We are not attorneys, nor do we play them on TV. The following is not meant to be taken as legal advice. Please use this information as part of your own information gathering process.
While the internet has been around for a generation, U.S. laws are still playing catch-up to protect citizens and consumers as technology continues to change the game. Here’s a glimpse at six privacy laws taking effect in 2023:
- The California Privacy Rights Act
- Virginia Consumer Data Protection Act
- Colorado Privacy Act
- Utah Consumer Privacy Act
- Connecticut SB6
- Quebec Bill 64
CPRA
Approved back in November of 2020, the California Privacy Rights Act (CPRA) is a consumer privacy law that goes into effect in 2023. It is the upgraded replacement to the California Consumer Privacy Act (CCPA) that went into effect in 2020.
According to Termageddon.com: “the CPRA applies to businesses that collect the personal information of residents of California and do business in California and that meet one of the following factors:
- Have annual gross revenue of more than $25,000,000;
- Derive 50% or more of its annual revenue from selling or sharing the personal information of California consumers; or
- Annually buy, sell or share the personal information of 100,000 or more California consumers or households.
Businesses that receive the personal information of residents of California from their clients may also need to comply with this law via contract, even if they do not meet the criteria listed above.”
What’s New?
CPRA has a more in-depth description for what needs to be disclosed in your privacy policy. It also specifies fines for violations involving minors under 16 years of age.
Virginia Consumer Data Protection Act
Signed into law in 2021, the Virginia Consumer Data Protection Act (VCDPA) is scheduled to go into effect in 2023. It was designed to give Virginia consumers more rights to their personal data. Privacy policies will need to include specifics if you are a business or person doing business in Virginia or that produce products or services targeted to Virginia residents and that meet one or more of specific.
The VCDPA is enforced by Virginia’s Attorney General. Persons or companies found to be in violation (example: not having a Privacy Policy) will have 30 days to resolve the violation. If they fail to cure the violation, they face fines of up to $7,500 per violation. A violation is counted per website visitor whose privacy rights were infringed upon, which could result in big-time fines real fast!
Colorado Privacy Act
Signed into law in July of 2021, the Colorado Privacy Act (SB190) is a privacy law written to protect the privacy of residents of Colorado. In order to provide privacy rights to residents of Colorado, the law requires certain websites to have a Privacy Policy. It will go into effect on July 1, 2023.
Much like the VCDPA, the Colorado Privacy Act has a period for remedying policy violations. Fines run up to $20k per violation or up to half a million dollars for a series of violations, but the period to remedy is longer, at 60 days. This leniency only lasts until January 1, 2025.
Utah Consumer Privacy Act
Utah was the sixth state to enact a comprehensive privacy law in March of 2022. The Utah Consumer Privacy Act provides new consumer privacy rights to residents of Utah and imposes various privacy obligations upon certain businesses. Although the law doesn’t go into effect until December 31, 2023, you can start preparations now to ensure compliance before the effective date.
What’s Different?
Unlike other privacy laws, the Utah Consumer Privacy Act exempts nonprofits, meaning that only for-profit businesses will need to comply.
Connecticut SB6
In May 2022, Connecticut joined the ranks of states passing their own privacy law with Connecticut SB6. The new law will go into effect on July 1, 2023. Like several of the other privacy laws mentioned here, Connecticut SB6 applies to persons that do business in Connecticut or that provide goods or services that are targeted towards residents of Connecticut. Even if these do not apply to you, you may also be required to be compliant if you’re serving as a contractor for a business that it does apply to.
Similar to the Utah Consumer Privacy Act, Connecticut SB6 does not apply to non-profit organizations.
Quebec Bill 64
If you’re participating in economic activity in Canada, you’ll need to look into Canada’s federal privacy bill, the Personal Information Protection and Electronic Documents Act (PIPEDA). It has been supplemented by the newest Quebec Bill 64, which is different in several ways. Since we focus primarily on brands doing business within the United States, we’re going to leave those details up to you.
What To Do
What you don’t know can hurt your business, so we recommend doing your own independent research and speaking with your business attorney. If you don’t already have one, putting a Privacy Policy in place that complies with any applicable laws is the obvious task at hand. Even if current laws don’t apply to you, we expect the future will bring many more in other states or areas. With hefty fines for violation, it seems best to take preventative measures.
Options for generating privacy policies include the following third-party providers. We don’t have a favorite, so you may want to consider doing your own search. Here are a few options to get you started:
Website Design & Development
We don’t specialize in business law, but we do try to keep up with changes that would affect the brands we work with. If you’re in need of an update to bring your website into compliance or to design and develop a new one, we would love to speak with you! You can contact us by filling out our form, or give us a call.
Sources we used to summarize this info: The 6 New Privacy Laws Coming in 2023 – What you Need to Know by Termageddon, Iubenda’s webinar, & U.S. State Privacy Laws in 2023