September 26, 2022

Volume XII, Number 269

Advertisement

September 26, 2022

Subscribe to Latest Legal News and Analysis

Are You Ready for 2023? New Privacy Laws To Take Effect Next Year

Five new state omnibus privacy laws have been passed and will go into effect in 2023. Organizations should review their privacy practices and prepare for compliance with these new privacy laws.

What’s Happening?

While the US currently does not have a federal omnibus privacy law, states are beginning to pass privacy laws to address the processing of personal data. While California is the first state with an omnibus privacy law, it has now updated its law, and four additional states have joined in passing privacy legislation: Colorado, Connecticut, Utah, and Virginia. Read below to find out if the respective new laws will apply to your organization.  

Which Organizations Must Comply?

The respective privacy laws will apply to organizations that meet particular thresholds. Notably, while most of the laws apply to for-profit businesses, we note that the Colorado Privacy Act also applies to non-profits. There are additional scope and exemptions to consider, but we provide a list of the applicable thresholds below.

The California Privacy Rights Act (CPRA) – Effective January 1, 2023

The CPRA applies to for-profit businesses that do business in California and meet any of the following:

  1. Have a gross annual revenue of over $25 million;

  2. Buy, receive, or sell the personal data of 100,000 or more California residents or households; or

  3. Derive 50% or more of their annual revenue from selling or sharing California residents’ personal data.

Virginia Consumer Data Protection Act (CDPA) – Effective January 1, 2023

The CDPA applies to businesses in Virginia, or businesses that produce products or services that are targeted to residents of Virginia, and that:

  1. During a calendar year, control or process the personal data of at least 100,000 Virginia residents, or 

  2. Control or process personal data of at least 25,000 Virginia residents and derive over 50% of gross revenue from the sale of personal data. 

Colorado Privacy Act (CPA) – Effective July 1, 2023

The CPA applies to organizations that conduct business in Colorado or produce or deliver commercial products or services targeted to residents of Colorado and satisfy one of the following thresholds:

  1. Control or process the personal data of 100,000 Colorado residents or more during a calendar year, or 

  2. Derive revenue or receive a discount on the price of goods or services from the sale of personal data, and process or control the personal data of 25,000 Colorado residents or more.

Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTPDA) – Effective July 1, 2023

The CTPDA applies to any business that conducts business in the state, or produces a product or service targeted to residents of the state, and meets one of the following thresholds:

  1. During a calendar year, controls or processes personal data of 100,000 or more Connecticut residents, or 

  2. Derives over 25% of gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more Connecticut residents.

Utah Consumer Privacy Act (UCPA) – Effective December 31, 2023

The UCPA applies to any business that conducts business in the state, or produces a product or service targeted to residents of the state, has annual revenue of $25,000,000 or more, and meets one of the following thresholds:

  1. During a calendar year, controls or processes personal data of 100,000 or more Utah residents, or 

  2. Derives over 50% of the gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more Utah residents.

The Takeaway 

Organizations that fall under the scope of these respective new privacy laws should review and prepare their privacy programs. The list of updates may involve:

  • Making updates to privacy policies,

  • Implementing data subject request procedures, 

  • How your business is handling AdTech, marketing, and cookies,

  • Reviewing and updating data processing agreements,

  • Reviewing data security standards, and 

  • Providing training for employees.  

© 2022 ArentFox Schiff LLPNational Law Review, Volume XII, Number 220
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Eva J. Pulliam Attorney Brand Protection Arent Fox Schiff Washington DC
Partner

Eva splits her time between Washington and San Francisco and concentrates her practice on brand protection: protecting data, brand image, and brand names. She advises clients across numerous industries on best practices in the areas of data privacy, advertising and marketing, and trademark. Household names, tech giants and startups, non-profits, and other innovative organizations call on Eva to guide them through product development and brand management. 

In the privacy space, Eva counsels clients around data collection, use, and transfer, as...

202-857-6323
Christine Chong Privacy Attorney ArentFox Schiff San Francisco
Associate

As an Associate on the privacy, cybersecurity, and data protection team, Christine helps clients with regulatory compliance, data breach response, technology transactions, vendor contracting, marketing initiatives, and external and internal-facing policies. Her clients include international consumer products, e-commerce, manufacturing, data analytics services, retail and technology businesses, and not-for-profit organizations. 

Christine regularly advises on ethical data use, machine learning and artificial intelligence, vendor contracting, and...

415-757-5517
Destiny Planter Attorney Copyright Law ArentFox Schiff Washington DC
Associate

Prior to joining ArentFox Schiff, Destiny was awarded the Frances Phillips Fellowship. She used this opportunity to work with the African Network for the Prevention and Protection against Child Abuse and Neglect and volunteer in orphanages in Kenya and Ghana. She then joined the Carolina College Advising Corps at Ben L. Smith High School in Greensboro, North Carolina, where she worked to increase the rates of college enrollment and completion among low-income, first-generation college and underrepresented high school students.

While in law...

202-857-6077
Advertisement
Advertisement
Advertisement