State Privacy Laws 2023: Is Your Business Prepared?

With stories of data breaches continuously making headlines, concerns about how personal data is processed and stored have led to the passage of regulations governing how companies handle consumer data. One of the most well-known international data privacy laws is GDPR, which was implemented across the European Union in 2018. The law states that individuals own their personal information and can decide who can use it. Any organization -- regardless of where it's headquartered -- that targets or collects data from people and businesses in EU member nations must comply with the GDPR law. The state privacy laws of 2023 apply to organizations that process personal data (controllers) as well as organizations that process personal data on their behalf (processors). Legal action can be taken against organizations found to be noncompliant with GDPR.

While more than 100 countries worldwide have enacted data privacy laws, the United States is not one of them. Until a federal privacy law is enacted, many states have stepped in to pass data privacy laws by state. According to the IAPP global information privacy community, there has been a rapid growth of U.S. privacy initiatives at the state level from 2018 through 2022. In 2023, state-level momentum for comprehensive privacy bills is at an all-time high. Each state law has different Compliance frameworks for how companies must allow consumers to exercise these rights. While there are some differences between the states’ laws, the structures are mainly similar, modeled after California’s Act.

What are the State Privacy Laws in 2023?  

Five states have enacted new state privacy laws that organizations have to comply with, from 2023.

California Privacy Rights Act of 2020 (CPRA): 

Took effect on January 1, 2023, and amends the California Consumer Privacy Act (CCPA), which gave residents the right to ask businesses to disclose the type of information they collect, why they are collecting the information and the source of the data. The updated CPRA copies the GDPR in creating a new state agency to enforce the rights of residents to prevent businesses from sharing their personal data, request that inaccuracies in their personal data be corrected, and prevent companies from using sensitive data, such as race and sexual preference.

Colorado Privacy Act (CPA): 

Takes effect July 1, 2023, and is patterned after the individual rights under GDPR. The law augments the existing privacy act by adding specific regulations such as data security laws for vendors and assessments for "high-risk" processing, as well as clarifications for how the law will be enforced.

Connecticut Data Privacy Act (CDPA): 

Takes effect July 1, 2023, and governs how personal data privacy is protected and how data is collected and processed – also similar to GDPR – and requires additional scrutiny for "high risk" processing. The CDPA applies to organizations that control or process the personal data of at least 100,000 customers; or organizations that hold the data of at least 25,000 customers and derive over 25% of gross revenue from the sale of personal data. Penalties for noncompliance are clarified in the Connecticut State Privacy Law. 

Utah Consumer Privacy Act (UCPA): 

Takes effect Dec. 31, 2023, and will provide some GDPR-like individual rights for protecting the collection, processing, and distribution of personal data, but falls short of requiring risk assessments. The UCPA applies to organizations with an annual revenue of $25M or more; and either control or process personal data of at least 100,000 consumers, or hold the data of at least 25,000 customers and derive over 50% of gross revenue from the sale of personal data. 

Virginia Consumer Data Protection Act (VCDPA): 

Took effect on Jan. 1, 2023, and provides GDPR-like guidelines and penalties regarding how personal data is collected, processed, and distributed. The law affects any organization that processes specific quantities of personal data each year, both government and non-government. The VCDPA applies to organizations that either control or process personal data of at least 100,000 consumers, or hold the data of at least 25,000 customers and derive over 50% of gross revenue from the sale of personal data.

More details about what each of these laws entails can be found here.

Key Takeaways of the 2023 State Privacy Laws

Examples of These Provisions

State regulations regarding collecting, processing, and distributing personal data can vary significantly. If your business handles personal data in one or some of the above states, here is a sampling of some of rules you need to know:

• Where data privacy rules mainly applied to B2C companies in the past, in 2023, HR and B2B data may now be in scope as well. That means that where you may already have taken steps to protect your customers’ data, you now need to ensure that you are protecting your employee data and your vendor information with the same vigor.
  
  
• The concept of “sensitive data” has been introduced in each state’s 2023 laws, requiring either opt-in consent or application of an opt-out right. Sensitive data includes health information; personal data revealing race, religion, and sexual orientation; political or philosophical beliefs; education records; or cardholder data.
  
  
• Data retention schedules may be required to be clarified on a category-by-category basis. That means that your business may be required to specify how long specific data is stored before it is archived, anonymized, or destroyed.
  
  
• Changes in the digital advertising industry may make it harder for your marketing departments to target and engage potential customers. The laws clarify how individuals can opt-out from having their personal data used for targeted advertising or sold to third parties.
  
  
• Profiling and automated decision-making will become regulated under each law. That means that individuals have the right to avoid being subject to a decision based solely on automated processing, including profiling. Think about online insurance quotes, mortgage approvals, and credit card applications.
  

Attaining Privacy Compliance 

Given the expansion of consumer rights and heightened business obligations with regard to data privacy and Compliance, companies should take the time to find out what is privacy Compliance and the new obligations these laws present. Keep in mind, data privacy guidelines will soon be expanding further. Whether Congress ultimately passes national legislation via the American Data Privacy and Protection Act or additional states introduce their own privacy laws, it is up to each business – and their IT and Compliance departments --  to ensure they are processing personal data correctly. By complying with these guidelines, companies minimize the chances of being sued or fined and avoid future negative customer fallout and reputational damage.