Chatter regarding comprehensive U.S. state privacy law picked up steam once again as the calendar turned to 2023. State legislative sessions are ready to commence and questions are swirling about which states could make a run at, or ultimately pass, legislation.
However, the story of 2023 might be more about handling previously passed state laws. A compliance extravaganza kicked off Jan. 1, as the California Privacy Rights Act and the Virginia Consumer Data Protection Act took force. Laws in Colorado, Connecticut and Utah will also go live at different points in 2023.
“Jan. 1 was an important date for a number of reasons. But in many respects, we are only at the start of this process in the U.S.,” Husch Blackwell Partner David Stauss, CIPP/E, CIPP/US, CIPT, FIP, PLS, said. “As a privacy community, we need to agree to no longer have privacy laws go into effect on January 1. It just hurts. We’d all be better off with a date like Feb. 28.”
At a high level, states lumping together effective dates appears to favor companies and privacy professionals. Compliance efforts can be done in one shot, under one deadline. That’s easier said than done when each law carries its own nuances, which is the case with California and Virginia.
Convergence and divergence
The CPRA amends the existing California Consumer Privacy Act and hands enforcement power to the California Privacy Protection Agency. Changes to the original statute include a higher threshold for covered entities, a new category for sensitive personal information, enhanced children’s privacy provisions and expanded notification requirements. Notably, CPRA regulations are pending final approval ahead of July 1 enforcement.
Virginia’s law incorporates…
California delays CPRA regulations
The California Privacy Protection Agency (CPPA) was supposed to finalize new pri…