This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
Insights Insights
| 1 minute read

Another State Privacy Law Passed in US

2023 will be a year of change for many businesses in the US: it is the year that four new state privacy laws (including one signed into law in mid-May in Connecticut) take effect and the pack-leading California privacy law undergoes significant "upgrades." These new laws and upgrades will apply an even sharper focus to consumer privacy in the US.

The Connecticut law, the newest of the bunch, will apply to businesses of a certain size but will not impose a revenue threshold. Like many of the other state laws, it will exempt non-profits and certain other entities from its scope entirely.  

The law will require consent, not an opt-out, for processing of information that is defined as "sensitive," and it will contain an opt-out right for consumers regarding use of their personal data for targeted online advertising, for profiling, and for sale. There are other consumer rights as well, including access, deletion, and correction. Unlike the upgraded California law, Connecticut will not apply to data obtained in an employment setting. Beginning in 2025, regulated entities will have to recognize universal opt-out signals on their websites.

Why It Matters

Many of the features of the Connecticut law are similar to those of privacy laws taking effect next year in Colorado, Virginia, and Utah -- along with the California upgrades.  Because all these laws differ slightly in how they apply, and because all of them carry some obligation to handle consumer requests and to limit use of data in online tracking and advertising, organizations should start reviewing how they collect and use data now if they want to be prepared.

Many small B2B companies will not meet the size threshold to be directly regulated under these new privacy laws, but it is likely they will have to comply anyway if they serve larger customers. The laws require that a regulated business impose compliance obligations on its suppliers. Thus, a review of data practices, data security, personnel awareness, and contractual policies is advisable during the latter half of 2022 in preparation for new compliance obligations in 2023 and beyond.  

The law includes many of the same rights, obligations and exceptions as the consumer privacy laws already on the books in California, Colorado, Utah and Virginia. It draws heavily from Colorado's law and the Virginia Consumer Data Protection Act — with many of the law’s provisions either mirroring or falling somewhere between the Colorado and Virginia laws — but contains a few notable distinctions that should be factored into an entity’s compliance efforts.


hill_mitzi, insights, data security and privacy