2023 has brought with it a host of changes to the privacy law landscape in the US. In this article, we share some brief but key points about the updates to US privacy law coming into effect this year and in the coming years.
US State Privacy Laws Update: What Has Changed in 2023?
California
One of the biggest updates in California privacy law comes from a recent Sacramento Superior Court ruling that the California Privacy Protection Agency (CPPA) cannot enforce certain regulations until March 29, 2024.
The court ruled that the 12 (of 15) regulations implementing the California Privacy Rights Act (CPRA) and amending the California Consumer Privacy Act (CCPA) that were finalized on March 29, 2023, cannot be enforced until one year after they became final (so, March 29, 2024).
This means that these regulations are not enforceable until 2024. It does not mean that no privacy laws are enforceable in California until that date. The existing provisions of the CCPA are in effect and enforceable until the new CCPA regulations kick in in 2024.
The remaining three (of 15) regulations (which relate to cybersecurity audits, risk assessments, and automated decision-making) have not yet been finalized. If this decision is not appealed by the CPPA, it is likely that they would adopt the view that these regulations aren’t going to be enforceable until one year after they are finalized.
Virginia
Virginia’s comprehensive privacy law came into effect on January 1, 2023. We covered the law in an earlier article, which you can read here.
Colorado and Connecticut
Colorado and Connecticut’s consumer privacy laws came into effect on July 1.
Both states’ privacy laws include a right to access, a right to correct, a right to delete, a right to portability, a right to opt out of certain automated decision-making, a transparency requirement, a risk assessment requirement, and processing limitations. (This is a broad summary; the terms are not necessarily identical between the states.)
One major deviation in these laws from Californian law is that both states require businesses to request opt-in permissions from consumers before businesses can process sensitive data. In California, the mechanism is opt-out.
Utah’s Privacy Law
Utah’s comprehensive data privacy law comes into effect on December 31, 2023.
The legislation draws heavily from Virginia’s privacy law and is not likely to add onerous considerations to businesses already (reasonably) compliant with California’s laws.
Notably, Utah’s law does not contain a right to correct, a right to opt in for sensitive data processing, a right against certain automated decision-making, a risk assessment requirement, or a purpose limitation.
2023 Privacy Laws in Texas, Montana, Tennessee, Iowa, Indiana, and Oregon
Broadly, the privacy laws signed into law in 2023 all contain the following rights:
- Right to access;
- Right to delete (though the scope of this right can vary from one state to another);
- Right to opt out of processing for profiling or targeted advertising purposes (except Iowa);
- Right to portability;
- Right to opt out of sales;
- Right to opt in for sensitive data processing (except Iowa);
- Right to opt out of certain automated decision-making;
- Risk assessment requirement (except Iowa);
- Privacy notice requirement; and
- Purpose limitations.
Some Key Differences in the 2023 US State Privacy Laws
- Indiana’s and Iowa’s privacy laws do not include any revenue thresholds, like other US states. Instead, applicability is based on the volume of personal data controlled and processed (more than 100,000 consumers), or on a lower volume (more than 25,000 consumers) where 50% of gross revenue is derived from data.
- Businesses in Texas are covered by the law if they (1) operate in Texas or target Texas residents, (2) process or engage in the sale of personal information, and (3) are not excluded as a small business. This is a different standard from that of other states.
- Transgender or nonbinary status is included in Oregon’s definition of sensitive data (and in Delaware’s – more on that below).
A Note About The Delaware Privacy Law:
Delaware passed a privacy law on June 30, 2023, and it is now pending the Governor’s approval. If enacted, it contains similar protections to those in Colorado, Connecticut, and Oregon.
As mentioned above, Delaware’s privacy law includes a broad definition of sensitive data, including pregnancy and status as nonbinary or transgender.
Compliance with US State Laws
For tailored guidance about your legal risk and compliance with the US state privacy laws, reach out. Our privacy attorneys would love to help.