US Privacy Roundup: New State Laws Pass, CT & CO Enter Enforcement, CPRA Delayed
Privacy & Compliance | July 06, 2023
The enactment of the General Data Protection Regulation (GDPR) in Europe in 2018 and the California Consumer Privacy Act of 2018 (“CCPA”) started a tidal wave for state privacy laws in the United States. And in 2022, it seemed that the wave had reached a crescendo and the nation was on the verge of passing bipartisan federal privacy legislation as the American Data Privacy and Protection Act (ADPPA) passed through the House Energy and Commerce Committee with a 53-2 vote. Ultimately though, the ADPPA failed to advance to the House or Senate floors, as lawmakers failed to find agreement on the sticking points of the preemption of state law and enforcement.
In its place, the wave of new state-level privacy laws kept rolling through 2023. So far this year three state-level comprehensive privacy laws have entered enforcement in Virginia, Colorado, and Connecticut, and the California Privacy Rights Act (CPRA) has begun partial enforcement following a judicial delay of key provisions. Five other states–Tennessee, Texas, Montana, Indiana, and Iowa–have passed consumer privacy laws, and two more–Oregon and Delaware–have bills awaiting their governors’ signatures. And with six more laws currently introduced and under consideration in various state legislatures, it’s fair to say that more are on the way.
To say that 2023 has been a big year for US privacy law would be an understatement. To help you keep up with the multiple developments on the privacy front, we’ve put together this list of the key updates to US privacy law this year, with new laws, enforcement deadlines, and new technical requirements included.
For a more in-depth breakdown of state-level privacy laws, check out our new Comprehensive Guide to US Privacy Law for 2023, a free 46-page eBook that gives a comparison chart of all state-level privacy laws, as well as an in-depth breakdown of each law, the consumer rights and business requirements of each law, and best practices for compliance with the patchwork of US privacy laws.
What’s Coming: New Laws, Enforcement, and Technical Requirements
Throughout 2023, momentum for state-level privacy laws has hit an all-time high, and there’s no reason to believe that 2024 will be any different. Here are the key updates to US privacy law in 2023 and 2024:
The Virginia Consumer Data Privacy Act (VCDPA) is in effect and enforceable as of Jan. 1, 2023
The VCDPA adopted many of the provisions of the California Consumer Privacy Act (CCPA) but took a more limited scope and a softer approach to issues of enforcement. Unlike California’s law, the VCDPA does not permit consumers to sue companies for alleged breaches or violations; enforcement rests solely with the Virginia Attorney General. This has become the de facto enforcement model for state-level privacy, as every law enacted after the VCDPA has likewise assigned enforcement to its state’s Attorney General’s office. The law requires businesses to obtain opt-in consent for processing sensitive personal information and provides consumers with the right to access, correct, and delete their personal data. Fines can reach up to $7,500 per individual violation.
The Colorado Privacy Act (CPA) is in effect and enforceable as of July 1, 2023
The CPA gives Colorado consumers new rights patterned after the individual rights under GDPR, requires opt-in consent for sensitive data processing, and mandates data security and contract provisions for vendors and assessments for “high-risk” processing. Colorado’s law carries the highest penalties of any state-level data privacy law–up to $20,000 per violation. However, businesses have a cure period of 60 days for most violations. A “sunset” mechanism means two further changes automatically take effect in 2025: the removal of the cure period for fixing violations and the introduction of a “universal opt-out” mechanism for data sales.
Connecticut Data Privacy Act (CTDPA) is in effect and enforceable as of July 1, 2023
The CTDPA follows the blueprints of the VCDPA and CPA closely but includes a broad definition for the “sale of personal data,” which may be interpreted to forbid data sharing without consent. The law also requires affirmative opt-in consent for the processing of sensitive personal data. The CTDPA carries fines of up to $5,000 per violation and allows businesses a 60-day cure period to remediate violations once they are given notice by the office of the Attorney General. You can read more about the CTDPA in our recent blog post on the subject.
Enforcement of the California Privacy Rights Act (CPRA) has been delayed
On the eve of the July 1st enforcement deadline for the CPRA, a June 30th decision from the Sacramento County Superior Court delayed the enforcement of many CPRA regulations from July 1, 2023 to March 29, 2024. Enforcement of the rules regarding data processing agreements, consumer opt-out mechanisms, mandatory recognition of opt-out preference signals, dark patterns, and consumer request handling has been delayed. However, provisions that were complete at the time of the ballot initiative in 2020 are still enforceable as of July 1, 2023. Notably, that includes the loss of the cure period, which previously allowed businesses 30 days to mitigate violations before being fined. Learn how the CPRA compares to the CCPA.
The Utah Consumer Privacy Act (UCPA) will be effective and enforceable on Dec. 31, 2023
Utah’s law is similar to Colorado’s and Virginia’s but carries a much narrower scope–businesses must have an annual revenue of over $25,000,000 to be subject to the law–and fewer requirements for opt-out consent. The definition of “personal data” also serves to narrow the scope of applicability for the UCPA’s consent requirements. That definition specifically omits “de-identified data,” “publicly available information,” and “aggregated data,” resulting in a narrower scope than the CCPA, VCDPA, and CPA. The UCPA will be enforced by the Utah Attorney General’s office and carries fines of up to $7,500 per violation.
The Tennessee Information Protection Act (TIPA) was passed in April 2023 and is effective July 1, 2024
Tennessee passed the Tennessee Information Protection Act (TIPA) in April 2023, making the Volunteer State the fourth of five states to enact privacy legislation in 2023. Inspired by the Virginia Consumer Data Protection Act (VCDPA), TIPA shares key definitions, business obligations, and core consumer rights, such as requiring consent for processing sensitive personal data and offering opt-out options for data sales, targeted advertising, and significant profiling decisions. However, the TIPA has very narrow applicability and shares the same $25,000,000 revenue threshold as the UCPA. Fines for noncompliance can reach $7,500 per violation.
The Texas Data Privacy and Security Act (TDPSA) was passed in May 2023 and is effective July 1, 2024
The Texas Data Privacy and Security Act (TDPSA) was passed on May 28, 2023, making Texas the tenth state to pass data privacy legislation, and the fifth to do so in 2023. The law was modeled after Virginia’s VCDPA, with the goal of creating a law that would be largely exchangeable with other states’ privacy regulations. However, there are significant differences in the scope and application of the law. Unlike other states’ laws, the TDPSA does not use business revenue or volume of data to determine thresholds for applicability. Instead, the law is applicable to any business with more than 500 employees that does business in Texas or offers products or services consumed by Texas residents. The TDPSA includes expansive opt-out requirements and includes pseudonymous data in its “personal data” definition–a first amongst US state-level privacy laws. Noncompliance with the law can carry civil penalties of up to $7,500 per violation.
The Montana Consumer Data Privacy Act (MCDPA) was passed in May 2023 and is effective Oct. 1, 2024
Montana’s law aligns closely with the legislation passed in Virginia and Connecticut while incorporating some unique distinctions. This move reflects a trend, seen in states like Tennessee and Indiana, towards adopting more business-friendly data privacy frameworks as opposed to California’s more stringent regulations. The law does not put forth specific fines for violations and instead stipulates that the Montana Attorney General may file a lawsuit against perpetrators if no cure action is taken within 60 days of notice of a violation.
Iowa Consumer Data Privacy Act (ICDPA) passed March 2023, effective Jan. 1, 2025
Passed in March 2023, the Iowa Consumer Data Protection Act governs how businesses collect, use, and disclose the consumer data of Iowans. It’s designed to give consumers greater transparency and control over their personal data and is more business-friendly compared to some other states’ laws. Notably, the ICDPA does not give consumers the right to correct inaccurate personal information. The ICDPA provides for a tiered system of penalties for violations of the law, with a maximum penalty of $7,500 per violation. However, violators are granted a 90-day cure period to fix violations before they are fined.
Indiana Consumer Data Privacy Act (InCDPA) passed May 1, 2023, effective Jan. 1, 2026
The Indiana Consumer Data Protection Act (InCDPA) gives Indiana citizens substantial rights regarding their personal data, including the rights to access, correction, deletion, data portability, and opting out of data processing. Indiana’s law generally follows the opt-out consent model common to US laws. However, the law does require businesses to obtain affirmative express consent from consumers before processing sensitive data or engaging in the sale of personal data. The InCDPA stipulates a civil penalty of up to $7,500 for each violation of its provisions. Read more about the InCDPA here.
Oregon legislature passes privacy law
Oregon state legislature recently passed the Oregon Consumer Privacy Act (OCPA), which, if signed by Governor Tina Kotek, will make Oregon the eleventh state to pass comprehensive consumer privacy legislation. The OCPA would give Oregon residents the rights to know what personal data is collected about them and which third parties have access to that data, to correct inaccurate personal data, to request the deletion of personal data, and to opt out of the processing of personal data collected for the purposes of sale or targeted advertising. Notably, the OCPA’s definition of personal data includes pseudonymous identifiers such as cookies.
Delaware legislature passes privacy law
On June 30, 2023, the Delaware state legislature passed the Delaware Personal Data Privacy Act. If the bill is signed into law by Governor John Carney, Delaware will become the twelfth state to pass a consumer data privacy law. The rights and responsibilities put forth in Delaware’s bill closely mirror those in the CTDPA.
New universal opt-out requirements proliferate
Lawmakers have embraced the concept of a universal opt-out method (UOOM)–a browser or device setting or plugin that allows consumers to opt out of all data processing via a single action. California, Colorado, Connecticut, Montana, and Texas will all require data controllers to recognize and respect universal opt-outs by 2025. Read more about opt-out preference signals here.
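As an added illustration (not code from the original post), the following Python sketch shows how a site’s request handling can recognize a universal opt-out signal and suppress the processing it covers. It assumes the Global Privacy Control signal, which supporting browsers send as the request header `Sec-GPC: 1`; treating that signal as an opt-out of sale and targeted advertising is this example’s policy choice, and the tag catalog and consumer-preference inputs are constructed.

```python
# Added example, not from the original post. Assumes the Global Privacy
# Control (GPC) signal, sent by supporting browsers as the request header
# "Sec-GPC: 1"; mapping it to "sale" and "targeted_advertising" is this
# example's policy choice, not a reading of any statute.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Processing categories a universal opt-out signal is taken to cover here.
GPC_OPT_OUT_CATEGORIES = frozenset({"sale", "targeted_advertising"})

@dataclass(frozen=True)
class ProcessingDecision:
    gpc_present: bool      # request carried a valid Sec-GPC signal
    suppressed: frozenset  # processing categories that must not run
    source: str            # "gpc", "explicit", or "none"

def gpc_signal(headers: Dict[str, str]) -> bool:
    """True only when Sec-GPC is present with the exact value "1".
    Names match case-insensitively; "0", "true" or "" count as no signal."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False

def decide_processing(headers: Dict[str, str],
                      explicit_opt_outs: Optional[Iterable[str]] = None) -> ProcessingDecision:
    """Merge the browser signal with opt-outs recorded through the site's own
    preference mechanism; the signal adds opt-outs, never removes one."""
    explicit = frozenset(explicit_opt_outs or ())
    gpc = gpc_signal(headers)
    suppressed = explicit | (GPC_OPT_OUT_CATEGORIES if gpc else frozenset())
    source = "gpc" if gpc else ("explicit" if explicit else "none")
    return ProcessingDecision(gpc, suppressed, source)

def tags_to_load(decision: ProcessingDecision,
                 tag_catalog: Dict[str, Iterable[str]]) -> List[str]:
    """Third-party tags allowed to run: a tag is dropped when any processing
    category it performs is in the suppressed set."""
    return [tag for tag, cats in tag_catalog.items()
            if not set(cats) & decision.suppressed]

# Constructed sample tag catalog for a stand-alone run.
SAMPLE_TAGS = {
    "analytics": ["analytics"],
    "ad_network": ["targeted_advertising"],
    "data_broker_pixel": ["sale", "targeted_advertising"],
}

if __name__ == "__main__":
    d = decide_processing({"Host": "example.com", "Sec-GPC": "1"})
    print(d.source, tags_to_load(d, SAMPLE_TAGS))  # gpc ['analytics']
```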
Comparing State-Level Privacy Laws with The Comprehensive Guide to US Privacy Law
Without an overarching federal privacy law, each new state privacy law adds to the already complex patchwork of U.S. privacy regulation, creating a challenging compliance environment for businesses and privacy professionals operating in the US. In this environment, businesses must frequently reconsider their approach to compliance and privacy in light of new rights and requirements that may–or may not–align with existing privacy laws.
And, as more states enact privacy laws, not only are digital privacy best practices becoming the law, but transparency and privacy are also increasingly expected by consumers. To build trust, businesses must clearly and honestly communicate why they collect consumer data. Anything less could damage customer relationships. In fact, in a survey of 1,000 American consumers, 71% said they would stop doing business with a company if it gave away sensitive data without permission.
To succeed in such a complex compliance environment, organizations must be keenly aware of, and be able to operationalize, the varying requirements to achieve broad compliance while still meeting business goals.
To help, we’ve distilled complex privacy regulations across ten key US states into a digestible format–The Comprehensive Guide to US Privacy Law for 2023–providing you with a clear overview for comparing, prioritizing, understanding, and complying with these laws.
In this 46-page eBook, you’ll learn more about the differences between the CCPA, CPRA, CPA, CTDPA, InCDPA, ICDPA, MCDPA, TIPA, TDPSA, UCPA, and VCDPA, and how you can operationalize compliance with each law.
The eBook also includes a State Privacy Law Comparison Chart, which identifies 16 properties common among comprehensive privacy laws, broken into three categories: business requirements, consumer rights, and enforcement capabilities.
Get Compliant with CHEQ Privacy
State privacy laws are pressing new responsibilities—and penalties—on businesses and marketers. CHEQ Privacy offers organizations a solution to help build a fully compliant website and simplify compliance with Indiana’s law, as well as the UCPA, CTDPA, VCDPA, CCPA, CPA, GDPR, and any future privacy laws.
Request a demo to see how CHEQ can help your organization meet its compliance and consent management needs.