Written by Susan Kohn Ross, Lucy Holmes Plovnick, and Stacey Chuvaieva
Colorado, Connecticut, and Utah have enacted comprehensive state privacy laws that will become effective in 2023. The Colorado Privacy Act (“CPA”) and the Connecticut Data Privacy Act (“CTDPA”) both go into effect on July 1, 2023. The Utah Consumer Privacy Act (the “UCPA”) becomes effective on December 31, 2023. The UCPA, CTDPA, and CPA are generally in line with other states’ data privacy laws.
Applicability. The applicability of all three new laws depends upon (i) the number of consumers whose data a business processes annually; and (ii) whether the business derives revenues from the sale of personal data. In addition, the Utah law applies only to businesses that earn at least $25 million in annual revenue. Utah and Connecticut, but not Colorado, provide exceptions for defined nonprofit organizations. More specifically:
- Colorado’s CPA applies to a controller that conducts business in Colorado or that produces or delivers commercial products or services that are intentionally targeted to residents of Colorado; and that (1) processes data of at least 100,000 consumers annually; or (2) processes data of at least 25,000 consumers and derives revenue or receives a discount on goods or services from selling personal data.
- Connecticut’s CTDPA applies to persons that conduct business in Connecticut or persons that produce products or services targeted at Connecticut residents and (1) process data of at least 100,000 consumers (excluding solely for the purpose of payment transactions); or (2) process data of at least 25,000 consumers and derive at least 50% of gross revenues from selling personal data.
- Utah’s UCPA applies to any entity that conducts business in Utah, or produces products or services that are targeted to Utah residents; has $25 million in annual revenue; and satisfies one or more of the following thresholds: (1) annually controls or processes the personal data of at least 100,000 Utah customers, or (2) controls or processes the personal data of at least 25,000 Utah customers and derives over 50% of its gross revenue from the sale of personal data.
Consumer Rights. The new state privacy laws grant consumers rights of access, correction (except in Utah), deletion, and portability, as well as rights to opt out of targeted advertising, of the sale of personal information, and of profiling (except in Utah). Both Colorado and Connecticut also require data controllers to establish a process for a consumer to appeal the controller’s refusal to take action on consumer requests.
Obligations and Scope. The scope of all three laws is very similar. Unlike California’s CPRA, these new laws neither apply to employees or Business-to-Business (“B2B”) data nor provide for a private right of action. However, both Colorado and Connecticut address a universal opt-out mechanism, a/k/a Global Privacy Control (“GPC”). Under Colorado law, starting July 1, 2024, companies will be required to honor a universal opt-out mechanism allowing consumers to opt out of targeted advertising or sales. Likewise, Connecticut requires compliance with the universal opt-out, but permits companies to delay compliance until January 1, 2025.
2023 Privacy Landscape. In 2023, Virginia, Colorado, Utah, and Connecticut will join California as states with comprehensive privacy laws. Moreover, Massachusetts, Michigan, New Jersey, North Carolina, Ohio, and Pennsylvania have active consumer privacy bills under consideration. Privacy law promises to keep expanding in the coming year, so companies need to keep up with these changes and understand how they are affected.