Despite recent efforts on Capitol Hill over the summer, Congress has yet to bring a workable model for a national data privacy framework to a vote. Individual states continue to fill the void by responding to growing consumer expectations for greater privacy and control over their personal information. In 2023, four additional states (Colorado, Connecticut, Utah and Virginia) will join California in bringing comprehensive consumer privacy laws into effect. As state legislatures continue to define general data privacy rights, nationwide compliance has become increasingly complicated as many businesses are required to track diverging requirements across all states. The accompanying table is a quick reference guide that compares some of the key provisions of these emerging data privacy statutes.
California’s data privacy law – which first came online in 2018 – set out many of the operational, disclosure and consumer rights obligations that are found throughout all jurisdictions. California’s law is also the broadest in the application, as it is the only law that does not require an entity to control or process the personal data of at least 100,000 consumers to apply. Though additional compliance efforts are likely inevitable, overlapping provisions across all five jurisdictions will hopefully minimize the impact of these additional obligations for those entities that are already in compliance with California’s Consumer Privacy Act (CCPA).
However, businesses should be mindful of the areas where emerging privacy law diverges from California. For example, Virginia, Colorado and Connecticut require data controllers to provide consumers with the right to appeal a controller’s refusal to comply with a consumer’s request. Additionally, California law does not provide the right to opt out of targeted advertising or profiling like the other four jurisdictions. Finally, businesses should confirm they are prepared for the additional obligations brought on by the California Privacy Rights Act, which among other updates, removes CCPA’s exemption for employee data and the statute’s 30-day cure period.1
As California, Virginia, Colorado, Connecticut and Utah pass additional regulations or rules, Stradley Ronon will continue to monitor those developments. To download a current PDF of the reference table below, please click here.
* The attorneys thank Alexandra Romano for her assistance with this article. Stradley Ronon hosted Alexandra Romano as a 2022 summer associate in the firm’s Philadelphia, PA, office.