In-house legal professionals are entering 2025 with an expectation that the year will bring challenges they can anticipate, as well as a host of headaches that are unexpected right now. They are considering...
By Madison Johnson, Esq | Manager, Large Markets The return of President Trump to the White House for another four-year term has large law firms moving to adapt their service offerings and practice area...
The past year was filled with exciting breakthroughs of products built with new generative artificial intelligence (Gen AI) technology, but it also ushered in a peculiar new regulatory skirmish that in...
Businesses across the globe are bracing for potential increases in tariffs on imported goods flowing into the U.S. in 2025. “On the campaign trail, then-presidential candidate Donald Trump proposed...
By Madison Johnson, Esq. | Manager, Large Markets Legislative activity surrounding the regulation of AI has begun to take greater shape this year, especially at the state level, and industry observers...
By Barbara W. Reece | Content Manager, LexisNexis Practical Guidance
In-house counsel are confronting a major change in the regulatory landscape in 2023, with new comprehensive consumer data privacy laws going into effect in five states: California, Colorado, Connecticut, Utah and Virginia.
The effective dates for these consumer privacy laws are:
Consumer privacy legislation generally refers to laws providing an obligation of notice and transparency upon covered entities; requiring covered businesses to give consumers clear notice and disclosure of their privacy policies; and imposing obligations upon controllers and processors of personal information.
While some of the obligations are familiar to companies doing business in California due to the CPRA’s predecessor – the California Consumer Privacy Act, the CPRA added the right to correct inaccurate personal information and the right to limit the disclosure and use of sensitive personal information. And while there are some common requirements with all five states, the incongruity in the details of these regulations is creating a costly “patchwork of state privacy laws,” the International Association of Privacy Professionals.
Similar requirements include notice and transparency in the form of privacy policies explaining what personal information is collected, how it will be used and shared, what rights a consumer has, and how they may exercise those rights. Other typical consumer rights and business obligations include:
Some of the differences include:
In-house counsel are faced with the headache of creating a corporate legal strategy that is nimble enough to achieve compliance with data privacy laws that vary from state-to-state and continue to evolve rapidly.
To compare the specific requirements of each consumer data privacy law going into effect in 2023, see Consumer Data Privacy: State Law comparison Charts. To track and monitor data privacy bills pending in state legislatures, see Privacy Legislation Tracker: Consumer Privacy Bills.
“On top of the new compliance obligations, further regulations from the California Privacy Protection Agency regarding automated decision making, cybersecurity audits, and privacy risk assessments remain outstanding,” data privacy lawyers Catherine Kozlowski and Aaron Ogunro of Polsinelli PC, in 5 Key Areas Of Privacy Compliance Following State Laws in the February 7, 2023 issue of Law360. “What is clear is that there will be no shortage of privacy compliance steps that organizations will have to take in 2023.”
Lexis Practical Guidance contributors Kirk Nahra, Arianna Evers and Ali Jessani — attorneys in the Data Security & Privacy Practice at WilmerHale — published an insightful practice note to help in-house counsel and chief privacy officers construct a data privacy program that complies with evolving state consumer privacy law obligations.
In Strategies for Developing a Multistate Privacy Compliance Program, which is available to Lexis+ subscribers, the authors identify six guiding principles that provide a strong foundation toward building a corporate legal strategy that can achieve data privacy compliance across multiple state jurisdictions:
Every state comprehensive privacy law requires businesses to provide consumers with notice of their collection activities and disclose intended uses, data sales or any use for targeted advertising. Most of the new state laws only require businesses to include this information in their privacy policies, although California goes beyond this requirement to provide state residents with additional notices.
Privacy laws have historically provided consumers with certain rights in relation to their personal information — the five new state data privacy laws are no different. These include the right to access personal information, the right to correct personal information collected about them, the right to deletion of personal information collected about them, the right to opt out of the sale or sharing of their data, and the right to not be discriminated against based on how a consumer exercises their data privacy rights. There is substantial overlap between the state laws, but the precise contours vary in each state.
Related to consumer rights more broadly are the specific rights that consumers have with regard to “sensitive” data (or “sensitive personal information” as defined under California’s law). The categories of information that generally fall within this requirement include personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition, sexual orientation, citizenship status, genetic or biometric information, personal data from a known child and precise geolocation information.
Consent plays an important role in all five state privacy laws going into effect in 2023 and is defined similarly as a clear, affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement. This is a high standard for consent and the laws in some of these states explicitly exclude “implicit” consent or a more general consent from meeting this standard.
The new state data privacy laws have adopted the approach that in-house counsel will recall from the EU’s General Data Protection Regulation (GDPR), which requires “controllers” of personal information to enter into data protection agreements with their vendors. The state laws mandate that businesses sign data protection agreements with each relevant vendor to ensure that the vendor limits the use of any personal information it receives to the business’s purposes. The exact language varies a bit from state to state, but they share the common regulatory principles.
Finally, state data privacy laws expand businesses’ obligations regarding the notification of consumers when there is a data breach involving their personal information. The new laws include front-end data security requirements to protect against cyberattacks. These requirements are substantially similar across jurisdictions.
Adopting a universal data privacy legal strategy could prove to be simpler and more cost-efficient for in-house counsel, but such an approach is difficult in the short run. The new data privacy regulatory landscape in 2023 requires in-house counsel to stay apprised of emerging legislative developments so they can closely monitor potential implications for their organizations.
Lexis+® General Counsel Suite provides in-house counsel with a vast collection of legal resources, breaking business and legal news, and practical guidance content that includes practice notes, templates and checklists. Learn more about how General Counsel Suite helps you manage today and anticipate tomorrow by signing up for a free trial.
Barbara Reece is a content manager for Lexis Practical Guidance in the Data Security & Privacy practice area. She is a Certified Information Privacy Professional, CIPP/US. Prior to joining LexisNexis, Reece worked as an associate in private practice and as a judicial attorney for the Honorable Mary F. Spicer in the Summit County Court of Common Pleas. Reece earned her J.D. at the University of Akron School of Law and is admitted to practice in Ohio.