Throughout 2023, five new US state privacy laws take effect. These laws will change the privacy landscape of the US. They share many similarities—but they vary in important ways.
Here are 2023’s new US state privacy laws, together with the date on which they take effect.
- 1 January: California Privacy Rights Act (CPRA)
- 1 January: Virginia Consumer Data Protection Act (VCPDA)
- 1 July: Connecticut Data Privacy Act (CTDPA)
- 1 July: Colorado Privacy Act (CPA)
- 31 December: Utah Consumer Privacy Act (UCPA)
This article will explore these five US state privacy laws, looking at which businesses they cover and what those businesses must do to comply.
Application
Each of 2023’s new state privacy laws applies differently. But they all have “extraterritorial scope”. The laws cover entities based outside of their respective states if those entities conduct business or offer goods or services to residents inside the state.
Each law provides two or three tests to determine whether a controller (or “business” in California) falls within its scope. But the tests are slightly different in each state.
To be covered by a state’s law, a controller must meet one or more of the three thresholds in the table below.
NB: In Utah, Threshold 1 PLUS either Threshold 2 or 3 (or both) must be met.
For the preceding calendar year:
- Threshold 1: Minimum gross annual revenues.
- Threshold 2: Minimum number of consumers or households about whom the controller processed personal data.
- Threshold 3: Both of the following components:
-
- Component 1: Minimum number of consumers or households about whom the controller “controlled or processed” personal data.
- Component 2: Minimum proportion of annual revenues derived from selling consumers’ personal data.
Here’s how the thresholds work under each state law:
| Threshold 1: Annual Revenues | Threshold 2: Quantity of Data | Threshold 3: Data Selling | |
| California (CPRA) | $25 million or more | Data about 100,000 consumers or households bought, sold or shared | Component 1: Not applicable
Component 2: 50% of revenues (selling or sharing) |
| Virginia (VCPDA) | Not applicable | Data about 100,000 consumers controlled or processed | Component 1: 25,000 consumers
Component 2: 50% of revenues |
| Colorado (CPA) | Not applicable | Data about 100,000 consumers controlled or processed | Component 1: 25,000 consumers
Component 2: Any amount (including discounts on goods and services) |
| Connecticut (CTPA) | Not applicable | Data about 100,000 consumers controlled or processed | Component 1: 25,000 consumers or households
Component 2: 25% of revenues |
| Utah (UTCPA) | $25 million or more (this threshold plus at least one other must be met) | Data about 100,000 consumers controlled or processed | Component 1: 25,000 consumers or households
Component 2: 50% of revenues |
If a business meets any one of these three thresholds in a given state, and the business serves or targets consumers in that state, the business will be covered by the law (with the exception of Utah’s law, as explained above).
There are some exceptions, for example for businesses covered by other privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA) and Title V of the Gramm-Leach-Bliley Act.
Consumer Rights
Each of these new laws includes some version of the following consumer rights:
- Right of access
- Right to correct (except Utah)
- Right to delete
- Right to data portability
- Right to opt out
In all states, the deadline for responding to a consumer rights request is 45 days. This deadline can be extended by another 45 days if reasonably necessary.
The specific requirements and exceptions under each consumer right vary slightly between states, particularly in respect of the “right to opt out”.
Right to Opt Out
As mentioned, each state law provides consumers with a “right to opt out”. But the activities from which consumers can opt out vary from state to state.
Each state also requires controllers to offer consumers an opt-out—or obtain an opt-in—before processing “sensitive data”. We’ll explore this further below.
California is the outlier regarding the right to opt out, so let’s look at Virginia, Colorado, Connecticut and Utah first.
Right to Opt Out in Virginia, Colorado, Connecticut and Utah
In Virginia, Colorado, Connecticut and Utah, the following types of processing activity are covered by the right to opt out:
- Targeted advertising
- The sale of personal data
- Profiling with legal or similarly significant effects (except Utah)
These concepts all have the similar definitions across the four laws:
- “Targeted advertising”: Displaying an ad based on personal data obtained “over time” and from across unaffiliated” websites or apps.
- “Profiling”: Automated processing of personal data to “evaluate, analyze, or predict” things about an individual (not defined in Utah’s law).
Regarding the definition of a “sale”, there is one important exception (again, in Utah).
- Virginia, Colorado and Connecticut define a “sale” as an exchange of personal data for “monetary or other valuable consideration” (basically any benefit).
- Utah limits its definition of a “sale” to an exchange for “monetary consideration” (just money).
Right to Opt Out in California
In California, the “right to opt out” covers:
- The sale of personal data.
- Sharing of personal data for “cross-context behavioral advertising”.
California adopts a broad definition of “sale” that covers “monetary or other valuable consideration”. “Cross-context behavioral advertising” means “targeted advertising”.
Universal Opt Out
Three of the five states require controllers to enable consumers to opt out via a “universal opt-out mechanism” at the browser level, such as the Global Privacy Control:
- California (where this is already required)
- Colorado (from 1 July 2024)
- Connecticut (from 1 Jan 2025)
Sensitive Data
Each of these five laws includes a category of “sensitive data”.
With some small differences in wording, Virginia, Colorado, Connecticut and Utah all define “sensitive data” as information about:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health conditions or diagnoses
- Sex life or sexual orientation
- Citizenship or immigration status
- Genetic or biometric data for the purpose of uniquely identifying an individual
- Precise geolocation data (except Colorado)
- Personal data collected from a known child
California’s law defines “sensitive personal information” as information about:
- Social security number, driver’s license number, state identification card number, or passport number
- Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
- Precise geolocation
- Racial or ethnic origin, religious or philosophical beliefs, or union membership
- The contents of mail, email, and text messages unless the business is the intended recipient of the communication
- Genetic data
Each law provides some rules about sensitive data:
- Virginia, Colorado and Connecticut: Controllers may not process sensitive data without opt-in consent.
- Utah: Controllers may not process sensitive data without offering the consumer an opt-out.
- California: Consumers have the right to “limit the use or disclosure” of their sensitive personal information.
Regarding children’s data:
- Virginia, Colorado, Connecticut and Utah: Children’s data must be processed in accordance with the Children’s Online Privacy Protection Act (COPPA).
- California: Businesses must not sell or share children’s data without consent (if the child is under 16) or parental consent (if the child is under 13).
Privacy Notice
Each of the five new state laws requires controllers to post a privacy notice (or a “privacy policy” in California’s language).
Virginia, Colorado, Connecticut and Utah require the privacy notice to contain the following information:
- The categories of personal data collected or processed.
- The purposes for which the categories of personal data are processed.
- How and where consumers may exercise their consumer rights.
- The categories of personal data that the controller shares with third parties, if any.
- The categories of third parties, if any, with whom the controller shares personal data.
- A disclosure of whether the controller sells personal data to third parties or processes personal data for targeted advertising.
California is more complicated. Where relevant, all of the following information must relate to the business’s activities in the preceding 12 months:
- Information about the CPRA’s consumer rights and how to exercise them.
- A list of the categories of personal information the business collected.
- The categories of sources from which consumers’ personal information is collected
- The business or commercial purpose for collecting, selling, or sharing consumers’ personal information.
- The categories of third parties to whom the business discloses consumers’ personal information.
- A list of the categories of personal information it has sold or shared (if relevant).
- A list of the categories of personal information it has disclosed about consumers (if relevant).
- A prominent disclosure that the business has not sold or shared any personal information (if relevant).
The privacy policy must be updated every 12 months.
California’s law also includes other transparency obligations, including a “notice at collection” that must be presented to consumers before collecting their personal information.
Data Minimisation and Purpose Limitation
Four of the five state laws introduces some form of “data minimisation” and “purpose limitation” requirement. These requirements are similar to those found in the EU General Data Protection Regulation (GDPR).
Under California’s law, businesses are prohibited from collecting more personal information than is “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed”.
California’s law also requires that businesses don’t retain personal information for “ longer than is reasonably necessary”.
Virginia, Colorado and Connecticut’s laws all require controllers to:
- “Limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed…”
- “…not process personal data for purposes that are neither reasonably necessary for, nor compatible with, the disclosed purposes
Utah’s law refers once to duties of “data minimisation” and “purpose specification”, but doesn’t define, describe, or otherwise refer to these concepts. The law’s reference to these now-removed provisions is left over from an early draft.
Data Protection Assessments
Virginia’s and Connecticut’s laws both require controllers to undertake a “data protection assessment” before conducting certain types of processing, including:
- Targeted advertising
- Selling personal data
- Certain types of profiling
- Processing sensitive data
- Any other processing that might present a “heightened risk of harm to consumers”
The data protection assessment involves:
- Identifying the benefits of the processing to the controller, the consumer and others.
- Identifying the risks of the processing.
- Weighing the benefits and risks.
- Identifying any safeguards that could be implemented.
Controllers should retain a written record of their data protection assessments.
Security
All five laws include a requirement for controllers to take “reasonable” security measures to protect personal data. Security measures are always relative to the nature of the processing and the business.
The laws themselves don’t impose any data breach notification obligations, but each state has its own data breach notification laws.
We hope this guide was helpful. Thank you for reading and we wish you the best of luck with improving your company’s privacy practices! Stay tuned for more helpful articles and tips about growing your business and earning trust through data-protection compliance.