Five new U.S. state privacy laws go into effect in 2023. Virginia, Colorado, Connecticut, and Utah have followed California in enacting CCPA-like comprehensive consumer privacy legislation. Additionally, California's comprehensive consumer privacy law will receive a major overhaul on January 1, 2023. In the absence of a federal privacy law, businesses operating in the U.S. must quickly prepare for an evolving patchwork of privacy laws.
In this four-part video series, KO's data privacy and security team, which includes Chris Achatz, Erin Locker, Malia Rogers, and Sahara Williams, identifies key differences between the state laws, compares obligations to existing CCPA and EU GDPR frameworks, and provides best practices on how to develop or modify compliance programs. As businesses prepare for the rollout of the new laws, learn more about how these developments may impact your business in the first video of a four-part series.
Navigating an evolving patchwork of privacy laws
The California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, CCPA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and the Utah Consumer Privacy Act (UCPA) each govern "personal information" or "personal data", broadly defined as information that is linked or reasonably linkable to an individual, such as name, email, IP address, cookies, and device ID. These laws phase in throughout 2023 and, when read together, will become the de facto minimum privacy standard in the U.S.
To be subject to these new laws, businesses must annually process a certain volume of consumer data or, for some states, exceed certain annual revenue thresholds. Although the laws contain some sweeping exemptions, primarily for regulated industries (e.g., HIPAA or GLBA), these carveouts are not consistent across the laws. For example, Colorado's law is unique in that it encompasses non-profits and, beginning January 1, 2023, California's obligations will extend to human resources data (i.e., job applicants and employees) and data collected in a business-to-business context. The laws also differ significantly in their definitions and in their treatment of certain sensitive personal data.
Preparing for key changes under upcoming state privacy laws
In the first video of this four-part series, KO data privacy and security attorneys Chris Achatz and Malia Rogers discuss the threshold question of scope, including relevant entity- and data-level exemptions, compliance deadlines, and general obligations. Subsequent publications in this series will delve deeper into the topics discussed in this first video; specifically, practical guidance on updating privacy policies, operationalizing consumer access and deletion requests, and revising contract obligations with service providers and customers.
Viewers are eligible for one CLE credit by watching the video. Please contact Alex Melberg at firstname.lastname@example.org for the CLE code.
With compliance deadlines approaching as early as January 1, 2023, businesses are advised to assess application of these laws and make the necessary privacy compliance program updates.