Despite recent efforts on Capitol Hill over the summer, Congress has yet to bring a workable model for a national data privacy framework to a vote. Individual states continue to fill the void by responding to growing consumer expectations for greater privacy and control over their personal information. In 2023, four additional states (Colorado, Connecticut, Utah and Virginia) will join California in bringing comprehensive consumer privacy laws into effect. As state legislatures continue to define general data privacy rights, nationwide compliance has become increasingly complicated as many businesses are required to track diverging requirements across all states. The accompanying table is a quick reference guide that compares some of the key provisions of these emerging data privacy statutes.
California’s data privacy law – which first came online in 2018 – set out many of the operational, disclosure and consumer rights obligations that are found throughout all jurisdictions. California’s law is also the broadest in the application, as it is the only law that does not require an entity to control or process the personal data of at least 100,000 consumers to apply. Though additional compliance efforts are likely inevitable, overlapping provisions across all five jurisdictions will hopefully minimize the impact of these additional obligations for those entities that are already in compliance with California’s Consumer Privacy Act (CCPA).
However, businesses should be mindful of the areas where emerging privacy law diverges from California. For example, Virginia, Colorado and Connecticut require data controllers to provide consumers with the right to appeal a controller’s refusal to comply with a consumer’s request. Additionally, California law does not provide the right to opt out of targeted advertising or profiling like the other four jurisdictions. Finally, businesses should confirm they are prepared for the additional obligations brought on by the California Privacy Rights Act, which among other updates, removes CCPA’s exemption for employee data and the statute’s 30-day cure period.1
As California, Virginia, Colorado, Connecticut and Utah pass additional regulations or rules, Stradley Ronon will continue to monitor those developments. To download a current PDF of the reference table, please click here.
* The attorneys thank Alexandra Romano for her assistance with this article. Stradley Ronon hosted Alexandra Romano as a 2022 summer associate in the firm’s Philadelphia, PA, office.
1 In addition, these states are continuing to refine the regulations by which they will implement their data privacy laws, and these efforts may lead to further points of divergence with existing California precedents.
Information contained in this publication should not be construed as legal advice or opinion or as a substitute for the advice of counsel. The articles by these authors may have first appeared in other publications. The content provided is for educational and informational purposes for the use of clients and others who may be interested in the subject matter. We recommend that readers seek specific advice from counsel about particular matters of interest.
Copyright © 2023 Stradley Ronon Stevens & Young, LLP. All rights reserved.