Connecticut becomes the fifth state to pass a comprehensive privacy law. Are you prepared for state privacy law compliance required in 2023?

Despite a shifting privacy landscape and passage of the EU’s General Data Protection Regulation (GDPR) in 2016, the United States has lagged in adopting a comprehensive Federal privacy law. Nevertheless, over the past few years, particular states have prioritized consumer privacy to address growing concern regarding the unfettered and largely unregulated collection, use and disclosure of consumer personal information.[1] Following the watershed moment created through passage of the California Consumer Privacy Act (CCPA) of 2018, an increasing number of states have followed suit to pass comprehensive privacy laws. Yet, the question remains regarding how many states must pass similar laws before the Federal government takes on the charge of passing a comprehensive privacy law.

Most recently, Connecticut joins this trailblazing group with a nearly unanimous vote supporting the Connecticut Data Privacy Act (CTDPA). This law follows on the heels of Utah passing the Utah Consumer Privacy Act (UCPA), Colorado passing the Colorado Privacy Act (CPA) and Virginia passing the Virginia Consumer Data Protection Act (VCDPA). Further, the CCPA will soon be functionally replaced by the California Privacy Rights Act (CPRA). While these laws share numerous similarities, they diverge in some significant ways that will make compliance a challenge for businesses. As such, businesses are encouraged to learn more about the nuances of these laws to be better prepared for the fast-approaching compliance deadlines.

Compliance Deadlines: Get Your House in Order

Privacy Law                                      Effective Date
California Privacy Rights Act (CPRA)             1/1/2023
Virginia Consumer Data Protection Act (VCDPA)    1/1/2023
Colorado Privacy Act (CPA)                       7/1/2023
Connecticut Data Privacy Act (CTDPA)             7/1/2023
Utah Consumer Privacy Act (UCPA)                 12/31/2023

States as Laboratories of Democracy: Reimagining the Privacy Patchwork

While state privacy policies often deviate based on differences in resident sensitivities, these new state laws share some salient similarities. For example, each governs businesses that conduct business in the respective state, or otherwise target consumers in that state, and that process personal data and/or profit from its sale above certain volume or revenue thresholds. Each law imposes notice and data protection obligations on businesses subject to it. Each law grants consumers rights over their personal data and a means to exercise and enforce those rights. Each law empowers the respective state Attorney General to enforce the law.

For example, the CPA, CPRA, CTDPA, and VCDPA, much like the GDPR, impose stringent requirements on individuals and businesses that determine the purpose and means of processing personal data (referred to as “controllers”). Controllers are also required to enter into a written agreement with any third party that processes personal data at the direction of the controller (referred to as “processors”). Prior to engaging in certain activities such as targeted advertising or sale of personal data, these laws require that controllers conduct and document a data protection assessment.

Like the CCPA and GDPR, the laws in Colorado, Connecticut, Virginia, and Utah afford residents of each state certain rights with respect to their personal data. In particular, these new laws provide residents with the right to access, correct (with the exception of Utah), and delete their data, and to obtain a copy of their data in a portable and readily usable format. Businesses will need to ensure that residents of these states are made aware of these rights by adding supplemental terms to their website privacy policies, which should also address the business's obligations under each law. Further, these laws afford consumers additional rights to control the processing of their "sensitive personal data."

Yet, these laws differ in several significant ways as well. As such, a business's compliance efforts to date around the CCPA and GDPR do not guarantee that it will automatically comply with the new state laws coming online in 2023. First and foremost, the CPRA significantly expands consumer rights beyond the CCPA. The CPRA creates the California Privacy Protection Agency, extends the rights provided by the CCPA, and adds new consumer rights such as the right to correct inaccuracies in personal information and the right to limit how sensitive personal information is processed. Yet, unlike the CPRA (and the UCPA), which instead let consumers limit or opt out of such processing, the new Virginia, Colorado, and Connecticut laws require consumer consent (i.e., an affirmative opt-in) before a business may process sensitive personal data.

From an enforcement perspective, there are also significant deviations. For example, the CPRA (like the CCPA) affords consumers a limited private right of action for certain data breaches, while the laws in Virginia, Utah, Colorado, and Connecticut provide no private right of action at all. Further, the rulemaking authority afforded to the enforcing agencies varies across these states. The CPA empowers the Colorado Attorney General to issue regulations, and the CCPA and CPRA empower the California Attorney General (and, under the CPRA, the new California Privacy Protection Agency) to do so, but neither Virginia, Utah, nor Connecticut grants such rulemaking authority to its Attorney General. These deviations, especially those related to consumer rights, may create conflicts and provide an impetus for resolution at the Federal level.

Further complicating matters, businesses operating nationwide or in multiple states will need to comply with the most stringent requirements among this growing patchwork of comprehensive state privacy laws.

State of the Union: Will Congress Pass Comprehensive Privacy Legislation?

It appears that the privacy tidal wave starting on the west coast has made its way eastward and continues to pave the way for other similarly minded states to pass comprehensive privacy laws. Will this tidal wave spur Federal action to harmonize the disparities among these laws?

Both private and public actors have encouraged Federal action in the hope of harmonizing compliance frameworks, and the country has looked to Capitol Hill to pass a Federal privacy law. It is unlikely, however, that a comprehensive Federal law will come soon, as evidenced by such legislation fizzling at various stages within Congress. Yet, even in these early days of state action on privacy, the writing on the wall appears to be coming into focus.

Epstein Becker Green will be closely following the rulemaking process in these states as implementing regulations are developed, and as other states continue to legislate in this area. For additional information about the issues discussed above, or if you have any other privacy, cybersecurity, and data asset management concerns, please contact the Epstein Becker Green attorney who regularly handles your legal matters, or one of the authors of this blog post.

************

[1] See also The Washington Post Editorial Board, Lack of a federal privacy law opens the door to dystopia, The Washington Post (May 5, 2022), https://www.washingtonpost.com/opinions/2022/05/05/clearview-ai-dystopia-congress-must-pass-federal-privacy-law/.

Back to Health Law Advisor Blog
