Connecticut became the fifth state to pass a comprehensive state privacy law when the Connecticut Data Privacy Act (CTDPA) was signed into law in May 2022. The CTDPA had followed closely behind the Utah Consumer Privacy Act (UCPA) which had been signed into law just weeks earlier. Both the UCPA and the CTDPA joined a privacy landscape in the US which has been becoming an increasingly complex space to navigate since the passing of the California Privacy Rights Act (CPRA) in 2020 which will enter into effect on January 1, 2023 and will extend and amend many of the California Consumer Privacy Act’s (CCPA) requirements.

A rise in state privacy law has left organizations that operate in the US having several key dates for their diaries in 2023. As previously mentioned, the CPRA will enter into effect on January 1, 2023, alongside the Virginia Consumer Data Protection Act (CDPA) and the Colorado Privacy Act (CPA) marking a fast start for compliance in 2023. At the beginning of July, the CTDPA will enter into effect finally followed by the UCPA on December 31, 2023.

While compliance deadlines are one thing that organizations should keep top of mind, the varying compliance requirements of five incoming privacy laws should also be a top priority. Download this infographic to for an easy-to-digest comparison of some of the US state privacy law’s key requirements.

Sensitive personal information

The CPRA introduced the category of sensitive personal information in US state privacy law, a provision that has found its way into many of the privacy laws that have passed since.

When comparing how requirements for using sensitive personal information stack up against each other it is first important to understand what types of information fall under the legal definition of sensitive personal information and whether you are required to obtain specific consent or offer the consumer the opportunity to opt-out.

Consumer rights

As consumers become more aware of privacy legislation and the rights that are afforded to them there is an increased need for organizations to be able to offer consumers the correct methods to exercise these rights.

In a similar fashion to sensitive personal information, consumer rights are at the core of US state privacy laws. But, each state affords different rights to consumers and sets out varying requirements relating to how organizations must fulfill them. There are notable differences relating to what activities the right to opt-out covers as well as what is in scope for the right to appeal.

Enforcement and penalties

Every organization will want to avoid falling foul of the law for both financial and reputational reasons. Again, different states different rules. Only one out of the five US states with comprehensive privacy laws is not overseen by the local Attorney General and across all five laws there are significant differences in relation to cure periods, a private right of action, and maximum monetary penalties.

Download the infographic for a quick view into the US state privacy law in 2023 or download the detailed Comparing US State Privacy Laws eBook.