws.
  2. Next, update your website privacy notices as they are the most immediately accessible and noticeable to customers, regulators, and stakeholders.
  3. Then you should coordinate with legal and purchasing teams to review your vendor contracts for the appropriate terms and conditions required by the various state laws.
  4. Finally, ensure you have a quick and efficient process for receiving, verifying, and fulfilling data subject requests within the statutory deadlines, since a complaint from an individual to a regulator can bring your company's entire privacy program under review.

Each of these steps can be time-consuming, so run them in parallel rather than one after another to shorten the overall time to review and make changes.

As you update your company's website privacy notices, consider layered notices that address the rights of individuals in each state, and a separate privacy notice for employees and job applicants to address the CPRA.

For vendor contracts, make sure the terms cover the vendor's personal data processing activities. Update your vendor templates and customer contracts with the CCPA/CPRA service-provider and contractor terms; these go beyond the European model in some respects, for example by prohibiting the service provider from selling or sharing the personal information. Note that most of the VCDPA, CPA, UCPA, and CTDPA contract terms listed above are already met if your company complies with the GDPR and includes Article 28 GDPR processor terms in its contracts.

One overall strategy for preparing for the new U.S. state privacy laws is to run a privacy and data security compliance program that meets the GDPR requirements. The GDPR currently represents the highest data protection threshold, so meeting it covers most of what the new U.S. laws require. You can then adjust your internal program and contracts for the U.S.-specific items that apply to your company, such as opt-out rights for the sale or sharing of personal data and the employee and B2B notices required under the CPRA.


What Are the Benefits of Compliance With the State Privacy Laws?

Non-compliance clearly carries the risk of fines and reputational damage, but compliance also brings several benefits. Primarily, your customers will have confidence in your ability to protect their data and will be more open to doing business with you; bear in mind that they face the same regulations and need their downstream vendors to comply in order to avoid fines themselves. When your contracts already contain the required terms, negotiations with customers and vendors move faster. Updating your public-facing notices first reduces your visible exposure and buys time to work on internal processes and build a robust compliance program. Finally, if a regulator does find you non-compliant, a documented, good-faith compliance effort can reduce the resulting fine.

Take Action on Privacy Laws Now

Privacy laws are taking effect now, and you need to move toward compliance immediately. Address the obvious, public-facing items first, such as website privacy notices, and ensure your vendor contracts contain the required terms and conditions. Companies have an obligation to maintain data privacy, and that includes a compliance program that can handle data subject requests from concerned individuals within the time limits set by each law. We live in a time when "data is the new oil", and we cannot afford to leave such a valuable resource unprotected.

Nyambura Kiarie

Nyambura Kiarie is Commercial and Privacy Counsel at AuditBoard and is an experienced privacy, cybersecurity, and technology transactions lawyer who is also an IAPP-certified U.S. and E.U. Data Privacy Professional. Her experience entails building and supporting privacy and cybersecurity programs within organizations and companies with an aim of ensuring that the companies maintain robust compliance programs to differentiate themselves in their respective markets and build their brands by engendering greater trust, loyalty, and cooperation amongst their consumers and customers.
