5 State Privacy Laws Publishers Need to Know for 2023

In September 2022, the IAB Tech Lab launched the Global Privacy Platform (GPP), a protocol for communicating user consent and preferences. It has been finalized, and new state-level privacy signaling support is likely to continue to roll out in the coming months. In October, state-level signals were released, and five states have launched, and are adopting, new regulations: California, Virginia, Utah, Colorado, and Connecticut.

As a publisher, you need to fully understand each of these privacy regulations and how they may impact your business.

5 state laws going into effect in 2023

Here’s a fast breakdown of each of these laws that are already moving forward. These are new regulations that companies must meet.

  • California’s Privacy Rights Act (CPRA) update became effective on January 1, 2023; civil and administrative enforcement of the CPRA begins July 1, 2023.
  • Virginia Consumer Data Protection Act has become effective and enforceable as of January 1, 2023.
  • Colorado Privacy Act becomes effective and enforceable on July 1, 2023.
  • Connecticut Data Privacy Act becomes effective and enforceable on July 1, 2023.
  • Utah Consumer Privacy Act becomes effective and enforceable on December 31, 2023.

If you monetize website traffic from any of these US states, you’ll need to fully understand and adapt to these changes.

California Privacy Rights Act (CPRA)

The California Privacy Rights Act is the most comprehensive of all state-level data privacy laws to date. It amends the California Consumer Privacy Act (CCPA) which came into effect on January 1, 2020.

This law creates definitions and broad individual consumer rights. It also requires entities and persons collecting personal information to protect that data. The duties required of all collecting entities include:

  • Informing people of when and how data will be collected.
  • Creating a way for people to opt out of that collection of their data.
  • Providing a way for people to access, correct, or delete data about them.
  • Restricting how this information can be transferred.

The amended law also put into place the Consumers’ Right to Correct Inaccurate Personal Information, which provides consumers with the right to correct any type of inaccurate personal information collected about them. It also introduced the Right to Restriction, which means consumers have the legal right to limit personal data use as well as require disclosure of sensitive personal information.

Also notable, the current amended law creates sensitive personal information protections. Social Security numbers, and other data considered sensitive, must be treated with specific protections.

The law has fines for breaches related to children’s data (increased threefold) and expands breach liability to credential disclosures. It also limits the length of time that a company is able to maintain and use collected data, and requires the same privacy protections to be followed when companies share data with third-party organizations.

Another key factor in CPRA is that a new privacy regulator has been established.

This organization, called the California Privacy Protection Agency, will levy fines of up to $2,500 per violation on those who break these rules. For violations involving minors, fines go up to $7,500 per intentional violation.

The five-member board will begin enforcing this law in July of 2023.

Virginia Consumer Data Protection Act (VCDPA)

The Virginia Consumer Data Protection Act was put into place on March 2, 2021.

This law aims to regulate the collection and processing of personal information from Virginia residents by for-profit companies. More specifically, it aims to hold businesses accountable for making their data collection processes more transparent and to give users the ability to opt out of, and give prior consent to, the processing of their personal data.

Companies that conduct business in Virginia and produce services that target Virginian residents must comply with these requirements.

While the VCDPA nearly mirrors the CPRA with regard to its comprehensiveness, there are still some notable differences: the lowered age of minors, the lack of a private right of action, and the lack of any requirement for repeatedly asking for consent after it’s withdrawn.

Residents of Virginia have the following 5 data privacy rights under the VCDPA:

  1. Right to confirm whether or not a controller is processing their personal data and to access such personal data;
  2. Right to correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of processing said personal data;
  3. Right to delete personal data provided by or obtained about themselves;
  4. Right to obtain a copy of their personal data that they previously provided to the controller in a readily usable format, allowing them to send their data to another controller without any issues; and,
  5. Right to opt out of the processing of personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

All organizations that do business in Virginia are required to comply with these requests within 45 days of receiving them. More explicitly, it applies to organizations that control or process personal data for at least 100,000 residents of Virginia or those that process personal data of at least 25,000 Virginia-based consumers but also earn at least half of their revenue from the sale of this information.

Companies that fail to comply within the timeframe will first be given a 30-day notice to rectify the situation. If it is not remedied by then, they will be subject to fines of up to $7,500 per violation.

This law has gone into effect in full as of January 1, 2023.

Colorado Privacy Act (CPA)

The third state law is the Colorado Privacy Act, which was established in July 2021. The law provides residents with the legal right to protect their data and puts obligations on anyone who gathers, processes, or controls such data.

It follows the same basic guidelines as the other privacy regulations in that it requires companies to provide consumers with a way to opt out and places specific restrictions on sensitive data.

The rights residents of Colorado will receive include:

  • The right to opt out of the sale of their personal data, any targeted ads, or profiling of their information.
  • The right to access all of the data collected about them by a company or organization.
  • The right to make corrections to inaccurate data that is collected about them.
  • The right to request that the data collected be destroyed.
  • The right to data portability or to take data from one organization and move it to another.

There are some data exemptions to those laws, including data that’s protected by the Colorado health insurance laws or data already covered by other laws such as COPPA.

Unlike the VCDPA, the CPA offers a 60-day period to businesses found to be in violation of its own provisions. The CPA deems deceptive trade practices as violations. As a result, businesses found to be breaching the CPA can be fined up to $20,000 per violation.

This law will go into effect in July of 2023.

Connecticut Data Privacy Act (CTDPA)

Connecticut passed its law, An Act Concerning Personal Data Privacy and Online Monitoring, also known as the CTDPA, in May 2022. It gives Connecticut residents specific rights over their personal data and sets up responsibilities and privacy protection standards for data controllers that process said personal data.

This affects publishers as the goal is to protect Connecticut residents acting in an individual or household context, such as browsing the Internet.

More precisely, it applies to publishers that collect data for over 100,000 Connecticut citizens.

However, that count does not include residents whose personal data is controlled for payment transactions. The law will also apply to organizations in which 25% or more of the company’s gross revenue comes from 25,000 or more residents of the state.

Connecticut’s law is unique in not counting payment transaction data toward the company’s 100,000 threshold. It also has a 60-day notice period, which will remain in effect through December 31, 2024. After this, data controllers will not be given any notice for any violations.

Businesses found to be violating the CTDPA can be fined up to $5,000 per violation.

This law will go into effect in full as of July 1, 2023.

Utah Consumer Privacy Act (UCPA)

In March of 2022, Utah passed the Utah Consumer Privacy Act, a comprehensive consumer privacy law.

The law applies to anyone collecting or processing data who generates over $25 million in annual revenue and either controls data for over 100,000 consumers each year or gets 50% of its gross revenue from that data and processes data from at least 25,000 people.

Utah’s law exempts some information, including information collected by government organizations as well as any organization acting on behalf of the government, institutions of higher education, nonprofits, tribes, and other organizations. It also does not replace HIPAA, GLBA, FCRA, or other regulations.

Under Utah’s new law, consumers have rights such as:

  • Confirming the collection of the data as well as requesting the deletion of it.
  • Obtaining a copy of personal data in an accessible form.
  • Opting out of the collection of data for targeted ads.

While the UCPA is considerably influenced by the VCDPA and the CPRA, its significant distinctions lie in how it’s regulated. While the Attorney General (AG) has the full right to enforce the UCPA, the Utah Consumer Protection Division is authorized under the UCPA to receive and investigate consumer complaints and recommend actionable matters to the AG.

In the event of a violation, the AG will send the organization’s controller or data processor a notice describing the alleged violations. The organization will have a 30-day cure period to rectify the violation. If the organization fails to remedy the situation within the allocated time or continues to violate the UCPA, it can be fined up to $7,500 per violation.

The UCPA will go into effect on December 31, 2023.

In summary

Often, the burden of meeting these laws and requirements falls on the shoulders of the organization collecting that information.

As a result, publishers must make changes to the way they collect, maintain, change, and share data, including sensitive information. Not doing so could result in costly fines as well as complications in using that data. Also, note that other states are working to increase their data protection rights. Expect those to change in the future as well.
