BlogLine

Five States Set to Expand Data Privacy Rights in 2023

1/4/23

By: Amy C. Bender

As the landscape of data privacy regulation is ever-changing, five U.S. state statutes (in California, Virginia, Colorado, Connecticut, and Utah), passed to enhance the privacy rights of consumers in their respective states, go into effect in the new year. Many of these laws share characteristics, such as granting robust rights to consumers relating to access and management of their personal data, clarifying notice at collection and other responsibilities of the entities that control or process this data, and providing regulatory enforcement mechanisms. Each  law is unique, however. Highlights of these laws are discussed below.

California Privacy Rights Act – effective January 1, 2023

This law amends and expands on the protections provided in the California Consumer Privacy Act, including the following:

• Creates two new rights of consumers: the right to correct inaccurate personal information and the right to limit use and disclosure of sensitive personal information.
• Creates a new subset of personal information, “sensitive personal information,” which is personal information that reveals data such as account or credit/debit card combined with an access code or password, precise geolocation, genetic data, ethnic origin, religious or philosophical beliefs, union membership, mail/email/text content, or license/passport/Social Security card number.
• Adds a fourth category, contractors, to the groups that must comply with privacy obligations, in addition to businesses, service providers, and third parties.
• Expands the content required to be included in notice by businesses to workers of collection of personal information, eliminating the CCPA carve-outs and expanding the obligation to HR and B2B-collected data.
• Prohibits businesses from discriminating or retaliating against workers for exercising data privacy rights.
• Extends rights of consumers to employees, applicants, and related individuals.

Enforcement of this law commences on July 1, 2023.

Virginia Consumer Data Protection – effective January 1, 2023

This new law allows consumers to request from a “controller” ( the party responsible for determining the purpose and means of processing personal data) to exercise the rights to:

• Confirm whether or not a controller is processing the consumer’s personal data and to access such personal data;
• Correct inaccuracies in the consumer’s personal data;
• Delete personal data;
• Obtain a copy of the consumer’s personal data; and
• Opt out of the processing of the personal data.

The law also prescribes responsibilities of data controllers, including limiting the type of data collected; not processing personal data for unnecessary purposes; establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices; not processing personal data in violation of non-discrimination laws; and not processing sensitive consumer data without the consumer’s consent. Controllers also must provide consumers comprehensive and clear privacy notices and conduct and document data protection assessments for certain processing activities involving personal data.

In contrast to California, the term “consumer” under Virginia’s law does not include employees.

Colorado Privacy Act – effective July 1, 2023

Colorado’s law also provides privacy rights to consumers and imposes obligations on data custodians. Specifically, the law:

• Provides consumers the rights to access, correct, and delete personal data and to opt out of the sale, collection, and use of personal data;
• Requires companies to safeguard personal data, to provide consumers clear and understandable information about how their personal data is used, and to conduct data protection assessments in the collection and use of personal data; and
• Authorizes the state’s Attorney General to evaluate companies’ data protection assessments and impose penalties for violations.

Like Virginia, the protections given to consumers in Colorado do not extend to employees.

Connecticut Act Concerning Personal Data Privacy and Online Monitoring (a/k/a Connecticut Data Privacy Act) – effective July 1, 2023

This Act gives Connecticut residents (again, excluding employees) the rights to:

• Access personal data that a controller has collected about them;
• Correct inaccuracies in their personal data;
• Delete their personal data;
• Obtain a copy of their personal data;
• Opt out of the sale, processing, or profiling of their personal data.

Controllers must, among other requirements:

• Provide consumers a clear and descriptive privacy notice;
• Limit data collection;
• Implement and maintain data security practices;
• Allow consumers to revoke consent;
• Provide a conspicuous link on their website enabling a consumer to opt out of targeted advertising or sale of their personal data; and
• Conduct and document data protection assessments.

Utah Consumer Privacy Act – effective December 31, 2023

Finally, under Utah’s law, which will not take effect until the end of the next year:

• Consumers have the rights to know what personal data a business collects and how it will be used and sold, to access and delete certain personal data, and to opt out of the collection and use of personal data for certain purposes;
• Certain businesses that control and process consumers’ personal data must safeguard that data, provide clear information to consumers regarding how their personal data is used, accept and comply with a consumer’s request to exercise their rights under the law, and delete or stop selling a consumer’s personal data upon request; and
• Enforcement mechanisms including a consumer complaint and investigation process, referral to the state’s Attorney General, payment of actual consumer damages and monetary penalties.

For more information on these laws, and for assistance with your organization’s compliance efforts, contact Amy Bender of FMG’s Data Security, Privacy & Technology Practice Section by email at abender@fmglaw.com.