The 6 new privacy laws coming in 2023: What you need to know


Donata Stroink-Skillrud

Co-founder and President of Termageddon

Exercise more. Get organized. Learn a new skill. Comply with six new privacy laws.

That’s right. In case you didn’t have enough New Year’s Resolutions to choose from already, lawmakers have added half-a-dozen new ones for 2023 in the form of six new privacy laws. 

If six new laws seems like a lot, that’s because it is.

Protecting a person’s online privacy has become a massive talking point for governments across the globe and this new batch of privacy laws is the latest proof of that.

So, what are these laws and how do they apply to you and your website? Glad you asked. Here’s a quick overview of the six privacy laws going into effect in 2023:

  • The California Privacy Rights Act
  • Virginia Consumer Data Protection Act
  • Colorado Privacy Act
  • Utah Consumer Privacy Act
  • Connecticut SB6
  • Quebec Law 25

The California Privacy Rights Act 

The California Privacy Rights Act (CPRA) is a consumer privacy law that was approved on November 3, 2020 and goes into effect in 2023.

The CPRA replaces and builds upon the California Consumer Privacy Act (CCPA) that went into effect in 2020 by adding additional privacy rights for Californians, including:

  • Consumers’ right to correct inaccurate personal information
  • Consumers’ right to opt out of the sharing of certain personal information
  • Consumers’ right to receive the personal information in a portable and readily usable format
  • Consumers’ right to transmit personal information to another entity
  • Consumers’ right to limit the use and disclosure of sensitive personal information
  • Expanded private right of action for breaches involving email accounts

Who does CPRA apply to?

The CPRA applies to businesses that collect the personal information of residents of California and do business in California and that meet one of the following factors: 

  1. Have annual gross revenue of more than $25,000,000; 
  2. Derive 50% or more of their annual revenue from selling or sharing the personal information of California consumers; or
  3. Annually buy, sell or share the personal information of 100,000 or more California consumers or households.

Businesses that receive the personal information of residents of California from their clients may also need to comply with this law via contract, even if they do not meet the criteria listed above. 

What disclosures will my Privacy Policy need to include?

If the CPRA applies to you, your Privacy Policy will need to make the following disclosures: 

  1. The personal information that you collect; 
  2. Where you obtain this personal information from; 
  3. How you use this personal information; 
  4. Whether you share the personal information that you collect. If you do share the personal information that you collect, your Privacy Policy will need to provide what personal information is shared, the categories of third parties with whom the personal information is shared, and why that information is shared with those third parties; 
  5. Whether you sell the personal information that you collect. If you sell the personal information that you collect, you will need to disclose what personal information is sold and the categories of third parties to whom the personal information is sold; 
  6. Whether you offer a financial incentive or price or service difference. If you do, you will need to disclose a description of the incentive or price or service difference as well as how individuals can opt in or opt out of the programs; 
  7. A list of the privacy rights provided to residents of California; 
  8. How an individual can exercise their privacy rights, including what information they will need to provide to you to confirm their identity and how to designate an authorized agent; 
  9. How individuals can contact you for questions. 

What are the penalties for failing to comply with CPRA?

One of the more notable provisions of the CPRA pertains to enforcement and penalties for noncompliance under the law. With respect to enforcement, the CPRA has established the “California Privacy Protection Agency,” a governmental agency that is responsible for the implementation and enforcement of the CPRA.

A notable change in comparison with the CCPA is the CPRA’s specification of fines for violations involving minor consumers under the age of 16. While each intentional violation of the CCPA may be penalized by up to $7,500, the CPRA provides that violations involving the PII of minors, intentional or unintentional, may also result in fines up to $7,500. 

Virginia Consumer Data Protection Act

The Virginia Consumer Data Protection Act (VCDPA) was signed into law in 2021 and is scheduled to go into effect in 2023.

The law is designed to give Virginia consumers the following privacy rights:

  • To confirm whether the consumer’s personal data is processed and to access such personal data
  • To correct inaccuracies in the consumer’s personal data
  • To delete the consumer’s personal data
  • To obtain a copy of the consumer’s personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller
  • To opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling

Who does VCDPA apply to?

The law applies to persons that do business in Virginia or that produce products or services that are targeted to Virginia residents and that meet one or more of the following factors:

  • During a calendar year, control or process the personal data of at least 100,000 Virginia residents
  • Control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data

While at first glance, the law may seem to apply to larger businesses only, VCDPA defines “personal data” as “any information that is linked or is reasonably linkable to an identified or identifiable natural person.” Thus, if your website gets quite a few form submissions each year, you can easily meet this threshold. In addition, you may also be required to comply with this law if you are a vendor for a larger company that does meet the above thresholds.

What are VCDPA Privacy Policy requirements?

Similar to other privacy laws, VCDPA requires businesses to have an accessible, clear, and meaningful Privacy Policy that includes the following disclosures:

  • The categories of personal data processed
  • The purposes of processing the personal data
  • How consumers can exercise their privacy rights, including how a consumer can appeal your decision regarding their request
  • The categories of personal data that you share with third parties, if any
  • Whether you sell personal data or process personal data for targeted advertising, as well as how the consumer can opt out of such processing
  • One or more secure and reliable means for consumers to submit a request to exercise their privacy rights

How will VCDPA be enforced? 

The Virginia Consumer Data Protection Act is enforced by Virginia’s Attorney General. Upon the finding of a violation (e.g. not having a Privacy Policy), a company would have 30 days to cure the violation. Failure to cure would allow the Attorney General to issue fines of up to $7,500 per violation. In this case, “per violation” would mean per website visitor from Virginia whose privacy rights were infringed upon, meaning that fines could quickly add up to large sums.


Colorado Privacy Act

The Colorado Privacy Act (SB190) is a privacy law that was signed into law on July 8, 2021 to protect the privacy of residents of Colorado. The law achieves this goal by providing privacy rights to residents of Colorado, requiring certain websites to have a Privacy Policy and imposing heavy fines for failure to comply. This law will go into effect on July 1, 2023.

Who does the Colorado Privacy Act apply to?

As with the other privacy laws, businesses do not need to be located in Colorado for this law to apply. The Colorado Privacy Act applies to controllers (persons that determine the purposes for and means of processing personal data) of personal data that:

  • Conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted towards residents of Colorado; and
  • Satisfy one of the following thresholds:
    • Controls or processes the personal data of 100,000 or more Colorado consumers during a calendar year; or
    • Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 or more Colorado consumers.

If you do not meet the thresholds above, it is important to note that the Act requires controllers to ensure that processors of personal data adhere to the requirements of the Act. Thus, if you are processing the data on behalf of a client that is subject to the Act, you may be required, via contract, to meet the obligations of this law even if it does not apply to you via statute.

What are the Colorado Privacy Act Privacy Policy requirements?

If the Colorado Privacy Act applies to you, you will need to update your Privacy Policy to include the following information:

  • The categories of personal data collected or processed;
  • The purposes for which the categories of personal data are processed;
  • How and where consumers may exercise their privacy rights, including the controller’s contact information and how a consumer may appeal a controller’s action with regard to the consumer’s request;
  • The categories of personal data that are shared with third parties, if any;
  • The categories of third parties, if any, with whom the personal data is shared; and
  • If personal data is sold to third parties or processed for targeted advertising, then the Privacy Policy must disclose such sale or processing, as well as the manner in which a consumer may exercise the right to opt out of the sale or processing.

How will the Colorado Privacy Act be enforced?

Once it goes into effect on July 1, 2023, the Colorado Privacy Act will be enforced by the Colorado Attorney General and Colorado District Attorneys. Non-compliance with the law is considered a deceptive trade practice, which can result in penalties of up to $20,000 per violation, and up to $500,000 for a series of violations. The Act does provide for a 60-day cure period, but this period will be available only until January 1, 2025.

Utah Consumer Privacy Act

On March 25, 2022, Utah became the sixth state to enact a comprehensive privacy law, the Utah Consumer Privacy Act. This law provides new consumer privacy rights to residents of Utah and imposes various privacy obligations upon certain businesses, such as the requirement to have a comprehensive Privacy Policy. This law goes into effect on December 31, 2023, and businesses that need to comply with this law should start preparations now to ensure that they are ready before the effective date.

Who does the Utah Consumer Privacy Act apply to?

The Utah Consumer Privacy Act applies to anyone who collects the personal data of Utah residents, does business in Utah or produces a product or service that is targeted to consumers located in Utah, and meets both of the following criteria:

  • Has annual revenue of $25,000,000 or more; and
  • Meets one of the following thresholds:
    • During a calendar year, controls or processes the personal data of 100,000 or more Utah residents; or
    • Derives 50% or more of its annual gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more Utah consumers.

The Utah Consumer Privacy Act exempts nonprofits, meaning that only for-profit businesses will need to comply with this law.

What are Privacy Policy requirements for the Utah Consumer Privacy Act?

If this law applies to you, you will be required to post a Privacy Policy that includes the following disclosures:

  • The categories of personal data that you process;
  • The purposes for which you process that personal data;
  • How consumers can exercise their privacy rights;
  • The categories of personal data that you share with third parties, if any;
  • The categories of third parties, if any, with whom you share personal data;
  • If you sell personal data or engage in targeted advertising, the manner in which consumers may opt out of such use or sales.

How will the Utah Consumer Privacy Act be enforced?

The Utah Consumer Privacy Act will go into effect on December 31, 2023 and will be enforced by the Utah Attorney General. Like other privacy laws, this law imposes heavy penalties for non-compliance, up to $7,500 per violation. In this case, per violation means per website visitor whose privacy rights you infringed upon, meaning that the penalties can compound to a hefty fine.

Connecticut SB6

On May 11, 2022, Connecticut joined the ranks of California, Utah, Colorado, Virginia, Nevada, and Delaware by passing its own privacy law, Connecticut SB6. This new law will go into effect on July 1, 2023.

Who needs to comply with Connecticut SB6? 

Connecticut SB6 applies to persons that do business in Connecticut or that provide goods or services that are targeted towards residents of Connecticut and that during the previous year:

  • Controlled or processed the personal data of 100,000 or more Connecticut residents; or
  • Controlled or processed the personal data of 25,000 or more residents of Connecticut and derived more than 25% of their gross revenue from the sale of personal data.

It is important to note that first, this law does not apply to nonprofit organizations and second, if the law does not apply to you, you may still need to comply with its requirements by contract if you work with larger companies that do need to comply.

What are Connecticut SB6 Privacy Policy requirements?

Connecticut SB6 requires businesses to display a Privacy Policy that contains the following disclosures:

  • The categories of personal data processed by the business;
  • The purposes for which personal data is processed;
  • One or more secure and reliable means for consumers to exercise their privacy rights, including how to appeal a decision that was made with regard to a privacy rights request;
  • The categories of personal data that are shared with third parties, if any;
  • The categories of third parties, if any, with which personal data is shared;
  • An active email address that a consumer may use to contact the business;
  • If a business sells personal data or processes it for targeted advertisements, the Privacy Policy must disclose this fact, as well as how consumers can opt out of such uses.

Companies will not only need to have a Privacy Policy that has the disclosures above, but will also need to provide a clear and conspicuous link to the Privacy Policy on their websites.

What are the penalties for failing to comply with Connecticut SB6?

The Attorney General of Connecticut will have exclusive authority to enforce this new law. Until December 31, 2024, companies will have the right to cure alleged violations of the law. Once the right to cure expires, the Attorney General may bring enforcement actions against companies that fail to comply.

Quebec Law 25

After much debate regarding whether Canada’s federal privacy bill, the Personal Information Protection and Electronic Documents Act (PIPEDA), offers sufficient privacy protections for consumers, Quebec passed a new privacy law, Quebec Law 25 (previously Bill 64).

Although Quebec already had a privacy law, the Act Respecting the Protection of Personal Information in the Private Sector, Canada’s legislature considered that law to be substantially similar to PIPEDA. In fact, the Privacy Policy disclosures that were required to be made, the privacy rights offered to individuals, and the enforcement mechanisms of both laws were essentially the same. However, Quebec Law 25 introduces quite a few changes that set it apart from PIPEDA.

Who does Quebec Law 25 apply to?

Quebec’s Law 25 applies to persons who collect, hold, use or share personal information in the course of carrying on an enterprise within the meaning of Article 1525 of the Civil Code. Article 1525 of the Civil Code defines “enterprise” as “the carrying on by one or more persons of an organized economic activity, whether or not it is commercial in nature, consisting of producing, administering or alienating property, or providing a service.” This new law will apply to anyone participating in an economic activity, even if that activity is not commercial, meaning that nonprofit organizations will need to comply with this law, as well as for-profit organizations. 

The fact that nonprofit organizations will need to comply with Quebec’s new privacy law is an important difference from PIPEDA, which generally applies to organizations that engage in commercial activity. While this means that nonprofit organizations are generally exempt from PIPEDA, they could be subject to PIPEDA if they engage in commercial activities such as the selling, bartering, or leasing of donor lists.

What Privacy Policy disclosures are required by Quebec Law 25?

Quebec’s Law 25 also diverges from PIPEDA by requiring the following disclosures to be made in Privacy Policies: 

  • The purposes for which personal information is being collected;
  • The means through which the personal information is being collected; 
  • The right of access, portability, and rectification of personal information; 
  • The person’s right to withdraw consent to the communication or use of the personal information collected;
  • How privacy rights requests can be sent to the organization;
  • If personal information is collected using technology that allows the person to be identified, located and profiled, the Privacy Policy must inform the person of the use of such technology and of the means available, if any, to deactivate the functions that allow the person to be identified, located, or profiled;
  • If personal information will be used for automated decision making, that fact must be disclosed;
  • The possibility that the personal information may be communicated outside of Quebec;
  • The title and contact information of the person in charge of the personal information.

In contrast, PIPEDA does not require Privacy Policies to disclose whether the personal information will be used for automated decision making, nor how users can deactivate functions that allow a person to be identified, located, or profiled. These Privacy Policy changes mean that organizations that need to comply with Quebec’s Law 25 will need to update their Privacy Policies prior to the law going into effect in September 2023.

How will Quebec Law 25 be enforced?

Perhaps the biggest and most important difference between PIPEDA and Quebec’s Law 25 is enforcement. Under Quebec’s new privacy law, if an individual has a complaint, the individual can make a complaint to Quebec’s Commission. If the individual is not happy with the resolution of the complaint, they can appeal to the Court of Quebec. The administrative penalties for failure to comply are also steep: a maximum of CAD $50,000 where an individual violates the law, and, where an organization violates the law, a maximum of CAD $10,000,000 or, if greater, 2% of the worldwide turnover for the preceding fiscal year. Lastly, Quebec’s Law 25 even allows the prosecutor to institute penal proceedings for violations of the law.

So, what now? 

If you’re already a Termageddon customer, congratulations! Your website policies will be updated for these new privacy laws if they apply to you.

That’s because we are constantly monitoring these laws (and others) to identify any changes that need to be made to the policies of our clients. Once we’ve identified these changes, we automatically update them via the Termageddon-provided embed code on your website. All changes are made before laws go into effect.

If new privacy laws require us to get additional information about your business, we will email you a few questions to ensure your policies are updated accordingly.

If you’re not a Termageddon user and this is all a bit overwhelming, don’t feel bad. Privacy laws don’t usually make for intriguing water-cooler talk at the office or small-talk at a party (trust us).

That being said, privacy laws aren’t going away. So if you’d like to have a proven plan for keeping your policies up to date at an affordable cost, check out the Termageddon Privacy Policy Generator.

About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.
