6 New Privacy Laws Introduced in 2023
Introduction
It's important to be aware of privacy laws that are coming into effect in the next few years. The California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (CDPA), Colorado Privacy Act (HB21-1231), Utah Consumer Privacy Act (SB220) and Quebec Bill 64 all codify the California Consumer Privacy Act, but each piece of legislation presents challenges to organizations due to its differences. Organizations looking to comply with more than one of these laws should scrutinize both the differences and similarities in the laws to ensure they are not caught off guard by differing requirements between jurisdictions.
Background
The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2020. The CCPA applies to all covered businesses that have customers in California. The CCPA requires covered businesses to disclose their privacy practices and obtain consent from customers before collecting personal information—including names, location data, payment information and more—about their users.
The six new laws are:
California Privacy Rights Act
The California Privacy Rights Act, or CPRA, is a new law that will go into effect on January 1st of 2023. The CPRA applies to any company that collects data on Californians without their consent and implements the following requirements:
- Companies must clearly state what data they collect and how it will be used.
- Companies must get opt-in consent from consumers before collecting personal information from them and provide notice about how long such information will be kept by the company.
- Consumers have the right to request access to all of their personal data collected by a business in order for them to review it and delete any information they do not want shared with third parties (like advertisers).
The CPRA also allows consumers who believe that an online party violated this law to bring a civil action against them for damages up to $100 per violation plus attorney's fees, which can add up quickly depending on how many violations there are!
The CPRA applies to businesses that collect the personal information of residents of California and do business in California and that meet one of the following factors:
- Have annual gross revenue of more than $25,000,000;
- Derive 50% or more of their annual revenue from selling or sharing the personal information of California consumers; or
- Annually buy, sell or share the personal information of 100,000 or more California consumers or households.
The Privacy Policy will need to make the following disclosures:
- The personal information that you collect;
- Where you obtain this personal information from;
- How you use this personal information;
- Whether you share the personal information that you collect. If you do share the personal information that you collect, your Privacy Policy will need to provide what personal information is shared, the categories of third parties with whom the personal information is shared, and why that information is shared with those third parties;
- Whether you sell the personal information that you collect. If you sell the personal information that you collect, you will need to disclose what personal information is sold and the categories of third parties to whom the personal information is sold;
- Whether you offer a financial incentive or price or service difference. If you do, you will need to disclose a description of the incentive or price or service difference as well as how individuals can opt in or opt out of the programs;
- A list of the privacy rights provided to residents of California;
- How an individual can exercise their privacy rights, including what information they will need to provide to you to confirm their identity and how to designate an authorized agent;
- How individuals can contact you for questions.
Colorado Privacy Act
The Colorado Privacy Act is an attempt to respond to the California Consumer Privacy Act, which was passed in June 2018. The law applies to personal information of residents of Colorado, including names and contact information, financial details, biometric data like fingerprints or DNA profiles, digital photos used by law enforcement agencies, healthcare data and even social media passwords. It also applies to businesses that collect this type of data—as well as those who use it for marketing purposes—and requires them not only to disclose what they’re doing with your data but also to give you the option not to be tracked by third parties.
The act contains some key differences from its Californian counterpart: For example, it exempts companies from disclosing what they do with “non-sensitive” information (such as your name) if you opt out from tracking on their site or app; and it gives consumers more time (18 months instead of 15 days) before any changes made by companies will be legally binding on them.
Connecticut Senate Bill 6
This law, which takes effect in 2024, requires businesses to notify customers of security breaches. It also requires the business to provide a free service that protects customer data and allows users to download a copy of the data the business collects on them. The law also requires businesses to have a data retention policy so that they can dispose of sensitive information when it’s no longer needed.
Quebec Bill 64
Bill 64 is a new law that will require businesses to provide consumers with the right to access their personal information and have it corrected if it is inaccurate. This means that if you've been denied a credit card because of your age, or been unfairly charged higher insurance premiums because of gender, this Bill would allow you to request your personal data from the business and correct it if necessary. In other words: Quebec has made an effort to ensure that everyone can benefit from privacy legislation while simultaneously ensuring they're protected by it as well.
Virginia Consumer Data Protection Act
You may have heard about the California Consumer Privacy Act (CCPA). It was the first of its kind and was passed in 2018. At this point, it’s pretty much a given that you’re going to see more states following suit with their own laws in the next few years, so it’s important that we understand what they are and how they work.
Virginia has been on the front lines of data privacy legislation for some time now—taking after California, New Jersey and Oregon—and has recently introduced its own version of a consumer data protection act: the Virginia Consumer Data Protection Act (VCDP). This new law will go into effect on July 1st, 2023.
Utah Consumer Privacy Act
- What is the Utah Consumer Privacy Act?
The Utah Consumer Privacy Act, also known as SB261 (for the name of its sponsor), is a new law that goes into effect on Jan. 1, 2023. It will require companies to provide users with more information about their data collection practices and allow consumers to opt out of certain uses of their data.
- How does it differ from other privacy laws?
While some states have already passed legislation that restricts how organizations use consumer data, it's likely that the Utah law will be among the most stringent in terms of scope and impact on businesses. Unlike similar laws in other states that apply only to organizations doing business within their borders or collecting personal information on state residents (such as California's CCPA), this new law applies broadly, requiring all businesses—regardless of where they're located—to comply with its requirements if they collect personal information from any individuals who reside in Utah.
- What are the implications for organizations that do business in Utah?
Organizations that do business both within and outside of Utah should begin preparing now for compliance with these new requirements by reviewing their existing policies related to customer privacy practices; drafting new ones; updating contracts with vendors handling sensitive customer information; training employees about these changes; and launching an advertising campaign so customers know what’s coming next year.
- What are the implications for organizations not currently doing business in America but collecting data from Americans?
It's important to be aware of privacy laws that are coming into effect in the next few years.
Privacy laws are important for keeping your information private. They protect your personal data, like your name and address, from being shared without your consent. Privacy laws also make sure that websites don't use cookies to track you without your permission.
If you're curious about what privacy laws are coming into effect in the next few years, there are several good resources to help keep you up-to-date. For example, Privacy International publishes a report every year that describes all the new privacy laws coming into effect around the world (you can get a free copy here). The European Union has also published an annual report on its progress towards greater protection of data privacy rights since 1995 (this one covers 2018). You can read more about how these reports work at their website: [link].
The CPRA, CDPA, COPA, UPCA, and SB6 codify the California Consumer Privacy Act, but each piece of legislation presents challenges to organizations due to its differences. Organizations looking to comply with more than one of these laws should scrutinize both the differences and similarities in the laws to ensure they are not caught off guard by differing requirements between jurisdictions.
The CPRA, CDPA, COPA, UPCA, and SB6 codify the California Consumer Privacy Act (CCPA). The CCPA is a privacy law that protects consumers' personal information by requiring organizations to provide notice of their data practices and give customers control over their own data. These new laws are intended to clarify how organizations should handle consumer data in order to comply with the CCPA's requirements.
Unfortunately for organizations looking to comply with more than one of these laws or any other regulation regarding consumer privacy rights, each piece of legislation presents challenges due to its differences. Organizations looking to comply with more than one of these laws should scrutinize both the differences and similarities in the laws' requirements in order to ensure they are not caught off guard by differing requirements between jurisdictions.
Conclusion
The CPRA, CDPA, COPA and SB6 are similar in many ways. They all require companies to give consumers access to their personal data and control over how that information is used by third parties. However, each law has its own unique language and requirements, which may create challenges for organizations looking to comply with more than one of these laws. Organizations should be aware of these differences so they can take action now and are not caught off guard later by differing requirements between jurisdictions.