Welcome to the era of heightened data privacy! In 2023, four new data privacy laws have taken center stage with one more on the horizon, revolutionizing the way we protect our personal information.
These laws introduce groundbreaking measures to safeguard individual rights, promote transparency, and reshape the landscape of targeted advertising. Let’s explore the key aspects of these laws, highlight their shared features and unique nuances, and take a glimpse into the future of privacy regulations.
Get ready for a comprehensive journey through the latest data privacy developments.
New state privacy laws
In 2023, four new data privacy laws have gone into effect, with a fifth law set to slide in on the last day of the year. California’s CPRA and Virginia’s VCDPA came into effect on January 1, 2023. Colorado’s CPA and Connecticut’s CTDPA came into effect on July 1, 2023. We sometimes refer to Virginia, Colorado, and Connecticut’s privacy laws as “fraternal triplets” because they have a similar structure and phrasing around rights, exceptions, and transparency requirements. The good news is that if you’ve already complied with Virginia’s law, you won’t have to change much to ensure compliance with Colorado and Connecticut.
Unlike California, the triplets share these novel aspects:
- The right to opt out of certain kinds of profiling that make significant decisions, like denying housing, a loan, or access to utilities.
- The right to appeal. If your business denies someone’s request to delete or correct their data, you’ll need to have a process in place within your company for the consumer to appeal your denial.
- Data Protection Assessments. Businesses must do a data protection assessment about the information they collect and share for targeted advertising and other sensitive activities. Regulators may come asking for these assessments.
Colorado has more enforcers than Virginia and Connecticut, where only attorney generals are enforcing. Colorado has 22 district attorneys that are set to enforce its privacy law along with the attorney general. Colorado also has a universal opt-out requirement, meaning that consumers should be able to turn on a setting in their browser that will opt them out of the sale and sharing of their personal information for targeted advertising. This requirement will go into effect on July 1, 2024. Businesses will need new processes in place to make sure they not only recognize the opt-out signal, but also internal processes to support putting this signal into place.
Utah’s UCPA is the fifth data privacy law that will go into effect in 2023, effective December 31. Utah is the “business-friendly cousin” of the triplets. It has many of the same requirements as Virginia, Colorado, and Connecticut, but with no regulation of profiling, no data protection assessments, higher thresholds of application, and no right to appeal.
Regulatory action
Regulations are clarifications issued by state agencies to complement existing legislation. Colorado’s initial regulations, which took effect simultaneously with the law, address various aspects of the CPA, similar to California’s initial CCPA regulations.
However, Colorado differentiates itself by providing more comprehensive guidance on Universal Opt-Out Mechanisms (UOOMs) compared to California. The Colorado Attorney General will publish a list of OOPSes that businesses must comply with by January 1, 2024.
As for California, their second round of regulations is currently under development and focuses on areas that were not fully addressed in the initial rulemaking. This round primarily concentrates on automated decision-making, cybersecurity audits, and risk assessments.
Unlike California, Colorado provides more detailed requirements for valid UOOMs and mandates the attorney general to maintain a list of approved mechanisms that businesses must recognize. While this approach may be more restrictive, it offers clearer guidelines for businesses seeking compliance.
Additionally, Colorado specifies the implementation of data protection assessments from the start of the law’s enforcement and establishes thorough criteria for determining the legitimacy of secondary data collection purposes and consumer choice requests.
Currently, California’s CCPA mentions the right to opt out of profiling, risk assessments, and audits without providing specific instructions on how to conduct these practices. The upcoming regulations are expected to clarify the scope of these aspects, including which businesses must comply, when audits/assessments need to be conducted, and their respective requirements.
The comment period on these regulations concluded in March, but the timeline for finalization remains uncertain. While the first round of regulations faced delays due to the establishment of the California Privacy Protection Agency (CPPA) and the groundbreaking nature of California’s privacy law, the second round is anticipated to proceed more swiftly.
Consumer privacy rights request trends
As privacy news continues to dominate headlines, consumer awareness and the number of privacy requests will increase together. DataGrail’s Privacy Trends 2023 report found that the total volume of Data Subject Requests (DSRs) per 1M identities grew by 72% YoY from 2021 to 2022, likely driven by global media attention focusing on high-profile privacy issues and fines.
For organizations working toward privacy compliance, it’s important to remember that more laws are on the horizon as consumers demonstrate a hunger for privacy rights. In fact, DataGrail’s trend report revealed that 52% of DSRs in the United States come from consumers in unprotected states.
What’s next in privacy
The number of states that have passed consumer privacy laws has already doubled in 2023, and many more states are considering their own.
States with privacy bills that have passed and been signed into law are:
- Indiana (effective January 1, 2026)
- Iowa (effective January 1, 2025)
- Montana (effective October 1, 2024)
- Tennessee (effective July 1, 2025)
- Texas (effective July 1, 2024)
Most of these new state laws are similar to the laws in Virginia, Colorado, and Connecticut. However, Texas is a bit of an outlier because it has a complex applicability threshold.
Applicability thresholds for these new laws are generally as follows:
- Process the data of 100k residents
- OR process the data of 25k residents AND collect 50% (or in one case 25%) of revenue from the sale of personal data
- Tennessee’s threshold requires the collection of $25M in annual revenue and the processing of 175k residents’ data.
In addition to these general consumer privacy laws, Washington and Nevada have passed project laws focused on health data. Washington’s My Health My Data law, however, is very broad and vague, making it crucial for all companies to take notice and understand its implications.
There is no threshold, so if you do business with even one person in Washington, you have to comply with this law. It covers anything that could be used to even infer health data. Also, Washington’s law has a private right of action, which is unique and adds to the risk for companies that must comply with it.
Some of the other states with active data privacy bills are:
- Oregon
- North Carolina
- Pennsylvania
- New Jersey
- Delaware
- Massachusetts
The International Association of Privacy Professionals (IAPP) has a useful privacy legislation tracker that shows the status of state privacy laws at a glance.
As each state enacts its own privacy law, the urgency for Congress to pass a federal law intensifies. Congress has been actively addressing privacy and artificial intelligence through hearings and committee meetings.
The American Data Privacy and Protection Act (ADPPA) made progress by advancing out of committee in 2022. However, it encountered obstacles related to preemption, private right of action, divided government, and timing. Lawmakers are grappling with these issues, which are complicating the advancement of the legislation.
SixFifty & DataGrail: your complete data privacy team
Data privacy professionals at companies like SixFifty and DataGrail can help your company keep track of this overwhelming volume of changes and additions to privacy laws around the country. For a more in-depth discussion of the current status of data privacy in the United States, check out our webinar on 2023 privacy trends.
SixFifty’s US Privacy allows companies to draft a single set of compliance documents that covers every state. Our legal team is composed of thought leaders that have created the best legal documents for companies. We will notify you when a law has changed and your documents need a refresh. As more states pass data privacy laws, we update our document generators so your documents are always in compliance.
DataGrail’s core belief is that trust builds transparency. DataGrail is an integrated solution helping companies construct comprehensive privacy programs that empower people with more control over their privacy and identity.
The partnership of DataGrail and SixFifty allows your company access to a complete privacy suite—the most robust offering on the market—so you can focus on what you do best.
