Connecticut, Utah & Colorado Privacy Laws in 2023
The privacy and security of personal information are critically important issues in today’s world. As people engage in more and more activities online, businesses and other organizations come into possession of massive amounts of personally identifiable information (PII). Hackers, identity thieves, and other bad actors cause billions of dollars in losses every year for consumers and businesses alike. Several states have enacted new comprehensive data security laws that place obligations on businesses to safeguard consumers’ personal information. They also impose penalties for failing to do so. Laws in two states, California and Virginia, have already gone into effect. Laws in Colorado, Connecticut, and Utah will take effect later in 2023.
When Do the New Laws Take Effect?
The laws in California and Virginia took effect on January 1, 2023. The effective dates for the new laws in Colorado, Connecticut, and Utah are as follows:
- Colorado Privacy Act (CPA): July 1, 2023
- Connecticut Data Privacy Act (CTDPA): July 1, 2023
- Utah Consumer Privacy Act (UCPA): December 31, 2023
What Do the New Laws Protect?
The new laws provide broad protection for consumer data privacy and impose obligations on businesses.
Who Do the New Privacy Laws in 2023 Cover?
All three laws generally apply to entities that either do business or target consumers in their respective states, and that meet certain other requirements. The CPA and CTDPA apply to for-profit businesses and certain nonprofit organizations without regard to revenue. The UCPA covers for-profit “controller” or “processor” entities that have at least $25 million in annual revenue. Additional criteria involve the amount of personal information that a business possesses, processes, or sells annually.
What Are Consumers’ Rights under the New Laws?
The CPA, CTDPA, and UCPA offer similar sets of rights for consumers, including:
- To know what information is being used, and how;
- To access personal information;
- To delete personal information;
- To reuse personal information across multiple services or platforms, also known as data portability; and
- To opt out of certain uses of their information.
What Information Do the New Privacy Laws in 2023 Protect?
The three laws have almost identical definitions of “personal information.” The CPA defines it as “information that is linked or reasonably linkable to an identified or identifiable individual.” The laws provide additional protections for “sensitive data,” which may include:
- Race, ethnicity, sexual orientation, medical diagnoses, religious beliefs, and other personal data;
- Genetic or biometric data, when collected for the purpose of identifying someone;
- Geolocation data (Connecticut and Utah); and
- Information collected from someone known to be a child (Colorado).
Who Enforces the New Laws?
The attorneys general in each state will have the authority to enforce these laws. District attorneys in Colorado will also have enforcement powers. None of the laws allow private causes of action by individual consumers. Penalties may include the following fines for each violation:
- Colorado: Up to $20,000
- Connecticut: Up to $5,000
- Utah: Up to $7,500
Learn More
Baer Reed works with in-house counsel to help them deal with issues like confidentiality and data privacy. Contact the firm today to learn more.
- On March 31, 2023
- Back to post list