If you work in the privacy industry in the United States, it’s going to be a busy year for you. Throughout 2023, several new state privacy laws will come into effect, including the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCPDA), the Connecticut Data Privacy Act (CTDPA), the Colorado Privacy Act (CPA), and the Utah Consumer Privacy (UCPA) law. 

While all of these laws share many similarities, including their impact on online advertising and tracking, they also have some important differences, including which types of businesses they cover.

 If you have any further questions or concerns, please do not hesitate to reach out.

The CPRA, which amends the California Consumer Privacy Act (CCPA), is the most complicated of the five laws. Businesses that must comply with the CPRA must operate for profit and do business in California. They must also meet at least one of three thresholds, including having gross annual revenues of over $25 million, buying, selling, or sharing the personal information of at least 100,000 consumers or households, or deriving at least half of their annual revenues from selling or sharing personal information. The CPRA covers other entities that are “owned or controlled” by a business, plus joint ventures of which the business is a part.

The VCPDA applies to people conducting business in the Commonwealth of Virginia or producing products or services targeted to residents of Virginia. During a calendar year, businesses must control or process personal data of at least 100,000 consumers to be covered by the VCPDA. Additionally, businesses must also process personal data of at least 25,000 consumers and receive at least 50% of their gross revenue from the sale of personal data to be subject to VCPDA.

The CTDPA applies to any person conducting business in Connecticut or producing products or services that are intentionally targeted to Connecticut residents. Any business that collects personal information from more than 100,000 consumers or derives more than 50% of its revenue from selling consumers’ personal information is covered by the CTDPA.

The CPA applies to businesses that collect or process the personal data of 100,000 or more Colorado residents or earn revenue from selling their personal data. Businesses that process personal data on behalf of other entities that the CPA covers must also comply with its provisions.

Starting July 1st, the Colorado Privacy Act (CPA) will take effect, and it applies to any controller that conducts business in Colorado or intentionally targets residents of the state with commercial products or services. If a business controls or processes the personal data of at least 100,000 consumers annually or 25,000 consumers if they sell personal data, then the CPA applies. The applicability threshold is broader under the CPA than other states. Unlike other state laws, the CPA doesn’t require businesses to have a minimum revenue threshold to apply. If a business process or controls the personal data of at least 25,000 consumers and derives any amount of revenue or discount on goods or services from the sale of personal data, then the law will apply. This is unlike other states where businesses must derive a significant portion of their revenue from the sale of personal data.

Finally, the UCPA applies to any person conducting business in Utah or producing products or services intentionally targeted to Utah residents. Businesses that collect or process personal data of more than 100,000 Utah residents, or that derive more than 50% of their revenue from selling consumers’ personal information, are covered by the UCPA.

Targeting Ads – One important topic that has been widely debated in recent years is the implications of targeting ads. With the rise of social media and online advertising, companies can collect vast amounts of user data and target ads based on their interests, behaviors, and demographic information. While this has the potential to increase the effectiveness of advertising and provide a more personalized experience for users, it also raises concerns about privacy and the potential for manipulation. All new US privacy laws aim to focus on this aspect. 

2023 is set to be a busy year for privacy professionals in the United States, with several new state privacy laws coming into effect. While all of these laws share many similarities, they also have important differences in terms of the types of businesses they cover. Businesses need to familiarize themselves with the specifics of each law and ensure that they comply. If you need more information, attend the Last Thursday in Privacy event on 26th January 2023, where expert speakers will discuss the topic in detail.