Privacy professionals who work for companies operating in the US should have a busy year. Throughout 2023, the following US state privacy laws take effect:
- January 1, 2023: California Privacy Rights Act (CPRA)
- January 1, 2023: Virginia Consumer Data Protection Act (VCDPA)
- July 1, 2023: Connecticut Data Privacy Act (CTDPA)
- July 1, 2023: Colorado Privacy Act (CPA)
- December 31, 2023: Utah Consumer Privacy Act (UCPA)
These laws share a lot in common. For example, they all impact online advertising and tracking, create new liabilities and regulatory risks, and give people new rights over their data.
But there are important differences between each of the five laws, including which types of businesses they cover.
→ Expert speakers will discuss “Privacy in Post-Roe USA: How the Dobbs Decision is Shaping Legislation, Regulation and Enforcement” at Last Thursday In Privacy (LTIP), a one-day event taking place on 26 January 2023 at 6pm (UK time).
This article will explore how each of 2023’s new US state privacy laws applies.
Before We Begin…
Before we look at how each of these US state privacy laws applies, it’s important to note that there are two things this article won’t cover.
Controllers vs. Processors
This article will only look at the types of entities to which the laws primarily apply, known variously as “businesses,” “data controllers,” or “controllers.”
For example, under the CPRA, a company must “determine the purposes and means” of processing Californians’ personal information to meet the definition of a “business”.
This, broadly, means that the business decides why and how to collect and use personal information—even if another company collects or uses the personal information on behalf of the business.
These types of companies are the main targets for rules, liability, and enforcement under each of these laws.
However, the laws also cover other types of entities, e.g., “service providers” or “processors” which operate on behalf of a business or controller.
Exemptions
All of these state laws are considered “comprehensive”—not restricted to a given sector or type of business activity. However, some businesses and types of data processing are exempt from each law, and the rules vary slightly in each case.
This article will focus only on the main applicability provisions—not the exemptions.
Common exemptions include nonprofits and businesses covered by other laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA).
California Privacy Rights Act (CPRA)
The California Privacy Rights Act (CPRA) amends the California Consumer Privacy Act (CCPA). The CPRA took effect on January 1, 2023 and has a “look back” over 2022.
In terms of its application, the CPRA is arguably the most complicated of the five laws explored in this article.
Here’s the law’s main provision on applicability, at Section 1798.140(d):
(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
(A) As of January 1, of the calendar year, had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year, as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households.
(C) Derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.
The first paragraph of this section of the CPRA establishes that a company must operate for profit and do business in California in order to be covered by the law.
The CPRA then sets out three thresholds. A business must meet at least one of these thresholds to be covered by the CPRA. The business must:
- Have gross annual revenues of over $25m, or
- Buy, sell, or share the personal information of at least 100,000 consumers or households, or
- Derive at least half of its annual revenues from selling or sharing personal information
The CPRA applies slightly more narrowly than the original CCPA, increasing the number of affected consumers required under the second threshold from 50,000 to 100,000. However, the threshold now applies to businesses “sharing” personal information, as well as those buying or selling it.
The CPRA also covers other entities that are “owned or controlled” by a business, plus joint ventures of which the business is a part. Businesses can also opt in by voluntarily certifying with the newly formed California Privacy Protection Agency (CPPA).
Virginia Consumer Data Protection Act (VCDPA)
The Virginia Consumer Data Protection Act (VCDPA) also took effect on January 1, 2023.
Section 59.1-572.A of the VCDPA states:
This chapter applies to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.
If a company does business (or targets consumers) in Virginia, only one of two thresholds must be met for the VCDPA to apply. The business must control or process the personal data of:
- At least 100,000 consumers per calendar year, or
- At least 25,000 consumers AND derive over 50 percent of gross revenue from the sale of personal data
Unlike in California, there is no “revenue” threshold under the VCDPA—regardless of their size, businesses will not be covered unless they meet the conditions above.
Connecticut Data Privacy Act (CTDPA)
The Connecticut Data Privacy Act (CTDPA) will take effect on July 1, 2023.
Section 2 of the CTDPA states:
The provisions of sections 1 to 11, inclusive, of this act apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state and that during the preceding calendar year: (1) Controlled or processed the personal data of not less than one hundred thousand consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) controlled or processed the personal data of not less than twenty-five thousand consumers and derived more than twenty-five per cent of their gross revenue from the sale of personal data.
The CTDPA applies in virtually the same way as Virginia’s law, with two exceptions.
First, the “population” threshold is the same—a business must control or process the personal data of 100,000 consumers per year—but there is a carve-out for businesses that only control or process this data for “completing a payment transaction.”
Second, the “sale-derived revenue” threshold (limb two) is lower (25% rather than 50%). So, to be covered by the CTDPA, a business must control or process the personal data of:
- At least 100,000 consumers per calendar year, or
- At least 25,000 consumers AND derive over 25 percent of gross revenue from the sale of personal data
This makes the CTDPA slightly more broadly applicable than Virginia’s law.
But as with Virginia’s privacy law, the CTDPA also contains no “revenue” threshold per se—the rules are the same for businesses of all sizes.
Colorado Privacy Act (CPA)
The Colorado Privacy Act (CPA) also takes effect on July 1, 2023. Section 6-1-1304 of the CPA states:
…this part 13 applies to a controller that:
(a) conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado; and
(b) satisfies one or both of the following thresholds:
(i) controls or processes the personal data of one hundred thousand consumers or more during a calendar year; or
(ii) derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of twenty-five thousand consumers or more.
As with Virginia and Connecticut, there’s no threshold for revenue size under the CPA. However, the applicability threshold is broader under the CPA than under those other two laws.
As with other states, businesses must process or control the personal data of a certain number of consumers before the CPA applies: 100,000 annually—or 25,000 annually if the business sells personal data.
But under the CPA, if a business processes or controls the personal data of at least 25,000 consumers, the law will apply if the business derives even one cent of revenue—or receives any discount on goods or services—from the sale of personal data.
This is unlike the “sale” threshold in other states, under which the business must derive a significant portion of its revenue from selling personal data (50% in California, Virginia, and Utah, 25% in Connecticut).
Utah Consumer Privacy Act (UCPA)
The Utah Consumer Privacy Act (UCPA) takes effect on December 31, 2023—New Year’s Eve. Section 13-61-102 of the UCPA states:
This chapter applies to any controller or processor who:
(a) (i) conducts business in the state; or
(ii) produces a product or service that is targeted to consumers who are residents of the state;
(b) has annual revenue of $25,000,000 or more; and
(c) satisfies one or more of the following thresholds:
(i) during a calendar year, controls or processes personal data of 100,000 or more consumers; or
(ii) derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
The UCPA has the narrowest applicability of the five laws on the list.
Only businesses with annual revenues of $25m or more are affected. Once this threshold is met, the second part of the test is identical to Virginia’s applicability rules (and to the “population” and “sale-derived revenue” limbs of California’s).
This is one of several factors that make the UCPA the most “business-friendly” state privacy law.
Last Thursday in Privacy
Last Thursday in Privacy is a GRC World Forums initiative that takes place on the last Thursday of the month to provide up to the minute information and advice to organisations regardless of where they are in the world.
This ‘Last Thursday in Privacy’ event will take place on January 26th 2023, as part of the international Data Privacy Week, and will be hosted on the GRC World Forums engagement hub.
Starting at 06:00 GMT, the format will include a mix of:
→ virtual classrooms,
→ online panel sessions,
→ pre-recorded presentations