Throughout 2022 and into 2023, state regulation of data privacy continued its rapid expansion. In 2022, companies prepared for new comprehensive privacy laws in California and Virginia. Three more laws have or will come into effect in 2023, and at least seven more will follow over the next two years. Meanwhile, legislation on specific issues, including children’s privacy and health privacy, continues to expand.
Expansion of Privacy Rights in Virginia and California
The Virginia Consumer Data Protection Act (VCDPA) took effect on Jan. 1, 2023, providing consumers in the state with comprehensive data privacy rights (including access to personal data, deletion, correction, opting out of targeted advertising, and consent to process sensitive data). Meanwhile, the California Privacy Rights Act (CPRA) amendments to the California Consumer Privacy Act (CCPA), which also took effect on Jan. 1, expanded the CCPA’s rights to California employees, job applicants and business contacts. The CPRA also created new rights for California residents, including the right to opt out of “sharing” of personal information for cross-context behavioral advertising, the right to correct inaccurate personal information, and the right to limit certain uses and disclosures of sensitive personal information. You can read more about these changes here.
But the CPRA was not the only California privacy law to grab headlines in 2022. On Sept. 15, 2022, Gov. Gavin Newsom signed into law the California Age-Appropriate Design Code Act (AADC), which will take effect on July 1, 2024. Inspired by (though not identical to) a similar law in the United Kingdom, the AADC seeks to promote online safety and privacy for children under 18 years of age by requiring covered businesses to complete a data protection impact assessment and potentially change the ways in which their services interact with minors online.
The AADC is currently subject to a legal challenge by a consortium of online businesses alleging that it improperly restrains free speech, among other issues. Unless this lawsuit is successful, any business that meets the revenue or data-collection thresholds created by the CCPA and that “provides an online service, product[] or feature likely to be accessed by children” will need to either adopt age-assurance techniques to prevent access by underage users or make the service compliant for users of all ages. Among other rules, the AADC requires covered businesses to configure default settings to a high level of privacy protection; avoid collecting, selling, sharing or retaining personal information unless it is needed to provide a service with which a child is actively and knowingly engaged; and avoid all uses of personal information that may be “materially detrimental to the physical health, mental health or well-being of a child.” More information on the AADC can be found here.
Colorado, Connecticut, and Utah
Following close on the heels of the amended CCPA and the VCDPA, two comprehensive privacy laws came into effect on July 1 of this year – the Colorado Privacy Act (CPA) and the Connecticut Data Privacy Act (CTDPA). Utah’s law will come into effect on Dec. 31. Inspired primarily by the CCPA and the E.U. General Data Protection Regulation, the CPA and the CTDPA extend data privacy rights to consumers in their respective states, including the right to access, right to delete, right to correct, right to appeal and right to opt out of targeted advertising. Utah’s law is similar, though slightly different– for example, consumers in Utah are not provided with a right to correct or to appeal. Although these laws share common goals of consumer protection, greater transparency, increased control over personal data and limiting targeted advertising, there are significant differences among them related to, for example, the right to opt out of profiling, recognition of automated browser signals, and data protection impact assessments.
State Legislatures Pass New Privacy Laws at an Unprecedented Rate
Since Jan. 1, state legislatures have passed eight additional comprehensive privacy laws, seven of which have been signed into law at the time of this blog post. Thus, by Jan. 1, 2026, consumers in California, Colorado, Connecticut, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah and Virginia (and likely Delaware) will be covered under a comprehensive privacy law. Several bills proposing similar laws remain pending in other states. Meanwhile, still other states – including Washington – have passed or are considering health-focused privacy laws that may be nearly as broad in their applicability as the comprehensive privacy laws.
Although many of the laws share common features and include a somewhat standard slate of data privacy rights (including deletion, correction, access and various opt-outs), state-specific requirements and the sheer number of new laws mean that remaining in compliance will require ongoing attention to new rules. The proliferation of laws also further emphasizes the potential benefits of a federal privacy law that could preempt this patchwork of requirements. However, with 40 percent of the U.S. population slated to be covered by a state privacy law by 2026, some members of Congress may feel that the states are adequately regulating personal data. Regardless of what happens at the federal level, businesses must stay vigilant in order to comply with the rapid expansion of data privacy regulations.
[View source.]
