Ready or not, sweeping data protection laws are in the process of reshaping the landscape for consumer data and privacy rights in the United States starting this year. In fact, 2023 has already become a landmark year for privacy regulation.
Already adopted in various forms by five states (California, Colorado, Connecticut, Utah and Virginia with more states certainly to follow in the near future) these comprehensive new data privacy statutes were inspired by the “rights-based” approach to protecting personal information initiated by the European Union’s General Data Protection Regulation (GDPR), which took effect in 2018.
At their core, these statutes start with the basis that “individuals effectively own their personal information and thus presumptively have the legal right to control it, and who can use it is a matter for them to decide,” according to data privacy law expert Frederic D. Bellamy in a recent Reuters news agency article.
California led the way with adoption of the California Consumer Privacy Act of 2018 (CCPA), which gives Golden State residents more control over the personal information that businesses collect about them. Key provisions of the CCPA include:
- The right to know about the personal information a business collects about them and how it is used and shared.
- The right to delete personal information collected from them (with some exceptions).
- The right to opt-out of the sale or sharing of their personal information.
- The right to non-discrimination for exercising their CCPA rights.
In 2020, California voters approved an amendment to the CCPA that added the following additional privacy protections that began on January 1, 2023:
- The right to correct inaccurate personal information that a business has about them.
- The right to limit the use and disclosure of sensitive personal information collected about them.
Virginia became the second state to officially enact comprehensive consumer privacy legislation with the adoption of the Virginia Consumer Data Protection Act (VCDPA), which went into effect on January 1, 2023.
The VCDPA gives Old Dominion residents the right to access their personal data and request that it be deleted by businesses. However, note that there is an exception in the VCDPA for businesses that obtain such personal data from a source other than the consumer. The VCDPA also requires businesses to conduct data protection assessments related to processing personal data for targeted advertising and sales purposes.
States That Have Adopted Data Privacy Laws
| DATA PRIVACY REGULATION | EFFECTIVE DATE | KEY PROVISIONS | POTENTIAL FINES |
| California Consumer Privacy Act (CCPA) | January 1, 2023 | Applies to “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Excludes de-identified data, publicly available information and aggregate information. | Up to $7,500 Per Intentional Violation or $2,500 per Unintentional Violation |
| Colorado Privacy Act (CPA) | July 1, 2023 | Protects personal data, which is defined as “information that is linked or reasonably linkable to an identified or identifiable individual.” Excludes de-identified data and publicly available data. | Up to $20,000 Per Violation |
| Connecticut Data Privacy Act (CTDPA) | July 1, 2023 | Protects personal information, which is defined as any “information that is linked or reasonably linkable to an identified or identifiable individual.” Excludes de-identified data and publicly available data. | Up to $5,000 Per Violation |
| Utah Consumer Privacy Act (UCPA) | December 31, 2023 | Protects personal information, which is defined as “information that is linked or reasonably linkable to an identified or identifiable individual.” Excludes de-identified data and publicly available data. | Minimum Fine of $7,500 Per Violation |
| Virginia Consumer Data Protection Act (VCDPA) | January 1, 2023 | Protects personal information, which is defined as any “information that is linked or reasonably linkable to an identified or identifiable natural person.” Excludes de-identified data and publicly available data. | Up to $7,500 Per Violation |
Take Steps Now to Ensure Compliance with State Data Privacy Laws
If your business is already in compliance with the CCPA and/or GDPR (which offers the most stringent data protection requirements), then you most certainly will comply with most of the current and upcoming U.S. state privacy laws and regulations.
If not, then you need to move toward compliance to keep your business ahead of the game as new states move toward adopting their own data privacy regulations.
While each state’s regulations may vary, basic components you should consider include:
- Identify what personal data that your business collects and stores.
- Implement a privacy policy that thoroughly explains how, when, why and where you store your consumers’ data and make that privacy policy available on your website
- Provide an additional form and phone number on your website that connects consumers with individuals in your organization who have the direct responsibility to delete or alter their information.
- Train your employees on data privacy compliance.