July 10, 2023

Get Ready for 2023: What You Need to Know about the New Consumer Privacy Laws in the US

Discover the latest insights on the 2023 US consumer privacy laws and their implications for businesses. Learn about the key compliance requirements and how SecurePrivacy can help protect your customers' data and ensure legal adherence. Stay informed to navigate the changing landscape of consumer privacy and safeguard your business reputation.

The United States has seen the most activity on data protection legislation in 2023. Although the world's largest economy has resisted the trend of enacting comprehensive data protection legislation at the federal level, its federal states have taken steps to protect consumer data privacy to some extent. 

It is important to note that, in contrast to most other laws around the world, US states rely on the opt-out principle. They pass new laws and grant previously unheard-of consumer protection rights, but they are not as comprehensive as in other parts of the world. 

This article will look at the laws that will go into effect in 2023 as well as those that may be passed this year. 

Data Privacy Laws in the US Coming Into Force in 2023

In 2023, the following consumer data privacy laws will go into effect: 

  • The California Privacy Rights Act (CPRA) came into effect on January 1, 2023. 
  • The Virginia Consumer Data Protection Act (VCDPA) came into effect on January 1, 2023. 
  • The Colorado Privacy Act (CPA) will go into effect on July 1, 2023. 
  • The Connecticut Data Privacy Act (CTDPA) will take effect on July 1, 2023.
  • The Utah Consumer Privacy Act (UCPA) will go into effect on December 31, 2023.

California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA) went into effect on January 1, 2023, and it imposed the following obligations on businesses: 

  • Allowing consumers to opt out of the sale of personal information
  • Allowing consumers to limit the processing of sensitive personal information
  • Implementing data minimization and purpose limitation principles
  • Honoring CPRA consumer requests
  • Providing consumers with a privacy notice
  • Ensuring that your service providers comply with the law
  • Establishing a data retention period

If you own a business in California or sell to people in California and meet at least one of the following criteria, you must abide by these rules: 

  • Has annual gross revenue of over $25 million in the preceding calendar year.
  • Buys, sells, or shares the personal information of 100,000 or more consumers or households.
  • Gets 50% or more of its annual revenues from selling or sharing consumers’ personal information.

Businesses that engage in extensive marketing practices will easily fall under the purview of the CPRA. If your company must comply, read our in-depth article on CPRA requirements.

Virginia Consumer Data Protection Act (VCDPA)

Each violation of the Virginia Consumer Data Protection Act (VCDPA) will result in a $7,500 fine. Businesses that are registered in Virginia or sell to Virginia customers must comply if they meet at least one of the following criteria: 

  • Controls or processes personal data of at least 100,000 Virginia residents, or
  • Controls or processes personal data of at least 25,000 Virginia consumers and derives over 50% of gross revenue from the sale of personal data in a calendar year.

The following are some of the legal requirements for affected businesses: 

  • Allow consumers to opt out of the sale of personal information
  • Provide consumers with a privacy notice
  • Have data processing agreements in place with your data processors
  • Honor consumer requests
  • Conduct a privacy impact assessment if required for your processing activities

More information on the Virginia Consumer Data Protection Act can be found here. It went into effect on January 1, 2023. 

Colorado Privacy Act (CPA)

The Colorado Privacy Act took effect on July 1, 2023. It imposes the following obligations on affected businesses: 

  • Provide consumers with mechanisms to opt-out of the sales of personal information, targeted advertising, and profiling
  • Provide consumers with a privacy notice
  • Conduct data protection impact assessment where there is a risk to consumers
  • Honor consumer requests

Failure to comply with CPA requirements results in penalties of up to $20,000, the highest penalty cap in the US. You must follow the law if you are registered in Colorado or offer goods or services to people in Colorado and meet at least one of the following thresholds: 

  • 100,000 consumers or more during a year,
  • 25,000 consumers or more, and derive revenue from selling personal data (including by receiving a discount on the price of goods or services).

The thresholds are not as high as they appear on the surface. If your Facebook Pixel collects browsing data from at least 100,000 Colorado residents, you will be subject to the law. 

More information on the CPA can be found in our in-depth article. You can also learn about CPA's Cookie Consent Requirements.

Connecticut Data Privacy Act (CTDPA)

The Connecticut Data Privacy Act (CTDPA) took effect on July 1, 2023, and it includes requirements similar to those of the CPA, such as: 

  • Allow consumers to opt-out of the processing of sensitive personal information
  • Collect and process only the minimum amount of data needed for the processing purpose
  • Provide consumers with a privacy notice
  • Conduct data protection assessments where the processing may pose a risk.

Furthermore, the applicability criteria are the same as in Colorado law. The CTDPA applies to Connecticut businesses as well as non-Connecticut businesses that interact with Connecticut customers if they meet at least one of the following requirements: 

  • Process the data of 100,000 or more consumers, excluding personal data controlled or processed solely for completing a payment transaction, or
  • Process the data of 25,000 or more consumers and derive more than 25% of their gross revenue from selling personal data.

We have an in-depth article on CTDPA requirements for your business where you can learn more about how to prepare for compliance. 

Utah Consumer Privacy Act (UCPA)

The Utah Consumer Privacy Act (UCPA) will take effect on December 31, 2023. You should be ready if you: 

  • Conduct business in the state of Utah or produce a product or service that is targeted to consumers who are Utah residents, and
  • Have annual revenue of $25,000,000 or more, and
  • Meet one or more of the following thresholds:

It will not affect all businesses, but if you are required to comply, you must be prepared to: 

  • Provide consumers with mechanisms to opt out of the sale of personal information or of targeted advertising
  • Have processing agreements in place
  • Provide consumers with a privacy notice
  • Honor consumer requests

The fine is up to $7,500 per violation. 

More information about the Utah UCPA can be found here. 

Consumer Data Privacy Laws That Have Been Passed in 2023

US state legislators have been very busy in 2023. So far, five US states have passed their own consumer data privacy laws. Montana, Iowa, Indiana, Tennessee, and Texas are the five new US states whose laws are coming into effect in the next two years.

Iowa Data Privacy Act (IDPA)

The Iowa Data Privacy Act was signed into law on March 28, 2023. It comes into effect on January 1, 2025.

It won’t affect all businesses, but only those that do business in Iowa or target Iowa residents, and either:

  • Control or process the personal data of more than 100,000 consumers, or
  • Control or process the personal data of more than 25,000 consumers and derive at least 50% of their gross revenue from selling the data.

Unlike in some other US states, there are no revenue thresholds.

The IDPA brings the usual legal obligations for affected businesses, such as:

  • Limit the data processing to the specified purposes
  • Provide consumers with a privacy notice
  • Allow consumers to opt out of the sale of personal information
  • Respond to consumer requests for access, deletion, portability, opt-out, and others
  • Have written contracts with service providers
  • Ensure that the data is kept secure

Check out our latest article to explore IDPA in more detail.

Indiana Data Privacy Law (IDPL)

The Indiana Data Privacy Law was signed on May 1, 2023 and comes into effect on January 1, 2026. Until then, affected businesses have enough time to adjust to its requirements.

If you comply with other privacy laws already, it won’t be much of a hassle. The IDPL requirements overlap greatly with other US state privacy laws.

It applies to businesses doing business from Indiana or targeting Indiana residents that:

  • Control or process the personal data of more than 100,000 consumers, or
  • Control or process the personal data of more than 25,000 consumers and derive at least 50% of their gross revenue from selling the data.

Again, there are no revenue thresholds for applicability.

The IDPL grants consumers privacy rights including the right to know, to delete, to opt out, and others. It requires businesses to:

  • Honor consumer requests
  • Allow consumers to opt out of the sale of personal information
  • Provide them with a comprehensive privacy notice
  • Conduct data impact assessment in the case of targeted advertising
  • Limit the processing to the intended purposes
  • Obtain explicit consent for the processing of sensitive personal data

Tennessee Information Protection Act (TIPA)

The Tennessee Information Protection Act (TIPA) was passed on May 11, 2023. Starting from July 1, 2025, it affects businesses that:

  • Do business from Tennessee or with Tennessee residents,
  • Exceed $25 million in annual revenue, and
  • Meet one of the following criteria:

If the TIPA applies to you, here’s what you must do:

  • Provide consumers with a privacy notice and a privacy policy
  • Honor consumer requests to know, access, delete, and others
  • Process the data only for the purposes it has been collected for
  • Allow consumers to opt out of the sale of their data
  • Have written contracts with service providers

Montana Consumer Data Privacy Act (MTCDPA)

The Montana Consumer Data Privacy Act (MTCDPA) made Montana the ninth US state to pass a data privacy law. It was passed on May 19, 2023 and comes into force on October 1, 2024.

It applies to businesses operating from Montana or targeting Montana residents that either:

  • Control or process the personal data of more than 50,000 Montana consumers, or
  • Control or process the personal data of more than 25,000 Montana consumers and derive at least 50% of their gross revenue from selling the data.

That brings the following obligations:

  • Respond to consumers’ requests
  • Enable consumers to opt out of the sale of data
  • Recognize universal opt-out mechanisms
  • Serve consumers with a privacy notice and a privacy policy
  • Obtain explicit consent before collecting sensitive data
  • Conduct data protection impact assessments for processing sensitive data, selling data, or using data for targeted advertising and/or profiling.

Check out our article on MTCDPA.

Texas Data Privacy and Security Act (TDPSA)

The Texas Data Privacy and Security Act (TDPSA) was passed on May 28, 2023 and will be enforced starting from July 1, 2024.

The TDPSA applies to businesses that:

  • Operate in Texas or target Texas residents,
  • Process or engage in the sale of personal information, and
  • Are not excluded as a small business according to the Small Business Administration.

The definition of small business by the Small Business Administration is vague and depends on various criteria.

The two primary criteria used by the SBA to define a small business are:

  • Employee-based size standards taking into account the average number of employees in a business over a 12-month period. The number of employees can vary depending on the industry. For example, in manufacturing, the limit for a small business ranges from 500 to 1,500 employees, depending on the specific industry.
  • Revenue-based size standards, taking into account the average annual revenue of a business over a specific period. The revenue thresholds also vary by industry. For example, in the retail trade industry, the maximum average annual receipts for a business to be considered small can range from $7.5 million to $41.5 million, depending on the specific type of retail trade.

If you belong to any of these groups, here’s what you need to do from October 2024:

  • Allow opting out of the sale of personal data
  • Honor consumer requests
  • Obtain explicit consent for the processing of sensitive data
  • Conduct data protection impact assessments
  • Have written contracts with service providers

If you're interested in learning more, check out our article on TDPSA.

Delaware Personal Data Privacy Act (DPDPA)

The Delaware Personal Data Privacy Act was passed on June 30, 2023 and is set to take effect on January 1, 2025, pending governor approval.

The DPDPA covers businesses that:

  • Control or process the personal data of more than 35,000 consumers, or
  • Derive 20% of revenue from selling the data of more than 10,000 consumers.

Notably, the DPDPA does not exempt most nonprofit organizations and contains a 60-day cure provision that sunsets on December 31, 2025.

If you are covered by the DPDPA, here is a list of what you’re required to do:

  • Limit the collection of personal data to what is adequate, relevant, and reasonably necessary
  • Obtain consent for the processing of sensitive data
  • Honor consumer requests
  • Allow consumers to opt out of processing through an opt-out preference signal
  • Provide a privacy notice to consumers
  • Conduct data protection assessments

Update: On September 11, 2023, Delaware Governor John Carney signed the Delaware Personal Data Privacy Act (DPDPA). Understand what you need to know about the DPDPA.

Oregon Consumer Privacy Act (OCPA)

On June 22, 2023, the Oregon Consumer Privacy Act was passed. The bulk of the OCPA’s requirements will take effect on July 1, 2024 (with a July 1, 2025 effective date for nonprofit organizations).

The OCPA applies to businesses doing business from Oregon or targeting Oregon residents that:

  • Control or process the personal data of more than 100,000 consumers, or
  • Control or process the personal data of more than 25,000 consumers and derive at least 25% of their gross revenue from selling the data.

The OCPA introduces novel consumer rights that businesses need to be aware of. Aside from the rights to access, correct, delete, and receive personal information, individuals have the following additional rights:

  • Right to obtain a list of the “specific third parties” to whom a controller discloses personal data
  • Right to request the deletion of “derived data”

The OCPA requires businesses that are covered to:

  • Obtain consent for the processing of sensitive data
  • Obtain affirmative consent in order to profile adolescent data
  • Honor consumer requests
  • Allow consumers to opt-out of targeted advertising, data sales, and significant profiling decisions
  • Provide a privacy notice to consumers
  • Conduct data protection impact assessments and retain them for five years

Consumer Data Privacy In the US That May Be Passed in 2023

The laws mentioned above have been passed. Some have already gone into effect, while others are about to. 

The following laws could be enacted within the next year. It is unknown whether this will occur, but it is never too early to become acquainted with them. 

American Data Privacy and Protection Act (ADPPA)

The American Data Privacy and Protection Act (ADPPA) could be the country's first comprehensive federal data protection law. It is, however, still too early to conclude that it will be passed. Its future is unknown. 

The current draft law is still being discussed in legislative bodies. Although it is based on the opt-out principle, as opposed to the opt-in principle of the GDPR, LGPD, and other data protection laws, it imposes greater obligations on businesses than the existing state consumer privacy laws. 

It may be passed in its current form or an amended one by 2023, so every business owner should learn what the law requires. More information can be found here. It will have an impact on all businesses operating in the United States, whether domestic or foreign. 

New York Privacy Act (NYPA)

The first draft of the New York Privacy Act (NYPA) has already been criticized due to its broad definitions, but it is still being worked on in legislative bodies.

It may, however, bring some changes. It prescribes opt-out rights and other consumer privacy rights for New Yorkers as of January 1, 2023, and requires businesses to obtain explicit consumer consent before processing their personal data. If the law is passed as written, New York will be the first state in the United States to require explicit consumer consent. 

Furthermore, it necessitates that businesses conduct regular privacy impact assessments. 

Michigan Consumer Privacy Act (MCPA)

The Michigan Consumer Privacy Act (MCPA) was introduced in 2021 but is still navigating the state legislative mazes. If passed, it will provide consumers with data protection rights such as the right to know, the right to erasure, the right to opt-out of the sale of personal information, and other rights similar to those found in other state laws in the United States. 

The law would apply to businesses conducting business in Michigan or targeting Michigan consumers that either:

  • Control or process the personal information of at least 100,000 Michigan consumers, or
  • Control or process the personal information of at least 25,000 Michigan consumers and derive at least 50% of their revenue from the sale of personal information.

Ohio Personal Privacy Act (OPPA)

The Ohio Personal Privacy Act (OPPA) was introduced in 2022 and is expected to pass in 2023. Consumers have the right to access, delete, opt-out, change, and correct information under the current draft. 

Customers will also be able to opt out of targeted advertising. 

Noncompliance penalties are set at $5,000 per violation, but businesses will have a 30-day grace period. 

Pennsylvania Consumer Data Privacy Act and Consumer Data Protection Act (PCDPA)

In Pennsylvania, two privacy protection laws are vying for passage: the Consumer Data Privacy Act and the Consumer Data Protection Act. Both are very similar and provide consumers with the same privacy rights as other laws in the United States. 

In addition to granting consumer rights, both require businesses to adhere to the principles of data minimization and purpose limitation and to conduct privacy assessments. 

Other Important Events

Two other significant events occurred that are not related to the laws that will go into effect in 2023 or that may become laws in the same year. 

One of them is a law that takes effect in 2024, but you should plan for it sooner. The other is the recently announced US-EU data-flow agreement. 

California’s CAADCA

To protect children's online privacy, California's legislative bodies passed the California Age-Appropriate Design Code Act (CAADCA) in 2022. It goes into effect on July 1, 2024. It affects businesses that handle children's personal information and provide goods and services that children are likely to use, such as those that: 

  • Have elements that are usually of children’s interests, such as games and cartoons
  • Are directed to children, such as video games
  • Have features that are essentially similar to features routinely accessed by children
  • Have been accessed by a significant number of children, which can be assessed by evidence.

Businesses that must comply with the CAADCA should start planning as soon as possible and adjust their privacy practices to meet the new legal requirements. Among them are the following: 

  • Provide privacy by default
  • Provide clear terms and conditions
  • Provide a clear privacy policy
  • Conduct children's privacy protection impact assessments
  • Tailor the products to the users’ age
  • Provide the child with a signal that they are being tracked or monitored by a parent or a guardian, if applicable
  • Honor privacy requests.

Some requirements necessitate adjusting products and services to the new reality, so make sure you do so before 2024. 

EU-US Data Flow Agreement

The Transatlantic Privacy Framework was announced by the European Commission in December 2022 as a proposed adequacy decision for the transfer of data between the EU and the US. 

A few days later, NOYB's Max Schrems announced that the decision violated the GDPR and that they would file a complaint as soon as possible. 

In 2023, we can expect two things: 1) free data flows between the US and the EU, at least for the time being; and 2) NOYB will pursue a Schrems III decision, which would once again make data transfers between the EU and the US illegal without additional safeguards. 

Final Thoughts

The rest of the world has recently passed numerous data protection laws, while the US has resisted at both the federal and state levels. 

Nowadays, the majority of new laws are enacted in the United States. If you operate there, whether from the United States or elsewhere, you must keep a close eye on the legislative processes to stay up to date on new laws and requirements. You can return to our blog to learn more about this subject. We will continue to update our blog as soon as the new laws are enacted.
