As state legislatures around the country continue to introduce comprehensive consumer privacy bills, those states who have already enacted them continue to flesh out proposed regulations and other guidance, in some cases even after the effective dates of those laws. .
California. The new CPRA amendments (including expiration of the CCPA employee and B2B exemptions) took effect on January 1, 2023. On February 14, 2023, the California Privacy Protection Agency (“CPPA”) filed its final draft of the California Privacy Act of 2020 (“CPRA”) regulations with the California Office of Administrative Law (“OAL”). This filing begins a 30-day review period, where the OAL has until March 292, 2023 to review the regulations. If approved, they will be submitted to the California Secretary of State for filing. Otherwise, the OAL will provide notice of the CPAA with a written decision of its reasons for disapproving the package. To view the latest CPRA regulations, click here.
Update: Today, the CPPA has announced an upcoming public meeting on March 3, 2023. More details are available at: https://cppa.ca.gov/meetings/.
Colorado. The Colorado Consumer Privacy act took effect on January, 1, 2023. Meanwhile, on January 27, 2023, the Colorado Attorney General released an updated draft of its rules on the Colorado Privacy Act, based on input received through January 18, 2023. A hearing on the proposed rules took place on February 1, 2023, and the comment period closed on February 3, 2023. 137 comments were filed. As of this posting, a revised draft has not yet been released. To review the latest (Jan 27, 2023) Colorado Rules, click here.
Virginia. The Virginia Consumer Data Protection Act (“VCDPA”) took effect on January 1, 2023. The Office of Attorney General has not indicated plans to develop implementing regulations, but did release some summary FAQs on February 2, 2023. To view the FAQs, click here.
Connecticut. The Connecticut Data Privacy Act (“CTDPA”) takes effect on July 1, 2023. Although no implementing regulations have yet been proposed, the Attorney General has released a portal with FAQS. To view the FAQs, click here.
Utah. The Utah act will not be effective until December 31, 2023. There has been no indication of proposed regulations yet.
Whether one of these laws applies to your business or not depends on various factors laid out in the respective statutes, which are all similar but slightly different. They include gross annual revenue, whether products or services are targeted to the state’s residents, and the volume of personal data controlled or processed, and/or the amount of revenue derived from the sale of personal data. To view a comparison chart detailing the applicability of each law, contact the Chair of Balch’s Data Security and Privacy Team at firstname.lastname@example.org.