5 new US state privacy laws to go into effect in 2023: what to know
Advertisers will face new regulatory hurdles in 2023. Here are the key dates and details to know.
New privacy laws are sure to shake things up for advertisers everywhere / Adobe Stock
As debates over consumer data privacy heat up – the California Attorney General issuing its first CCPA penalty to the tune of $1.2m, Biden preparing to issue an executive order on international data transfers and the US Federal Trade Commission putting new privacy plans into motion – businesses everywhere are navigating fresh landmines.
One of the biggest changes on the horizon is the forthcoming implementation and enforcement of five new US state privacy laws. The laws will force businesses to adopt new practices designed to give consumers greater say over how and when their personal information is used commercially.
For organizations reliant on the use of consumer data – many advertisers chief among them – it’s time to assess how to adapt core data policies and practices ahead of potential enforcement action.
Luckily, most forthcoming privacy laws have many lookalike requirements. “From a business perspective, there are a lot of similarities between the state privacy laws that will become effective in 2023,” explains Caitlin Chin, a fellow at the Center for Strategic and International Studies, where her research focuses on tech regulation. “In general, they will incorporate data minimization provisions, requirements for ‘reasonable’ security measures to protect personal information, enhanced transparency or disclosure requirements and greater individual controls over data collection, processing and retention. These are all basic principles that private companies can consider preemptively implementing everywhere, not just in California, Utah, Virginia, Colorado and Connecticut.”
Here are the dates and details to know about the five new state privacy laws slated to go into effect in 2023.
The California Privacy Rights Act (CPRA)
CPRA, which amends the California Consumer Privacy Act (CCPA) of 2018, goes into effect on January 1 2023.
CPRA more accurately mirrors the EU’s sweeping General Data Protection Regulation (GDPR) and introduces a smattering of new consumer protections.
It applies to all for-profit businesses that do business in California and meet any of three other requirements: (1) have a gross annual revenue over $25m; (2) buy, sell or receive the personal data of 100,000 or more California residents or households; (3) can attribute 50% or more of their annual revenue to the sales or sharing of California residents’ personal data.
According to Kirk Nahra, a leading privacy attorney and the co-chair of both the big data practice and the cybersecurity and privacy practice at international law firm WilmerHale, the CPRA presents the “biggest changes” for businesses compared to other state laws – especially considering that its rules protect employees and contractors working for businesses that meet the qualification threshold.
Under CPRA, businesses are required to give notice to consumers if they plan to collect and sell or use their data, and consumers are able to opt out of the sale and sharing of their information. California residents can also ask organizations to update or remedy inaccuracies in their data. Plus, under CPRA, organizations face limitations on how much data they can collect and use under new data minimization requirements; they are only allowed to collect personal information that is necessary for legitimate business functions.
The new law also requires businesses to disclose the ways they harvest, use and share sensitive data – which includes social security numbers, genetic data, passport information, precise geolocation information, race and religious affiliation. While a range of US states will require user opt-in for the processing of sensitive data, California goes a step further by enabling consumers to limit the use of sensitive data.
Broadly, the collection and exchange of sensitive data is a growing concern among regulators, according to experts. “The heightened protections for sensitive personal information are among the most impactful changes that will take effect next year – and will undoubtedly be an enforcement priority,” says Arielle Garcia, senior vice-president and chief privacy officer at ad agency UM Worldwide.
The advertising industry, she says, should be on high alert. “Marketers should pay close attention to the sensitive data, known and inferred, that they are collecting, using and sharing in the course of refreshing their data inventories. This includes data shared via pixel and server-to-server integration – as well as partner data – like audience segments comprised of sensitive attributes or sensitive inferences. Understanding this will be central to compliance, and also will enable marketers to consider how data availability changes may impact their strategies.”
The Virginia Consumer Data Protection Act (CDPA)
Also effective January 1 2023, Virginia’s far-reaching data privacy regulation applies to businesses in Virginia or businesses that offer services and products targeted to Virginia residents and that also: (1) control or process the personal information of 100,000 or more Virginia residents; or (2) control or process the personal information of at least 25,000 Virginia residents and also derive 50% or more of their total revenue from the sales of consumers’ personal data.
Under the law, state residents can opt out of data collection and sale. Businesses to which CDPA applies must ask permission before collecting sensitive data, and consumers are given the choice to opt out.
Like CPRA, CDPA also includes data minimization requirements; businesses can only gather and hold consumer data deemed reasonably necessary for business.
The Colorado Privacy Act (CPA)
The new Colorado Privacy Act, signed into law in 2021, is set to become enforceable beginning on July 1 2023.
Covered organizations are those doing business in Colorado or targeting their services and products to Colorado residents and that also: (1) process or control the personal data of over 100,000 consumers annually; or (2) derive revenue or enjoy discounts on services and goods from selling the personal data of 25,000 consumers or more. Not-for-profit organizations that meet the requirements are not exempt.
Under CPA, businesses are required to issue a notice to consumers explaining what kinds of personal information they collect or process, as well as the specific purposes for doing so and with whom this data may be shared. The law requires businesses to seek consent in order to collect and process sensitive data.
Covered organizations must provide consumers with a “reasonably accessible, clear and meaningful” privacy notice that discloses information about the organization’s data collection and sharing policies and practices. Furthermore, businesses must agree to data processing contracts with service providers ahead of transferring any consumer data. Unlike CPRA, CPA does not apply to employment records and some other types of data.
However, like other state laws going into effect in 2023, CPA includes an opt-out requirement. Consumers are able to opt out of the sale of their personal information, being profiled and receiving targeted advertising.
How the proliferation of opt-out rights will impact consumer behavior and business at large remains to be seen. “In general, there is broad consensus among privacy advocates that opt-out mechanisms are not enough to protect individual privacy and that businesses should not condition privacy protections on notice-and-choice,” says Chin. “This is why, regardless of whether or not an individual chooses to opt out of targeted advertising, private businesses and marketers will need to be aware of the fine print of individual state provisions related to data minimization, consumer profiling and third-party data sharing.”
CPA carries higher penalties for noncompliance; fines may be up to $20,000 per violation (compared to Virginia’s maximum of $7,500). And while businesses are given a 60-day cure period for violations – where CPRA, CDPA and others offer just 30 days – the notice of violation and right to cure provision is set to expire on January 1 2025. Ultimately, organizations will need to get – and stay – on track before 2025 to avoid high fines.
The Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTPDA)
CTPDA, signed into law in May of this year, will go into effect on July 1 2023.
The law applies to any business conducting business in Connecticut or targeting residents with its products or services that also: (1) controls or processes the personal data of 100,000 or more Connecticut residents each year; or (2) generates over 25% of its gross revenue from selling consumers’ personal data and processes or controls the personal data of 25,000 or more Connecticut residents.
Under CTPDA, consumers can access and delete personal information that has been collected by businesses.
Much like CPA, CTPDA allows consumers to opt out of data sales, profiling and targeted advertising. CTPDA includes additional opt-out mechanisms specific to biometric data and children’s data – a key privacy concern for the federal government. Plus, like other state laws, CTPDA requires consumers’ explicit consent for the collection and processing of sensitive data.
Additionally, businesses subject to CTPDA must practice data minimization; they may only collect personal data dubbed relevant and reasonably necessary.
CTPDA enforcement may be slightly less stringent than other state privacy laws; fines for individual violations may only be as high as $5,000 and companies have a 60-day cure period – although the cure period provision expires at the end of 2024 (though the state attorney general may still grant cure periods at their discretion).
The Utah Consumer Privacy Act (UCPA)
UCPA outlines all-new privacy protections for Utah residents. It goes into effect at the end of the year, on December 31 2023.
The law applies to any company that conducts business in Utah or targets Utah residents with its products or services, has an annual revenue of $25m or more and either: (1) controls or processes the personal data of 100,000 or more Utah residents; or (2) derives more than 50% of its gross revenue from selling consumers’ personal data or processes or controls the personal information of 25,000 or more Utah residents.
With its revenue threshold, Utah’s law takes aim at larger businesses, ensuring that small- and medium-sized organizations are given greater leeway when it comes to the collection, storage, use and sale of consumer data.
The protections outlined in UCPA mirror many of those found in Virginia’s CDPA: consumers can request a copy of their data files and access and delete their own personal information. Plus, businesses must provide a notice to consumers that spells out the kinds of personal data they gather and use and the purposes for doing so. The notice must also outline the kinds of consumer data shared with third parties and who those parties are.
Under a data minimization clause, covered organizations can only collect personal information deemed relevant and necessary.
However, UCPA requires an opt-out mechanism but not an opt-in before businesses process personal data – with the exception of sensitive data. Under the law, consumers can opt out of sharing data that would otherwise be shared with third parties for advertising purposes. They cannot, however, opt out of automated profiling.
Ultimately, UCPA is much more business- and advertiser-friendly than other state privacy laws.
Implications for marketers
These and other forthcoming privacy regulations and enforcement actions will erect new hurdles for the advertising ecosystem at large, which has for years relied on the smooth collection and exchange of consumer data.
“All of the forthcoming consumer privacy laws have one thing in common,” says Amy Pimentel, a partner at international law firm McDermott Will & Emery. She specializes in data protection, privacy and cybersecurity law. “Businesses need to provide consumers with more information and more choices about data usage. For marketers specifically, this means providing consumers with the means to opt out of retargeting and cross-context behavioral advertising.”
The changes, she predicts, will force industry players to innovate. “The rules for digital marketing will change in the coming year, pushing digital marketing teams to come up with creative ways to build brands and promote products. When developing a marketing strategy for 2023 and beyond, businesses should think about how to provide meaningful choices and how to honor those choices without losing key revenue streams and awareness platforms.”
Her advice? Begin earlier rather than later, and prioritize consumer choice by building out consent mechanisms and user controls.
The sentiment is echoed by industry leaders including Jessica Simpson, senior vice-president of solutions consulting and verified technology at Publicis Media, who argues that trust is a prerequisite for any interaction that a consumer has with an advertiser – whether offline or online. As such, it’s a marketer’s job to generate trust by putting consumers’ wishes first.
“The only way to fully recognize [that trust] is by understanding what motivates the people that drive your business, and then further educating those people on why they should continue to interact with your brand,” she says. “The best way to do this is to understand [consumers’] preferences inside and out. Present them with choices, value and enough information about how to access their data, and how you plan to use their data. Do this while simultaneously honoring consumer choice by jurisdiction, enforcing obligations and activating consented data via privacy-enhancing technology – specifically next-gen consent management platforms and consumer trust and privacy platforms.”
At the end of the day, Simpson says, “marketing ultimately owns the trust that is forged between the consumer and their brand.”