Exercise more. Get organized. Learn a new skill. Comply with six new privacy laws.
That’s right. In case you didn’t have enough New Year’s Resolutions to choose from already, lawmakers have added half-a-dozen new ones for 2023 in the form of six new privacy laws.
If six new laws seem like a lot… That’s because it is.
Protecting a person’s online privacy has become a massive talking point for governments across the globe and this new batch of privacy laws is the latest proof of that.
So, what are these laws and how do they apply to you and your website? Glad you asked. Here’s a quick overview of the six privacy laws going into effect in 2023:
- The California Privacy Rights Act
- Virginia Consumer Data Protection Act
- Colorado Privacy Act
- Utah Consumer Privacy Act
- Connecticut SB6
- Quebec Law 25
Table of Contents
The California Privacy Rights Act
The California Privacy Rights Act (CPRA) is a consumer privacy law that was approved on November 3, 2020 and goes into effect in 2023.
The CPRA replaces and builds upon the California Consumer Privacy Act (CCPA) that went into effect in 2020 by adding additional privacy rights for Californians, including:
- Consumers’ right to correct inaccurate personal information
- Consumer’s right to opt out of the sharing of certain personal information
- Consumers’ right to receive the personal information in a portable and readily usable format
- Consumers’ right to transmit personal information to another entity
- Consumers’ right to limit the use and disclosure of sensitive personal information
- Expanded private right of action for breaches involving email accounts
Who does CPRA apply to?
The CPRA applies to businesses that collect the personal information of residents of California and do business in California and that meet one of the following factors:
- Have annual gross revenue of more than $25,000,000;
- Derive 50% or more of its annual revenue from selling or sharing the personal information of California consumers; or
- Annually buy, sell or share the personal information of 100,000 or more California consumers or households.
Businesses that receive the personal information of residents of California from their clients may also need to comply with this law via contract, even if they do not meet the criteria listed above.
- The personal information that you collect;
- Where you obtain this personal information from;
- How you use this personal information;
- Whether you sell the personal information that you collect. If you sell the personal information that you collect, you will need to disclose what personal information is sold and the categories of third parties to whom the personal information is sold;
- Whether you offer a financial incentive or price or service difference. If you do, you will need to disclose a description of the incentive or price or service difference as well as how individuals can opt in or opt out of the programs;
- A list of the privacy rights provided to residents of California;
- How an individual can exercise their privacy rights, including what information they will need to provide to you to confirm their identity and how to designate an authorized agent;
- How individuals can contact you for questions.
What are the penalties for failing to comply with CPRA?
One of the more notable provisions of the CPRA pertains to enforcement and penalties for noncompliance under the law. With respect to enforcement, the CRPA has established the “California Privacy Protection Agency,” a governmental agency that is responsible for the implementation and enforcement of the CRPA.
A notable change in comparison with the CCPA is the CPRA’s specification of fines for violations involving minor consumers under the age of 16. While each intentional violation of the CCPA may be penalized by up to $7,500, the CPRA provides that violations involving the PII of minors, intentional or unintentional, may also result in fines up to $7,500.
Virginia Consumer Data Protection Act
The Virginia Consumer Data Protection Act (VCDPA) was signed into law in 2021 and is scheduled to go into effect in 2023.
The law is designed to give Virginia consumers the following privacy rights:
- To confirm whether the consumer’s personal data is processed and to access such personal data
- To correct inaccuracies in the consumer’s personal data
- To delete the consumer’s personal data
- To obtain a copy of the consumer’s personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller
- To opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling
Who does VCDPA apply to?
The law applies to persons that do business in Virginia or that produce products or services that are targeted to Virginia residents and that meet one or more of the following factors:
- During a calendar year, control or process the personal data of at least 100,000 Virginia residents
- Control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data
While at first glance, the law may seem to apply to larger businesses only, VCDPA defines “personal data” as “any information that is linked or is reasonably linkable to an identified or identifiable natural person.” Thus, if your website gets quite a few form submissions each year, you can easily meet this threshold. In addition, you may also be required to comply with this law if you are a vendor for a larger company that does meet the above thresholds.
- The categories of personal data processed
- The purposes of processing the personal data
- How consumers can exercise their privacy rights, including how a consumer can appeal your decision regarding their request
- The categories of personal data that you share with third parties, if any
- Whether you sell personal data or process personal data for targeted advertising, as well as how the consumer can opt out of such processing
- One or more secure and reliable means for consumers to submit a request to exercise their privacy rights
How will VCDPA be enforced?
Read more about VCDPA
Colorado Privacy Act
As with the other privacy laws, businesses do not need to be located in Colorado for this law to apply. The Colorado Privacy Act applies to controllers (persons that determine the purposes for and means of processing personal data) of personal data that:
Who does the Colorado Privacy Act apply to?
- Conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted towards residents of Colorado; and
- Satisfies one of the following thresholds:
- Controls or processes the personal data of 100,000 or more Colorado consumers during a calendar year; or
- Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 or more Colorado consumers.
If you do not meet the thresholds above, it is important to note that the Act requires controllers to ensure that processors of personal data adhere to the requirements of the Act. Thus, if you are processing the data on behalf of a client that is subject to the Act, you may be required, via contract, to meet the obligations of this law even if it does not apply to you via statute.
- The categories of personal data collected or processed;
- The purposes for which the categories of personal data are processed;
- How and where consumers may exercise their privacy rights, including the controller’s contact information and how a consumer may appeal a controller’s action with regard to the consumer’s request;
- The categories of personal data that are shared with third parties, if any;
- The categories of third parties, if any, with whom the personal data is shared; and
How will be the Colorado Privacy Act enforced?
Once it goes into effect on July 1, 2023, the Colorado Privacy Act will be enforced by the Colorado Attorney General and Colorado District Attorneys. Non-compliance with the law is considered a deceptive trade practice, which can result in penalties of up to $20,000 per violation up to $500,000 for a series of violations. The Act does provide for a 60 day curing period but this period will be available only until January 1, 2025.
Utah Consumer Privacy Act
Who does the Utah Consumer Privacy Act apply to?
The Utah Consumer Privacy Act applies to anyone collecting the personal data of Utah residents that does business in Utah or that produce a product or service that is targeted to consumers that are located in Utah and that meet one or more of the following criteria:
- Has annual revenue of $25,000,000 or more; and
- Meets one of the following thresholds:
- During a calendar year, controls or processes the personal data of 100,000 or more Utah residents; or
- Derives 50% or more of its annual gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more Utah consumers.
The Utah Consumer Privacy Act exempts nonprofits, meaning that only for-profit businesses will need to comply with this law.
- The categories of personal data that you process;
- The purposes for which you process that personal data;
- How consumers can exercise their privacy rights;
- The categories of personal data that you share with third parties, if any;
- The categories of third parties, if any, with whom you share personal data;
- If you sell personal data or engage in targeted advertising, the manner in which consumers may opt out of such use or sales.
How will the Utah Consumer Privacy Act be enforced?
The Utah Consumer Privacy Act will go into effect on December 31, 2023 and will be enforced by the Utah Attorney General. Like other privacy laws, this law imposes heavy penalties for non-compliance, up to $7,500 per violation. In this case, per violation means per website visitor whose privacy rights you infringed upon, meaning that the penalties can compound to a hefty fine.
On May 11, 2022, Connecticut joined the ranks of California, Utah, Colorado, Virginia, Nevada, and Delaware by passing its own privacy law, Connecticut SB6. This new law will go into effect on July 1, 2023.
Who needs to comply with Connecticut SB6?
Connecticut SB6 applies to persons that do business in Connecticut or that provide goods or services that are targeted towards residents of Connecticut and that during the previous year:
- Controlled or processes the personal data of 100,000 or more Connecticut residents; or
- Controlled or processed the personal data of 25,000 or more residents of Connecticut and derived more than 25% of their gross revenue from the sale of personal data.
It is important to note that first, this law does not apply to nonprofit organizations and second, if the law does not apply to you, you may still need to comply with its requirements by contract if you work with larger companies that do need to comply.
- The categories of personal data processed by the business;
- The purposes for which personal data is processed;
- One or more secure and reliable means for consumers to exercise their privacy rights, including how to appeal a decision that was made with regard to a privacy rights request;
- The categories of personal data that are shared with third parties, if any;
- The categories of third parties, if any, with which personal data is shared;
- An active email address that a consumer may use to contact the business;
What are the penalties for failing to comply with Connecticut SB6?
The Attorney General of Connecticut will have exclusive authority to enforce this new law. Until December 31, 2024, companies will have the right to cure alleged violations of the law. Once the right to cure expires, the Attorney General may bring enforcement actions against companies that fail to comply.
Quebec Law 25
After much debate regarding whether Canada’s federal privacy bill, the Personal Information Protection and Electronic Documents Act (PIPEDA), offers sufficient privacy protections for consumers, Quebec passed a new privacy law, Quebec Law 25 (previously Bill 64).
Who does Quebec Law 25 apply to?
Quebec’s Law 25 applies to persons who collect, hold, use or share personal information in the course of carrying on an enterprise within the meaning of Article 1525 of the Civil Code. Article 1525 of the Civil Code defines “enterprise” as “the carrying on by one or more persons of an organized economic activity, whether or not it is commercial in nature, consisting of producing, administering or alienating property, or providing a service.” This new law will apply to anyone participating in an economic activity, even if that activity is not commercial, meaning that nonprofit organizations will need to comply with this law, as well as for-profit organizations.
The fact that nonprofit organizations will need to comply with Quebec’s new privacy law is an important difference to PIPEDA, which generally applies to organizations that engage in commercial activity. While this means that nonprofit organizations are generally exempt from PIPEDA, they could be subject to PIPEDA if they engage in commercial activities such as the selling, bartering, or leasing of donor lists.
Quebec’s Law 25 also diverges from PIPEDA by requiring the following disclosures to be made in Privacy Policies:
- The purposes for which personal information is being collected;
- The means through which the personal information is being collected;
- The right of access, portability, and rectification of personal information;
- The person’s right to withdraw consent to the communication or use of the personal information collected;
- How privacy rights requests can be sent to the organization;
- If personal information will be used for automated decision making, that fact must be disclosed;
- The possibility that the personal information may be communicated outside of Quebec;
- The title and contact information of the person in charge of the personal information.
How will Quebec Law 25 be enforced?
Perhaps the biggest and most important difference between PIPEDA and Quebec’s Law 25 is enforcement. Under Quebec’s new privacy law, if an individual has a complaint, the individual can make a complaint to Quebec’s Commission. If the individual is not happy with the resolution of the complaint, they can appeal to the Court of Quebec. The administrative penalties for failure to comply are also steep – a maximum of CAD $50,000 in case of an individual violating the law or a maximum of CAD $10,000,000 or, if greater, 2% of the worldwide turnover for the preceding fiscal year in case of an organization violating the law. Lastly, Quebec’s Law 25 even allows the prosecutor to institute penal proceedings for violations of the law.
So, what now?
If you’re already a Termageddon customer, congratulations! Your website policies will be updated for these new privacy laws if they apply to you.
That’s because we are constantly monitoring these laws (and others) to identify any changes that need to be made to the policies of our clients. Once we’ve identified these changes, we automatically update them via the Termageddon-provided embed code on your website. All changes are made before laws go into effect.
If new privacy laws require us to get additional information about your business, we will email you a few questions to ensure your policies are updated accordingly.
If you’re not a Termageddon user and this is all a bit overwhelming, don’t feel bad. Privacy laws don’t usually make for intriguing water-cooler talk at the office or small-talk at a party (trust us).