January 16, 2023

Get Ready for 2023: What You Need to Know about the New Consumer Privacy Laws in the US


The United States has seen the most activity on data protection legislation this past year. Although the world's largest economy has resisted the trend of enacting comprehensive data protection legislation at the federal level, its states have taken steps to protect consumer data privacy to some extent. 

It is important to note that, in contrast to most other laws around the world, US states rely on the opt-out principle. They pass new laws and grant previously unheard-of consumer protection rights, but they are not as comprehensive as in other parts of the world. 

This article will look at the laws that will go into effect in 2023 as well as those that may be passed this year. 

Data Privacy Laws in the US Coming Into Force in 2023

In 2023, the following consumer data privacy laws will go into effect: 

  • The California Privacy Rights Act (CPRA) went into effect on January 1, 2023. 
  • The Virginia Consumer Data Protection Act (VCDPA) went into effect on January 1, 2023. 
  • The Colorado Privacy Act (CPA) will go into effect on July 1, 2023. 
  • The Connecticut Data Privacy Act (CTDPA) will take effect on July 1, 2023.
  • The Utah Consumer Privacy Act (UCPA) will go into effect on December 31, 2023. 

California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA) went into effect on January 1, 2023, and it imposed the following obligations on businesses: 

  • Allowing consumers to opt out of the sale of personal information
  • Allowing consumers to limit the processing of sensitive personal information
  • Implementing the data minimization and purpose limitation principles
  • Honoring CPRA consumer requests
  • Providing consumers with a privacy notice
  • Ensuring that your service providers comply with the law
  • Establishing a data retention period

If you own a business in California or sell to people in California and meet at least one of the following criteria, you must abide by these rules: 

  • Has annual gross revenue of over $25 million in the preceding calendar year.
  • Buys, sells, or shares the personal information of 100,000 or more consumers or households.
  • Gets 50% or more of its annual revenues from selling or sharing consumers’ personal information.

Businesses that engage in extensive marketing practices will easily fall under the purview of the CPRA. If your company must comply, read our in-depth article on CPRA requirements. 

Virginia Consumer Data Protection Act (VCDPA)

Each violation of the Virginia Consumer Data Protection Act (VCDPA) will result in a $7,500 fine. Businesses that are registered in Virginia or sell to Virginia customers must comply if they meet at least one of the following criteria: 

  • Controls or processes personal data of at least 100,000 Virginia residents, or
  • Controls or processes personal data of at least 25,000 Virginia consumers and derives over 50% of gross revenue from the sale of personal data in a calendar year.

The following are some of the legal requirements for affected businesses: 

  • Allow consumers to opt out of the sale of personal information
  • Provide consumers with a privacy notice
  • Have data processing agreements in place with your data processors
  • Honor consumer requests
  • Conduct a privacy impact assessment if required for your processing activities

More information on the Virginia Consumer Data Protection Act can be found here. It went into effect on January 1, 2023. 

Colorado Privacy Act (CPA)

The Colorado Privacy Act takes effect on July 1, 2023. It imposes the following obligations on affected businesses: 

  • Provide consumers with mechanisms to opt out of the sale of personal information, targeted advertising, and profiling
  • Provide consumers with a privacy notice
  • Conduct data protection impact assessment where there is a risk to consumers
  • Honor consumer requests

Failure to comply with CPA requirements results in penalties of up to $20,000, the highest penalty cap in the US. You must follow the law if you are registered in Colorado or offer goods or services to people in Colorado and meet at least one of the following thresholds: 

  • Control or process the personal data of 100,000 consumers or more during a calendar year, or
  • Control or process the personal data of 25,000 consumers or more and derive revenue from selling personal data (including by receiving a discount on the price of goods or services).

The thresholds are not as high as they appear on the surface. If your Facebook Pixel collects browsing data from at least 100,000 Colorado residents, you will be subject to the law. 

More information on the CPA can be found in our in-depth article.

Connecticut Data Privacy Act (CTDPA)

The Connecticut Data Privacy Act (CTDPA) takes effect on July 1, 2023, and it includes similar requirements to the CPA, such as: 

  • Allow consumers to opt out of the processing of sensitive personal information
  • Collect and process only the minimum amount of data needed for the processing purpose
  • Provide consumers with a privacy notice
  • Conduct data protection assessments where the processing may pose a risk

Furthermore, the applicability criteria are the same as in Colorado law. The CTDPA applies to Connecticut businesses as well as non-Connecticut businesses that interact with Connecticut customers if they meet at least one of the following requirements: 

  • Process the data of 100,000 or more consumers, excluding personal data controlled or processed solely for completing a payment transaction, or
  • Process the data of 25,000 or more consumers and derive more than 25% of their gross revenue from selling personal data.

We have an in-depth article on CTDPA requirements for your business where you can learn more about how to prepare for compliance. 

Utah Consumer Privacy Act (UCPA)

The Utah Consumer Privacy Act (UCPA) will take effect on December 31, 2023. You should be ready if you: 

  • Conduct business in the state of Utah or produce a product or service that is targeted to consumers who are residents of the state, and
  • Have annual revenue of $25,000,000 or more, and
  • Meet one or more of the following thresholds:
    - During a calendar year, control or process the personal data of 100,000 or more Utah residents, or
    - Derive over 50% of the entity’s gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.

It will not affect all businesses, but if you are required to comply, you must be prepared to: 

  • Provide consumers with mechanisms to opt out of the sale of personal information or of targeted advertising
  • Have processing agreements in place
  • Provide consumers with a privacy notice
  • Honor consumer requests

The fine is up to $7,500 per violation. 

More information about the Utah UCPA can be found here. 

Consumer Data Privacy Laws in the US That May Be Passed in 2023

The laws mentioned above have been passed. Some have already gone into effect, while others are about to. 

The following laws could be enacted within the next year. It is unknown whether this will occur, but it is never too early to become acquainted with them. 

American Data Privacy and Protection Act (ADPPA)

The American Data Privacy and Protection Act (ADPPA) could be the country's first comprehensive federal data protection law. It is, however, still too early to conclude that it will be passed; its future is unknown. 

The current draft law is still being discussed in legislative bodies. Although it is based on the opt-out principle, as opposed to the opt-in principle of the GDPR, LGPD, and other data protection laws, it imposes greater obligations on businesses than the existing state consumer privacy laws. 

It may be passed in its current form or another by 2023, so every business owner should learn what the law requires. It will have an impact on all businesses operating in the United States, whether domestic or foreign. More information can be found here. 

New York Privacy Act (NYPA)

The first draft of the New York Privacy Act (NYPA) has already been criticized due to its broad definitions, but it is still being worked on in legislative bodies.

It may, however, bring some changes. It prescribes opt-out rights and other consumer privacy rights for New Yorkers as of January 1, 2023, and requires businesses to obtain explicit consumer consent before processing their personal data. If the law is passed as written, New York will be the first state in the United States to require explicit consumer consent. 

Furthermore, it necessitates that businesses conduct regular privacy impact assessments. 

Michigan Consumer Privacy Act (MCPA)

The Michigan Consumer Privacy Act (MCPA) was introduced in 2021 but is still making its way through the state legislative process. If passed, it will provide consumers with data protection rights such as the right to know, the right to erasure, the right to opt out of the sale of personal information, and other rights similar to those found in other state laws in the United States. 

The law would apply to businesses conducting business in Michigan or targeting Michigan consumers that either:

  • Control or process the personal information of at least 100,000 Michigan consumers, or
  • Control or process the personal information of at least 25,000 Michigan consumers and derive at least 50% of their revenue from the sale of personal information.

Ohio Personal Privacy Act (OPPA)

The Ohio Personal Privacy Act (OPPA) was introduced in 2022 and is expected to pass in 2023. Consumers have the right to access, delete, opt-out, change, and correct information under the current draft. 

Customers will also be able to opt out of targeted advertising. 

Noncompliance penalties are set at $5,000 per violation, but businesses will have a 30-day grace period. 

Pennsylvania Consumer Data Privacy Act and Consumer Data Protection Act (PCDPA)

In Pennsylvania, two privacy protection laws are vying for passage. The Consumer Data Privacy Act is one, and the Consumer Data Protection Act is another. Both are very similar and provide consumers with the same privacy rights as other laws in the United States. 

In addition to granting consumer rights, both would require businesses to adhere to the principles of data minimization, purpose limitation, and privacy assessments. 

Other Important Events

Two other significant events occurred that are not related to the laws that will go into effect in 2023 or that may become laws in the same year. 

One of them is a law that takes effect in 2024, but you should plan for it sooner. The other is the recently announced US-EU data-flow agreement. 

California’s CAADCA

To protect children's online privacy, California's legislative bodies passed the California Age-Appropriate Design Code Act (CAADCA) in 2022. It goes into effect on July 1, 2024. It affects businesses that handle children's personal information and provide goods and services that children are likely to use, such as those that: 

  • Have elements that are usually of interest to children, such as games and cartoons
  • Are directed to children, such as video games
  • Have features that are essentially similar to features routinely accessed by children
  • Have been accessed by a significant number of children, which can be assessed by evidence

Businesses that must comply with the CAADCA should start planning as soon as possible and adjust their privacy practices to meet the new legal requirements. Among them are the following: 

  • Provide privacy by default
  • Provide clear terms and conditions
  • Provide a clear privacy policy
  • Conduct children's privacy protection impact assessments
  • Tailor the products to the users’ age
  • Provide the child with a signal that they are being tracked or monitored by a parent or guardian, if applicable
  • Honor privacy requests

Some requirements necessitate adjusting products and services to the new reality, so make sure you do so before 2024. 

EU-US Data Flow Agreement

The Transatlantic Privacy Framework was announced by the European Commission in December 2022 as a proposed adequacy decision for the transfer of data between the EU and the US. 

A few days later, NOYB's Max Schrems announced that the decision violated the GDPR and that they would file a complaint as soon as possible. 

In 2023, we can expect two things: 1) free data flows between the US and the EU, at least for the time being; and 2) NOYB will pursue a Schrems III decision, which would once again make data transfers between the EU and the US illegal without additional safeguards. 

Final Thoughts

Over the past few years, the rest of the world passed numerous data protection laws while the US resisted at both the federal and state levels. 

Nowadays, the majority of new laws are enacted in the United States. If you operate there, whether from the United States or elsewhere, you must keep a close eye on the legislative processes to stay up to date on new laws and requirements. You can return to our blog to learn more about this subject. We will continue to update our blog as soon as the new laws are enacted.
