Start Preparing for New State Privacy Laws That Take Effect in 2023

December 21, 2022Insights

This alert highlights key requirements in five new state privacy laws that will become effective in California, Virginia, Colorado, Connecticut and Utah in 2023. Also, please join the Gunderson Dettmer privacy team on Thursday, January 12, at 11am Pacific Time for a practical discussion on what companies need to do to comply with these new state laws. Register for the webinar here.

Background on new state privacy laws

Inspired by California’s landmark privacy law (the California Consumer Privacy Act or “CCPA”) and the European Union’s General Data Protection Regulation (“GDPR”), state legislatures across the U.S. have been busy trying to replicate those laws in their own states. Several states have now passed privacy laws, many of which are substantially similar to the CCPA and the GDPR. Many other states are actively considering similar privacy legislation, and we expect to see another active year in the privacy world in 2023. This alert highlights key requirements in these new laws – specifically, the California Privacy Rights Act, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, and the Utah Privacy Act (collectively, the “2023 State Privacy Laws”), and suggests practical steps companies should take to get ready. Note that some of the 2023 Privacy Laws are still pending final regulations, which could change the requirements.

If you are already compliant with the CCPA and/or GDPR, you can leverage a lot of your prior privacy compliance work when you prepare for the 2023 State Laws, but there are several important changes coming into play in 2023, and most companies will need to update existing privacy notices, extend additional rights to consumers and update contracts with vendors, among other things. In this alert, we walk you through key new requirements, consumer rights, penalties for non-compliance, and how to begin preparing for these laws.

Which states have passed new privacy bills and when do they come into effect?

In the past year, legislatures in Utah, Colorado, Connecticut, and Virginia have passed broad privacy laws that come into effect and will be enforced in 2023. Specifically:

  • The Virginia Consumer Data Protection Act (“Virginia Act”), which becomes effective January 1, 2023;
  • The Colorado Privacy Act (“Colorado Act”), which becomes effective July 1, 2023;
  • The Connecticut Act Concerning Personal Data Privacy and Online Monitoring (“Connecticut Act”), which becomes effective July 1, 2023; and
  • The Utah Privacy Act (“Utah Act”), which becomes effective December 1, 2023.

Additionally, in the 2020 election, California voters approved a ballot initiative that amends the CCPA. This ballot initiative created the California Privacy Rights Act (“CPRA”), which takes effect on January 1, 2023, and will be enforced from July 1, 2023. For a summary of the CPRA, which amends the CCPA, see our previous client alert here.

Is your company subject to the 2023 State Privacy Laws?

A business must meet the thresholds listed below in order to be subject to each law as a “controller” or a “business.” While there are slight variations in the definitions across the 2023 State Privacy Laws, generally, as in the GDPR, a “controller” or “business” is defined as an entity that meets the applicability threshold set out by the respective law (as summarized below) and that controls the means and purposes of processing personal information. However, regardless of whether the company meets the thresholds below, a company may still have obligations under these laws as a “processor,” “service provider,” or “contractor,” when processing personal information on behalf of a controller or business.

The following table outlines the thresholds that a company must meet in order to be subject to these laws as a “controller” or a “business.

California Privacy Rights Act

Applies to a business that does business in California, determines the purposes and the means of the processing of California consumers' personal information, and that meets one or more of the following: 

  • Has annual gross revenues as of January 1 in the preceding calendar year of $25M+
  • Buys, sells or shares the personal information of 100,000 California consumers or households; or
  • Derives from 50% or more of its revenues from selling or sharing personal information. 
Colorado Privacy Rights Act

Applies to a business that produces or delivers commercial products or services that are intentionally targeted to Colorado residents and that either: 

  • Controls or processes the personal information of 100,000 or more Colorado consumers during a calendar year; or
  • Derives revenue or receive a discount of goods or services from the sale of personal information and processes or controls the personal information of 25,000+ Colorado consumers. 
Utah Consumer Privacy Act

Applies to business that (i) conducts business in Utah or produces a product or service that is targeted to consumers who are Utah residents, (ii) has annual revenue in excess of $25M and (iii) satisfies one or more of the following triggers: 

  • During a calendar year, controls or processes personal information of 100,000 or more Utah consumers; or
  • Derives over 50% of the entity's gross revenue from the sale of personal information and controls or processes personal information of 25,000 or more consumers.
Connecticut's Act Concerning Personal Data Privacy and Online Monitoring

Applies to persons that conduct business in Connecticut or persons that produce products or services that are targeted to residents of Connecticut and that during the preceding calendar year: 

  • Controlled or processed the personal information of 100,000 or more Connecticut consumers (subject to certain exceptions); or 
  • Controlled or processed the personal information of 25,000 Connecticut consumers or more and derived more than 25% of their gross revenue from the sale of personal information. 
The Virginia Consumers Data Protection Act

Applies to persons that conduct  business in the Commonwealth and either: 

  • Control or process personal information of at least 100,000 Virginia consumers; or
  • Derive over 50% of gross revenue from the sale of personal information and control or process personal information of at least 25,000 Virginia consumers. 

What are key similarities among the 2023 State Privacy Laws?

Each of these laws generally requires controllers to provide certain disclosures to consumers regarding their processing of personal information and provides certain rights to residents of the applicable states regarding their personal information (“Personal information Rights”). While subject to separate conditions and exceptions, each of these new privacy laws provides consumers with the right to delete, access, opt-out of sale, opt-out of targeted (cross-contextual) advertising, and non-discrimination for exercising the foregoing rights.

Additionally, each of these laws provide enforcement authority to state government bodies, which could include the applicable state attorney general, or a privacy-specific agency such as the California Privacy Protection Agency. For a more detailed comparison of these laws, see our table on “What do the 2023 State Privacy Laws require” below.

What are key differences between the 2023 State Privacy Laws?

Each of the 2023 State Privacy Laws has its own particularities. Some key differences between these laws include:

  • Exemptions. Each of the 2023 State Privacy Laws, except the California Act, provide exemptions for personal information collected in the employment and commercial context.
  • Consumer rights. All of the laws except the Utah Act provide consumers with the right to correct personal information and the right to opt out from certain profiling activities.
  • Appeals process. The Virginia Act, the Connecticut Act, and the Colorado Act require controllers to establish a process for individuals to appeal refusals to take action regarding an exercised Personal information Right. However, under the California Act, the business has the discretion to decide whether to offer an appeals process.
  • Cure periods. While each of the laws provide businesses with a cure period after being notified by relevant enforcement agency of a violation, the cure period varies between laws. Additionally, under certain laws, the cure period is discretionary and/or only offered under certain conditions.
  • Private right of action. Only the California Act provides a private right of action, meaning that consumers can enforce their rights directly against the business. However, this private right of action only applies if certain personal information of the consumer is subject to a data breach.

Additional details on key requirements of the 2023 State Privacy Laws can be found in the following section. 

What do the 2023 State Privacy laws require?

The goal of the 2023 State Privacy Laws is to regulate the collection, use, and sharing of personal information. To do this, each of these laws impose requirements in relation to disclosures, consumer rights, data protection assessments, and privacy principles (such as data minimization). Below is a summary of key consumer rights and controller responsibilities in the 2023 State Privacy Laws:

Practical Steps: What can you do to prepare now?

We recommend taking the following steps to start updating your existing privacy compliance program for the 2023 State Privacy Laws:

  1. Determine whether each law applies, and conduct a gap assessment of your existing privacy compliance program. This includes an assessment of whether your company acts as a “business” or “controller” and whether it meets the thresholds for these definitions under each law, as well as whether it may be acting as a “service provider,” processor,” or “contractor” by processing personal information on behalf of a customer that is a “controller” or “business” under one or more of the 2023 State Privacy Laws. When acting as a service provider, processor, or contractor, you may have specific obligations under the contract with your customer. Based on this assessment, you can create a privacy compliance roadmap for 2023.
  2. Make sure your data inventory and compliance records are up to date. Many existing privacy laws already require data inventories, and most companies have already gone through some form of a data mapping exercise. However, updates under the 2023 State Privacy Laws will be needed to identify processing of sensitive personal information, employee and applicant data, and B2B contact data. You will also likely need to update your data map to account for online advertising tools and tracking technologies in place, as well as profiling and automated decision making.  Document steps taken to comply with privacy laws, and be prepared to furnish documentation to regulators upon request.
  3. Determine if you are engaging in certain regulated processing activities that trigger additional requirements. This may include, for example:
    • Evaluating whether your disclosure of personal information to third parties may constitute a “sale” of personal information. Companies that sell personal information must provide certain disclosures to consumers and allow them to opt-out of the sale. The definition of “sale” is broader than most would expect, and can include sharing data through the use of third party cookies on your website. 
    • Evaluating whether you share personal information with third parties for cross-context behavioral advertising.  Companies that share personal information for these purposes must provide consumers with the ability to opt-out of sharing.
    • Evaluating whether you process sensitive personal information. Depending on which state law is implicated and the purposes for which you process the sensitive personal information, you may be required to obtain the consumer’s consent or provide an opportunity to opt-out. You may also be required to conduct a data protection assessment or risk assessment.
    • Evaluating whether you are conducting profiling activities, including any automated processing, to evaluate, analyze, or predict aspects of an individual’s life or preferences, in which case additional obligations will apply.
  4. Strategize your approach with respect to applicable Personal Information Rights. The Personal Information Rights you are required to comply with will vary depending on applicable laws and your processing activities.
  5. Assess and update, as needed, your policies and notices, including:
    • Your privacy policy and any other public notices;
    • Cookie consent mechanisms;
    • Customer and vendor contracts, including data processing agreements; and
    • Privacy notices to employees and candidates under the California Act.
  6. Consider technical solutions to help your compliance. For example, the California Act (and, starting in July 2023, Colorado's Act) requires that your website honors global privacy signals such as the Global Privacy Control, allowing consumers to opt out of targeted advertising and/or the sale of personal information through a pre-determined signal. You may also want to leverage third party solutions to ensure you have a compliant cookie consent and data subject rights management tool.
  7. Determine if you need to conduct a Data Protection Impact Assessment. Each law has specific requirements regarding conducting a risk assessment with respect to certain "high risk" processing activities. In many cases we recommend that you perform an impact assessment for all data processing to ensure compliance with purpose limitations, data minimization and privacy by design requirements.
  8. Make sure you have a data retention policy that is followed throughout your organization. Based on your data mapping results, your data retention policy should specify the reasonably necessary retention period for each type of data.
  9. Make sure your data security safeguards and data breach preparedness meet legal requirements and are appropriate for the level of risk associated with your data. Review and update your written information security program (including your vendor management program) and incident response protocol, and perform data breach simulations (“tabletop exercises”). Consider if any third party audits or certifications (such as SOC2, ISO 27001, ISO 27701 or adherence to a NIST framework) are appropriate for your organization.

How can GD help?

If you have any questions regarding this alert or need assistance with evaluating your obligations under the 2023 State Privacy Laws, please reach out to your Gunderson Dettmer attorney or contact a member of our data privacy team:

Anna Westfelt
Cecilia Jeong
Frida Alim
James Gately
Brian Hall