The states of Colorado, Connecticut, Utah and Virginia recently enacted new state data privacy laws (and California passed significant revisions to its existing data privacy law) that require tailored-to-each-state privacy policy changes. While the California Privacy Rights Act ("CPRA") and Virginia Consumer Data Protection Act ("VCDPA") went into effect on January 1, 2023, the Colorado Privacy Act ("CPA") and Connecticut Data Privacy Act ("CDPA") will go into effect on July 1, 2023, and the Utah Consumer Privacy Act ("UCPA") will go into effect on December 31, 2023.

While these state privacy laws contain several similar compliance requirements that overlap, there are also certain provisions that are unique to each statute. Given the interplay of the five separate laws, it is essential that businesses that operate in these jurisdictions (and meet the consumer data thresholds) make all necessary state specific privacy policy changes to ensure compliance.

What State Specific Privacy Policy Changes Should I Make so that It Complies with the New State Data Privacy Laws?

State Specific Privacy Policy Updates Necessitated by the Recent Wave of State Laws

Businesses that took the necessary steps to comply with the previously passed California Consumer Privacy Act ("CCPA") will already be compliant with many of the requirements contained within the other state data privacy laws. However, California's update to the CCPA, as well as the laws passed by the four other states, will require significant additional state-specific privacy policy revisions even for those entities that already navigated the CCPA compliance process. Below is a partial list of some of the required disclosures that businesses must include in their respective privacy policies in order to comply with the laws:

  • Businesses must disclose what categories and specific items of personal information are collected about consumers covered by the applicable consumer privacy laws;
  • Businesses must disclose what sources they used to collect consumer personal information;
  • Businesses must disclose the categories of personal information that will be sold to/shared with third-parties, as well as the categories of third-parties with whom such personal information will be shared/sold to; and
  • Businesses must provide consumers with the opportunity to exercise various rights and preferences (including opt out rights in multiple contexts).

Liability Under State Consumer Privacy Laws

Liability for violating these state privacy laws, including for having a non-compliant privacy policy, is significant, and may include private actions (for data breaches), as well as actions by state attorneys general. Given the complexity involved in ensuring full compliance with five separate laws, it is essential that businesses consult with experienced counsel now to ensure that privacy policies are compliant.

Similar blog posts:

Update On The CPRA Regulations

More Revisions To The Draft Rules Of The Colorado Privacy Act

The Latest On CPRA Regulations

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.