5 US State Privacy Laws taking effect in 2023
Posted: January 9, 2023
As privacy concerns continue to grow—and with a US federal privacy law still yet to pass—more and more states are taking matters into their own hands by passing their own comprehensive legislation to safeguard people’s data.
In 2023, five US states see new privacy laws go into effect, further strengthening data protection for individuals and imposing new rules on businesses of all kinds.
In this blog post, we’ll take a look at what these laws involve and consider how they’ll impact businesses operating in these states.
Jan 1, 2023: California Privacy Rights Act (CPRA)
The California Privacy Rights Act (CPRA) amends the California Consumer Privacy Act (CCPA), which was the first comprehensive US privacy law.
If you’re not already compliant with the CPRA, it’s past time to get to work, as the law also has a “look-back” covering data processed from Jan 1, 2022.
Among other changes to California’s privacy rules, the CPRA introduces a new concept of “sensitive personal information,” slightly amends the criteria for applicability, and brings new rules around the “sharing” of personal information.
Given that California announced its first CCPA enforcement action last August—a $1.2m settlement with French cosmetics company Sephora—compliance with the state’s new law should be a top priority.
Jan 1, 2023: Virginia Consumer Data Protection Act (VCDPA)
Virginia became the second US state to enact a comprehensive privacy law with the Virginia Consumer Data Protection Act (VCDPA), which is similar in scope to the CCPA but with some crucial differences.
The VCDPA applies to any business doing business in Virginia or targeting Virginia residents that (annually):
- Controls or processes the personal data of at least 100,000 consumers
- Controls or processes the personal data of at least 25,000 consumers and derives at least 50% of its gross revenues from selling personal data
The law provides Virginians with many of the same rights afforded to Californians under the CCPA. And the VCDPA specifically requires businesses to offer consumers the “right to opt out” of targeted ads, the sale of personal data, and certain profiling activities.
This means the VCDPA will have one particularly important impact: businesses covered by the law must offer some mechanism (such as a “cookie banner”) to enable Virginia-based users to opt out of ad-targeting.
Businesses engaged in targeted advertising must also conduct a “data protection impact assessment” (DPIA) to assess the possible impacts on consumers’ privacy.
July 1, 2023: Connecticut Data Privacy Act (CTDPA)
The Connecticut Data Privacy Act (CTDPA) applies more broadly than the other laws on this list, affecting any business doing business in Connecticut or targeting Connecticut residents that (annually):
- Controls or processes the personal data of at least 100,000 consumers
- Controls or processes the personal data of at least 25,000 consumers, and derives at least 25% of its gross revenues from selling personal data
The CTDPA provides similar rights to Virginia’s law (above), which means businesses must provide a way to enable users in Connecticut to opt out of targeted advertising.
Businesses also have until 2025 to comply with a “universal opt out” mechanism, such as the Global Privacy Control (GPC), allowing consumers to automatically opt out of tracking at the browser level.
July 1, 2023: Colorado Privacy Act (CPA)
The Colorado Privacy Act (CPA) applies in the same way as Virginia and Connecticut’s laws (above), with one important difference.
If a business processes the personal information of over 25,000 consumers annually, any amount of revenue generated from selling personal information will bring the business in scope (unlike Virginia and Connecticut, which set the threshold at 50% and 25% of revenues respectively).
The rules under the CPA are similar to those under Virginia’s new law (above), requiring businesses to offer an opt out of targeted advertising and facilitating consumers’ access to and control over their personal information.
Unlike with Virginia’s law, there’s no requirement for CPA-covered businesses to conduct an “impact assessment” before running an ad-targeting program.
But from July 2024, like under Connecticut’s law, covered businesses will have to respect “universal opt out” signals received from Colorado residents.
Dec 31, 2023: Utah Consumer Privacy Act (UCPA)
The Utah Consumer Privacy Act (UCPA) takes effect on New Year’s Eve. The law shares a lot with Virginia and Colorado’s laws (above), except for a few tweaks that make the UCPA arguably the least demanding state privacy law taking effect in 2023.
For example, Utah’s law is the most narrowly applicable of all five laws on our list. Thresholds are the same as Virginia’s new privacy law, except it only applies to businesses with $25 million or more in gross annual revenues.
Utah has implemented the “right to opt out” of targeted advertising, which can also be found in Virginia’s and Colorado’s new laws. But unlike consumers in those other two states, Utah residents will not have the right to opt out of “profiling”.
The UCPA also introduces rights of access and deletion—but it forgoes the right of correction, which is present in the other four state privacy laws being introduced in 2023.