
Multi-State Consumer Data Privacy Law Compliance: 6 Principles for In-House Counsel

February 28, 2023 (5 min read)

By Barbara W. Reece | Content Manager, LexisNexis Practical Guidance

In-house counsel are confronting a major change in the regulatory landscape in 2023, with new comprehensive consumer data privacy laws going into effect in five states: California, Colorado, Connecticut, Utah and Virginia.

The effective dates for these consumer privacy laws are:

  • California Privacy Rights Act (CPRA) – January 1
  • Virginia Consumer Data Protection Act (VCDPA) – January 1
  • Colorado Privacy Act (CPA) – July 1
  • Connecticut Data Privacy Act (CTDPA) – July 1
  • Utah Consumer Privacy Act (UCPA) – December 31

Consumer privacy legislation generally refers to laws providing an obligation of notice and transparency upon covered entities; requiring covered businesses to give consumers clear notice and disclosure of their privacy policies; and imposing obligations upon controllers and processors of personal information.

2023 Consumer Privacy Law Changes and What This Means for In-House Counsel

While some of the obligations are familiar to companies doing business in California due to the CPRA’s predecessor, the California Consumer Privacy Act, the CPRA added the right to correct inaccurate personal information and the right to limit the disclosure and use of sensitive personal information. And while there are some common requirements across all five states, the incongruity in the details of these regulations is creating a costly “patchwork of state privacy laws,” according to the International Association of Privacy Professionals.

Similar requirements include notice and transparency in the form of privacy policies explaining what personal information is collected, how it will be used and shared, what rights a consumer has, and how they may exercise those rights. Other typical consumer rights and business obligations include:

  • Right of access
  • Right of deletion
  • Right of portability
  • Right to opt-out of sales

Some of the differences include:

  • Right of correction
  • Definition of “sale”
  • Treatment of sensitive personal data
  • Right to opt out of profiling
  • Right to appeal denial of consumer requests
  • Treatment of universal opt-out mechanisms and dark patterns
  • Data protection impact assessment requirements
  • Penalties and enforcement methods

In-house counsel are faced with the headache of creating a corporate legal strategy that is nimble enough to achieve compliance with data privacy laws that vary from state to state and continue to evolve rapidly.

2023 Consumer Data Privacy Law Resources

To compare the specific requirements of each consumer data privacy law going into effect in 2023, see Consumer Data Privacy: State Law Comparison Charts. To track and monitor data privacy bills pending in state legislatures, see Privacy Legislation Tracker: Consumer Privacy Bills.

“On top of the new compliance obligations, further regulations from the California Privacy Protection Agency regarding automated decision making, cybersecurity audits, and privacy risk assessments remain outstanding,” wrote data privacy lawyers Catherine Kozlowski and Aaron Ogunro of Polsinelli PC in 5 Key Areas Of Privacy Compliance Following State Laws in the February 7, 2023 issue of Law360. “What is clear is that there will be no shortage of privacy compliance steps that organizations will have to take in 2023.”

6 Principles for Multi-State Data Privacy Compliance

Lexis Practical Guidance contributors Kirk Nahra, Arianna Evers and Ali Jessani — attorneys in the Data Security & Privacy Practice at WilmerHale — published an insightful practice note to help in-house counsel and chief privacy officers construct a data privacy program that complies with evolving state consumer privacy law obligations.

In Strategies for Developing a Multistate Privacy Compliance Program, which is available to Lexis+ subscribers, the authors identify six guiding principles that provide a strong foundation toward building a corporate legal strategy that can achieve data privacy compliance across multiple state jurisdictions:

  1. Transparency Requirements

Every state comprehensive privacy law requires businesses to provide consumers with notice of their collection activities and disclose intended uses, data sales or any use for targeted advertising. Most of the new state laws only require businesses to include this information in their privacy policies, although California goes beyond this requirement to provide state residents with additional notices.

  2. Consumer Rights

Privacy laws have historically provided consumers with certain rights in relation to their personal information — the five new state data privacy laws are no different. These include the right to access personal information, the right to correct personal information collected about them, the right to deletion of personal information collected about them, the right to opt out of the sale or sharing of their data, and the right to not be discriminated against based on how a consumer exercises their data privacy rights. There is substantial overlap between the state laws, but the precise contours vary in each state.

  3. Sensitive Data

Related to consumer rights more broadly are the specific rights that consumers have with regard to “sensitive” data (or “sensitive personal information” as defined under California’s law). The categories of information that generally fall within this requirement include personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition, sexual orientation, citizenship status, genetic or biometric information, personal data from a known child and precise geolocation information.

  4. Consent

Consent plays an important role in all five state privacy laws going into effect in 2023 and is defined similarly as a clear, affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement. This is a high standard for consent and the laws in some of these states explicitly exclude “implicit” consent or a more general consent from meeting this standard.

  5. Vendor Due Diligence

The new state data privacy laws have adopted the approach that in-house counsel will recall from the EU’s General Data Protection Regulation (GDPR), which requires “controllers” of personal information to enter into data protection agreements with their vendors. The state laws mandate that businesses sign data protection agreements with each relevant vendor to ensure that the vendor limits the use of any personal information it receives to the business’s purposes. The exact language varies a bit from state to state, but they share the common regulatory principles.

  6. Data Security

Finally, state data privacy laws expand businesses’ obligations regarding the notification of consumers when there is a data breach involving their personal information. The new laws include front-end data security requirements to protect against cyberattacks. These requirements are substantially similar across jurisdictions.

Achieve Compliance With Lexis+® General Counsel Suite

Adopting a universal data privacy legal strategy could prove to be simpler and more cost-efficient for in-house counsel, but such an approach is difficult in the short run. The new data privacy regulatory landscape in 2023 requires in-house counsel to stay apprised of emerging legislative developments so they can closely monitor potential implications for their organizations.

Lexis+® General Counsel Suite provides in-house counsel with a vast collection of legal resources, breaking business and legal news, and practical guidance content that includes practice notes, templates and checklists. Learn more about how General Counsel Suite helps you manage today and anticipate tomorrow by signing up for a free trial.

Barbara Reece is a content manager for Lexis Practical Guidance in the Data Security & Privacy practice area. She is a Certified Information Privacy Professional, CIPP/US. Prior to joining LexisNexis, Reece worked as an associate in private practice and as a judicial attorney for the Honorable Mary F. Spicer in the Summit County Court of Common Pleas. Reece earned her J.D. at the University of Akron School of Law and is admitted to practice in Ohio.