What's On the Horizon: 2023 State and Federal Data Privacy Legislation

January 27, 2023

By: Amber L. Lawyer and Maureen H. Milmoe

The United States is gearing up for another noteworthy year in data privacy and cybersecurity. 2023 will likely be a year of transition as certain data privacy laws come into effect. As concerns around data protection and cybersecurity continue to persist, we expect more state and federal legislative action. Along with enhanced legislation, data privacy enforcement and regulatory action will likely increase in the U.S. throughout the year.

1. New Data Privacy Laws

Five states now have comprehensive consumer privacy laws: California (CCPA and CPRA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA) and Virginia (VCDPA). As discussed below, more than 30 other states have also considered data privacy legislation, and a few will likely pass in the next year.

As of Jan. 1, 2023, consumers have new rights afforded by the California Privacy Rights Act (CPRA), which is a recent amendment to the California Consumer Privacy Act of 2018 (CCPA). These include the right to correct inaccurate personal information that a business has about them and the right to limit the use and disclosure of sensitive personal information collected about them. Beginning July 1, 2023, the California Privacy Protection Agency will be enforcing the CCPA through administrative enforcement actions. For more information on CCPA and CPRA, you can read our blog post here.

Taking effect on July 1, 2023, the Colorado Privacy Act (CPA) provides protections for personal data held by entities that do business in Colorado or target Colorado residents. Notably, covered entities include profit and nonprofit businesses that qualify for CPA compliance. Currently, the Colorado Attorney General has released two drafts of the proposed CPA rules and has a formal rulemaking hearing scheduled for later this year. We expect formal CPA rules will be finalized within the next few months. For more information on CPA, you can read our blog post here.

Beginning on July 1, 2023, under the Connecticut Data Privacy Act (CTDPA), Connecticut residents will have certain rights over their personal data and covered entities will have new responsibilities and privacy protection standards. Notably, the CTDPA requires covered entities to ask for consent before processing data from a Connecticut resident under the age of 18. For more information on CTDPA, you can read our blog post here.

Late this year, on Dec. 31, 2023, the Utah Consumer Privacy Act (UCPA) will take effect. Unlike other state laws, the UCPA applies only to companies with annual revenue of at least $25 million, among other criteria. While the scope of the UCPA is narrower compared to other state privacy laws, future amendments are a possibility. For more information on UCPA, you can read our blog post here.

As of Jan. 1, 2023, Virginia enacted the Virginia Consumer Data Protection Act (VCDPA). A comprehensive consumer data privacy law modeled on the CCPA, the VCDPA provides protections for personal data held by entities that do business in Virginia or target Virginia residents. For more information on VCDPA, you can read our blog post here.

2. Proposed Data Privacy Laws

Nine states have already proposed new comprehensive consumer privacy laws: Iowa, Indiana, Kentucky, Massachusetts, Mississippi, New Jersey, New York, Oklahoma, Oregon and Tennessee. While it remains to be seen if these proposed bills will be enacted, these laws could create an array of new consumer privacy rights and business obligations.

Similar to the five new data privacy laws, the proposed legislation will require many companies to reassess their collection and use of personal information and modify their business practices accordingly. We continue to stay informed on the changing state privacy landscape and will update our guidance to you as new data privacy legislation is enacted.

3. Expected Federal Legislative Action

A patchwork of state privacy laws has prompted federal legislators to propose the American Data Privacy and Protection Act (ADPPA), aiming to provide a uniform approach to data privacy. The ADPPA is largely consistent with the framework of various state privacy laws, as well as the European Union's General Data Protection Regulation (GDPR). Similarities include numerous individual privacy rights, including rights to access, delete and correct data, as well as the right to data portability.

Although the ADPPA has yet to pass, the bill has pushed the U.S. closer to enacting a federal data privacy law. Due to federal legislators' increased interest in data privacy, regardless of whether the ADPPA passes, there's a strong likelihood of a comprehensive federal privacy bill passing soon.

For more information or guidance concerning any of the topics above, please contact Amber Lawyer, CIPP/US & CIPP/E, Maureen Milmoe or any Bond attorneys in the cybersecurity and data privacy practice.