While the US currently does not have a federal omnibus privacy law, states are beginning to pass privacy laws to address the processing of personal data. While California is the first state with an omnibus privacy law, it has now updated its law, and four additional states have joined in passing privacy legislation: Colorado, Connecticut, Utah, and Virginia. Read below to find out if the respective new laws will apply to your organization.
Which Organizations Must Comply?
The respective privacy laws will apply to organizations that meet particular thresholds. Notably, while most of the laws apply to for-profit businesses, we note that the Colorado Privacy Act also applies to non-profits. There are additional scope and exemptions to consider, but we provide a list of the applicable thresholds below.
The California Privacy Rights Act (CPRA) – Effective January 1, 2023
The CPRA applies to for-profit businesses that do business in California and meet any of the following:
- Have a gross annual revenue of over $25 million;
- Buy, receive, or sell the personal data of 100,000 or more California residents or households; or
- Derive 50% or more of their annual revenue from selling or sharing California residents’ personal data.
Virginia Consumer Data Protection Act (CDPA) – Effective January 1, 2023
The CDPA applies to businesses in Virginia, or businesses that produce products or services that are targeted to residents of Virginia, and that:
- During a calendar year, control or process the personal data of at least 100,000 Virginia residents, or
- Control or process personal data of at least 25,000 Virginia residents and derive over 50% of gross revenue from the sale of personal data.
Colorado Privacy Act (CPA) – Effective July 1, 2023
The CPA applies to organizations that conduct business in Colorado or produce or deliver commercial products or services targeted to residents of Colorado and satisfy one of the following thresholds:
- Control or process the personal data of 100,000 Colorado residents or more during a calendar year, or
- Derive revenue or receive a discount on the price of goods or services from the sale of personal data, and process or control the personal data of 25,000 Colorado residents or more.
Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTPDA) – Effective July 1, 2023
The CTPDA applies to any business that conducts business in the state, or produces a product or service targeted to residents of the state, and meets one of the following thresholds:
- During a calendar year, controls or processes personal data of 100,000 or more Connecticut residents, or
- Derives over 25% of gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more Connecticut residents.
Utah Consumer Privacy Act (UCPA) – Effective December 31, 2023
The UCPA applies to any business that conducts business in the state, or produces a product or service targeted to residents of the state, has annual revenue of $25,000,000 or more, and meets one of the following thresholds:
- During a calendar year, controls or processes personal data of 100,000 or more Utah residents, or
- Derives over 50% of the gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more Utah residents.
Organizations that fall under the scope of these respective new privacy laws should review and prepare their privacy programs. The list of updates may involve:
- Making updates to privacy policies,
- Implementing data subject request procedures,
- How your business is handling AdTech, marketing, and cookies,
- Reviewing and updating data processing agreements,
- Reviewing data security standards, and
- Providing training for employees.