How to Prepare Your Business for Privacy Laws Taking Effect in 2023

| Legal Alert
Mariel Giletto, Krishna Jani

In 2023, five new state privacy laws will become effective. How will these new laws affect your business?

Currently, privacy laws in the United States include  a patchwork of state laws as well as some industry- or issue-specific federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA) for protected health information and the Gramm-Leach-Bliley Act (GLBA) for the financial services industry. There is no comprehensive federal privacy law in effect in the United States at this time.

Below you will find a brief overview of the new state privacy laws going into effect, their commonalities, their differences, and what you need to know to prepare your company for compliance.

If you have any questions related to your company’s compliance with these laws, please contact Mariel Giletto or Krishna Jani.

If you have any questions, please contact Mariel Giletto or Krishna Jani.



Effective: January 1, 2023

The California Privacy Rights Act (CPRA) amends and extends the California Consumer Privacy Act (CCPA).  CPRA is a new law with more stringent requirements than the current law and creates a new regulatory agency (California Privacy Protection Agency (CPPA).  To date, only draft regulations have been released.  Final form regulations have not been published.

California’s new, more stringent law is significant because state attorneys general are tasked with enforcing data privacy laws and this new legislation signals a ramp up in enforcement, thereby bringing the U.S closer to Europe’s General Data Protection Regulation (GDPR).

One crucial piece of the proposed CPRA regulations is the right of a consumer to opt-out to both the sale and sharing of personal information. This is relevant for data brokers, and companies that contract with data brokers.

Separately, California passed a new bill called the California Age-Appropriate Design Code Act about two months ago. It is an online safety bill containing unique privacy requirements to protect minors 18 and under.


Effective: January 1, 2023

Under the Virginia Consumer Data Protection Act, consumers have the right to opt-out of the processing of personal data for purposes of targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.


Effective:  July 1, 2023

The Colorado Privacy Act (CPA) gives the Colorado attorney general authority to adopt rules governing privacy. It also requires that, by July 1, 2023, the Colorado attorney general must adopt rules detail the technical specifications for one or more universal opt-out mechanisms that clearly communicate a consumer’s affirmative, freely given, and unambiguous choice to opt-out of the processing of personal data for purposes of targeted advertising or the sale of personal data.

Both Connecticut and Utah have also passed privacy laws that are set to take effect on July 1, 2023 and December 31, 2023 respectively.


Each state law:

For example, the CCPA, as amended by the CPRA, applies to any company that does business in California, no matter where it is based, if it meets any of the following criteria:


The significant differences of each state law include:


Below are some helpful considerations for your company to begin their analysis of compliance with the new state laws:


Another draft of a federal privacy law has been introduced – the American Data Privacy and Protection Act.

If you have any questions about the new data privacy laws and how it could affect your business, please contact Mariel Giletto or Krishna Jani.

In light of recent changes to data protection laws, we have updated our Privacy Policy and Terms & Conditions, which explain how we collect, use, maintain, and secure your information. By using this site, you agree to our updated Privacy & Terms of Use Policies