States’ momentum for releasing their own consumer privacy legislation is quickly picking up pace. So far this year, almost 200 consumer privacy bills have been introduced, roughly 70 of which (covering 25 states) sought to establish state-specific omnibus consumer privacy laws. Several states (e.g., Florida, Washington, and New York) tried to pass bills similar to those proposed in prior years, but to no avail. However, Utah and Connecticut were both successful in their mission this year, passing the Utah Consumer Privacy Act (UCPA) in March and the Connecticut Data Privacy Act (CTDPA) in May. Despite being only recently signed into law, these two regulations will go into effect in 2023, alongside California’s Privacy Rights Act (CPRA), Virginia’s Consumer Data Protection Act (CDPA), and Colorado’s Privacy Act (CPA).
For laws like the CPA, CTDPA, and UCPA, organizations will have more time to achieve compliance since they go into effect in either July or December 2023. For those in scope of the CPRA and the Virginia CDPA, the clock is quickly ticking down to that January 1, 2023, deadline. Although these regulations will go into effect soon, there is still time to get prepared! And, even if your organization does not need to comply with these laws today, they all share many similarities, so preparing for compliance now will help as the patchwork of state privacy laws grows in the U.S.
Since complying with several state data privacy laws can be a daunting task, we are focusing on the key requirements of the five passed and enacted privacy laws to help you streamline compliance.
The Five State Privacy Laws Coming in 2023
California Privacy Rights Act (CPRA) | January 1, 2023
In June 2018, the California Consumer Privacy Act (CCPA) was signed into law, creating the first comprehensive privacy law in the United States. After the CCPA went into effect in January 2020, a ballot initiative was introduced that amended the CCPA and provided additional privacy protections for California consumers. The California Privacy Rights Act (CPRA) was voted into law in November 2020.
Even though the CPRA was passed in November 2020, the CCPA will continue to be the governing privacy law of California until January 1, 2023 – the CPRA’s effective date. However, some provisions of the CPRA have already gone into effect, including its look-back provision that started on January 1, 2022.
Under the CPRA, California consumers are given the right to know, delete, and correct, as well as the right to limit the use and disclosure of sensitive personal information, the right of non-retaliation, and the right to opt out of the sale or sharing of personal information and automated decision-making technology.
The CPRA expands the current CCPA private right of action to include additional categories of personal information (e.g., email addresses in combination with a password or security question and answer that would permit access to a consumer’s account). The CPRA creates the first government authority dedicated to privacy enforcement – the California Privacy Protection Agency (CPPA) – which has the administrative power, authority, and jurisdiction to implement and enforce the law. The Attorney General will continue to retain enforcement authority even after the CPRA goes into effect. Although there is a 30-day cure period implemented under the CCPA, the CPRA will remove this right.
Currently, the penalty for violating the CCPA can range from $2,500 per unintentional violation to $7,500 for each intentional violation. The CPRA will also include a new penalty of up to $7,500 for violations (even if unintentional) that involve minors under the age of 16, which is triple that of the CCPA.
The CPRA is set to go into effect on January 1, 2023, with enforcement of the law beginning on July 1, 2023.
Consumer Data Protection Act (CDPA) | January 1, 2023
On March 2, 2021, the Consumer Data Protection Act (CDPA) was passed, making Virginia the first state to enact comprehensive privacy legislation after California. Under the CDPA, Virginia consumers have the right to submit a request to access the personal data collected about them, correct inaccuracies in that data, and delete personal data they have provided or that has been obtained about them. Virginia consumers can also opt out of the sale of their personal data, targeted advertising, and profiling.
The CDPA does not provide a private right of action for consumers. Instead, the Virginia attorney general has investigative authority over the provisions of the CDPA and can impose civil penalties of up to $7,500 per violation, as well as any reasonable expenses incurred in investigating and preparing the case. Organizations will have 30 days to effectively address and cure any violations before the attorney general can take enforcement action. This cure period is not set to sunset.
On April 11, 2022, three amendments to the CDPA were passed, completing the amendment process for the CDPA and finalizing the text of the law. The three bills, respectively, add a new exemption to the right to delete, modify the law’s definition of nonprofits to include political organizations, and repeal the consumer privacy fund provision to direct penalties, expenses, and attorney fees into a preexisting state treasury fund.
These three new bills will go into effect on July 1, 2023, 6 months after the CDPA becomes effective on January 1, 2023.
Colorado Privacy Act (CPA) | July 1, 2023
On July 7, 2021, Colorado followed in California and Virginia’s footsteps by becoming the third state to pass extensive consumer privacy legislation – the Colorado Privacy Act (CPA). The CPA gives Colorado consumers the rights of access, correction, deletion, and data portability, along with the right to opt out of the processing of their personal data for targeted advertising, profiling, and the sale of personal information.
The CPA does not provide for a private right of action, but it does give broad enforcement authority to both the Colorado attorney general and district attorneys. Prior to any enforcement of the CPA, organizations will be given 60 days to rectify any alleged violations, up until January 1, 2025. At that time, the right to cure will sunset, and organizations can request opinion letters and interpretative guidance from the attorney general’s office as an alternative. Violations of the CPA constitute a deceptive trade practice under the Colorado Consumer Protection Act, which is punishable by civil penalties of up to $20,000 per violation and a maximum penalty of $500,000 for related violations.
The CPA is set to go into effect on July 1, 2023.
Utah Consumer Privacy Act (UCPA) | December 31, 2023
Utah became the fourth state to pass a state privacy law on March 24, 2022, with the Utah Consumer Privacy Act (UCPA). With its unique bifurcated enforcement process involving the attorney general and the Division of Consumer Protection and its unending right-to-cure provision, the UCPA is currently considered the most business-friendly of the five passed privacy laws. The UCPA does not have a private right of action, does not include a right to correction, and does not provide special rights or requirements for processing the data of children between 13 and 16, making its provisions less onerous and burdensome than some of the other state privacy laws. There is also no requirement for controllers to conduct a data protection assessment of processing activities.
Utah consumers are granted the rights of access, deletion (only of the personal data that they have directly provided), and data portability; however, they are not given the right to correct inaccuracies in their data. Utah consumers can also opt out of targeted advertising or the sale of their personal data but cannot do so for purposes of profiling. Any violations of the Utah state law can lead to a fine of up to $7,500 per violation.
The UCPA is scheduled to take effect on December 31, 2023, the last of the five currently passed state privacy laws to become effective.
Connecticut Data Privacy Act (CTDPA) | July 1, 2023
The Connecticut Data Privacy Act (CTDPA) is the fifth state privacy law to be passed, joining California, Virginia, Colorado, and Utah on May 10, 2022. Connecticut consumers are given the rights of access, deletion, correction, and data portability, as well as the ability to opt out of the processing of their personal data for targeted advertising, profiling, and the sale of their personal data. The CTDPA also grants consumers the ability to designate another person as an authorized agent to exercise the right to opt out on their behalf.
There is no private right of action in the CTDPA, giving the Connecticut attorney general exclusive enforcement authority over the law’s provisions. Compliance violations of the CTDPA will constitute an unfair trade practice under the Connecticut Unfair Trade Practices Act (CUTPA), which can carry civil penalties of up to $5,000 per violation. Before any enforcement action can be taken, businesses will be given 60 days to cure any alleged violations. However, beginning eighteen months after the CTDPA’s effective date (January 1, 2025), the right to cure for businesses will sunset and the Connecticut attorney general will be given the ability to grant this right based on their discretion. Controllers must also conduct a data protection assessment for any processing activities that present a heightened risk of harm to consumers, which must be made available to the attorney general upon request.
Although the most recent law to pass, the CTDPA will go into effect on July 1, 2023.
In the absence of a federal privacy framework, many states are taking the necessary action to better protect consumers by passing their own comprehensive data privacy law. Since the five upcoming data privacy laws draw inspiration from each other, they all have considerable similarities, simplifying compliance. However, there are also subtle differences that can make compliance more challenging for organizations operating in multiple locations.
But, effectively preparing for the changes these privacy laws will bring and making privacy a priority throughout your organization will ensure you’re in a good position to adapt to local, state, and even federal privacy requirements in the future.
All five of these privacy laws will be here before you know it. Don’t look back at the end of 2022 wishing you had started your compliance efforts sooner. Let Focal Point and CDW help you seamlessly achieve and maintain compliance with all new and upcoming consumer privacy laws.