US State Privacy Laws Update: What Has Changed in 2023?

August 24, 2023

2023 has brought with it a host of changes to the privacy law landscape in the US. In this article, we share some brief but key points about the updates to US privacy law coming into effect this year and in the coming years.  

California  

One of the biggest updates in California privacy law comes from a recent Sacramento Superior Court ruling that the California Privacy Protection Agency (CPPA) cannot enforce certain regulations until March 29, 2024.  

The court ruled that the 12 (of 15) regulations implementing the California Privacy Rights Act (CPRA) and amending the California Consumer Privacy Act (CCPA) that were finalized on March 29, 2023 cannot be enforced until one year after they became final (so, March 29, 2024).

This means that these regulations are not enforceable until 2024. It does not mean that no privacy laws are enforceable in California until that date. The existing provisions of the CCPA are in effect and enforceable until the new CCPA regulations kick in in 2024.

The remaining three (of 15) regulations (which relate to cybersecurity audits, risk assessments, and automated decision-making) have not yet been finalized and, if this decision is not appealed by the CPPA, it is likely that they would adopt the view that these regulations aren’t going to be enforceable until one year after they are finalized.  

Virginia 

Virginia’s comprehensive privacy law came into effect on January 1, 2023. We covered the law in an earlier article.

Colorado and Connecticut 

Colorado and Connecticut’s consumer privacy laws came into effect on July 1.  

Both states’ privacy laws include a right to access, a right to correct, a right to delete, a right to portability, a right to opt out of certain automated decision-making, a transparency requirement, a risk assessment requirement, and processing limitations. (Broadly, the terms are not necessarily identical between the states.)

One major deviation in these laws from Californian law is that both states require businesses to request opt-in permissions from consumers before businesses can process sensitive data. In California, the mechanism is opt-out.  

Utah’s Privacy Law 

Utah’s comprehensive data privacy law comes into effect on December 31, 2023.  

The legislation draws heavily from Virginia’s privacy law and is not likely to add onerous considerations to businesses already (reasonably) compliant with California’s laws.  

Notably, Utah’s law does not contain a right to correct, right to opt-in for sensitive data processing, right against certain automated decision-making, a risk assessment requirement or a purpose limitation.  

2023 Privacy Laws in Texas, Montana, Tennessee, Iowa, Indiana, and Oregon 

Broadly, the privacy laws signed into law in 2023 all contain the following rights:  

  • Right to access; 
  • Right to delete (though the scope of this right can vary from one state to another);  
  • Right to opt out of processing for profiling or targeted advertising purposes (except Iowa); 
  • Right to portability; 
  • Right to opt out of sales; 
  • Right to opt-in for sensitive data processing (except Iowa);  
  • Right to opt out of certain automated decision-making;  
  • Risk assessment requirement (except Iowa);  
  • Privacy notice requirement; and  
  • Purpose limitations. 

Some Key Differences in the 2023 US State Privacy Laws 

  • Indiana’s and Iowa’s privacy laws do not include revenue thresholds like those in other US states. Instead, applicability is based on the volume of personal data controlled and processed (more than 100,000 consumers) or the volume (more than 25,000 consumers) where 50% of gross revenue is derived from data.
  • Businesses in Texas are covered by the law if they (1) operate in Texas or target Texas residents, and (2) process or engage in the sale of personal information, and (3) are not excluded as a small business. This is a different standard to other states.  
  • Transgender or nonbinary status is included in Oregon’s definition of sensitive data (and in Delaware’s – more on that below).  

A Note About The Delaware Privacy Law:  

Delaware passed a privacy law on June 30, 2023 and it is now pending Governor approval. If enacted, it contains similar protections to those in Colorado, Connecticut, and Oregon.  

As mentioned above, Delaware’s privacy law includes a broad definition of sensitive data, including pregnancy and status as nonbinary or transgender.  

Compliance with US State Laws 

For tailored guidance about your legal risk and compliance with the US state privacy laws, reach out. Our privacy attorneys would love to help.  

Disclaimer

The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.
