Beginning in January 2023, three new state privacy laws (and their applicable regulations) come into effect. They largely follow in the footsteps of the California Consumer Privacy Act that took effect in 2018. The new laws represent the continuation of the United States' journey to a sophisticated privacy and data protection regime.

Not to be left out, the federal government has also trained its focus on privacy and data protection. Several federal agencies have used their rulemaking authority to implement new regulations that require a number of entities to implement privacy and security procedures.

Additionally, several other countries have taken steps towards implementing privacy and data protection laws and regulations.

STATE LAWS

New state privacy laws come into effect in 2023 in California, Colorado, and Virginia. The three new privacy and data protection laws build on the momentum that the California Consumer Privacy Act started (one of the new laws amends the existing California law) and mark a continuation of individual states' efforts to address consumer privacy and data protection concerns. The federal government, while taking action on the cybersecurity front, has largely shied away from taking action on omnibus privacy and data regulation. This has left the states to follow California's lead in passing their own.

 For an in-depth look at the various nuances and requirements under the three new state laws, please check out the Data Meets World website.

California

In 2020, California privacy interest groups were successful in getting a privacy referendum on the November ballot. The referendum consisted of overhauling and amending the existing California Consumer Privacy Act. On November 3, 2020, California voters approved the California Privacy Rights Act, with over 56% of voters supporting the measure. The California Privacy Rights Act takes effect on January 1, 2023.

 The main changes under the new law include: (1) the categorization and regulation of sensitive personal information; (2) the right for an individual to limit a business's use of sensitive personal information; (3) data minimization standards; (4) restrictions on the use of cookies for cross-contextual behavioural advertising; (5) annual cybersecurity review and audit requirements; (6) the creation of the California Privacy Protection Agency; and (7) the expansion of a limited private right of action.

Colorado

In July of 2021, the governor of Colorado officially signed the Colorado Privacy Act into law. The Colorado Privacy Act largely sets up a dynamic similar to Europe's GDPR where there are Controllers and Processors of personal information. Additionally, the new Colorado law is very similar in substance to the Virginia law below. The Colorado Privacy Act takes effect on January 1, 2023. The main provisions include: (1) individual rights, including the right to access, correction, and deletion; (2) the implementation of a "controller" and "processor" regime; (3) contractual standards and floors that must be met in controller and processor relationships; (4) opt-in consent requirements for the collection and processing of Sensitive Data; (5) risk assessment and audit requirements; and (6) individual opt-out rights for the selling of personal information, targeted advertising, and profiling in furtherance of legal (or similar) decisions.

Virginia

  In March of 2021 the governor of Virginia signed the Consumer Data Protection Act into law, making it only the second state at the time to have passed a comprehensive privacy and data protection law. Similar to the GDPR in Europe, the new Virginia law sets up a Controllers and Processors dynamic. Additionally, the new Virginia law is very similar in substance to the Colorado law above, which was passed after the Virginia law. The Consumer Data Protection Act takes effect on January 1, 2023.

The main provisions of the new law include: (1) individual rights, including the right to access, correction, and deletion; (2) the implementation of a "controller" and "processor" regime; (3) contractual standards and floors that must be met in controller and processor relationships; (4) opt-in consent requirements for the collection and processing of Sensitive Data; (5) risk assessment and audit requirements; and (6) individual opt-out rights from the selling of personal information, targeted advertising, and profiling in furtherance of legal (or similar) decisions.
