US state privacy bills on the horizon in 2023

Stay up to date with the latest news in US state privacy law, with bill highlights, legislation status, as well as resources to help your organization stay compliant

Param Gopalasamy
Content Marketing Specialist, CIPP/E, CIPM
January 6, 2023

Photo taken from below government building looking up at architectural columns

*Last updated on 01/19/23

There’s a lot of movement in the US state privacy landscape heading into 2023. With the California Privacy Rights Act (CPRA) and Virginia’s Consumer Data Protection Act (CDPA) in effect as of January 1, 2023, the Colorado Privacy Act (CPA) and Connecticut Data Protection Act (CTDPA) going into effect in July 2023, and the Utah Consumer Privacy Act (UCPA) going into effect at the end of the year on December 31, 2023 – that’s five new regulations to keep an eye on and ensure compliance with already. 

To top that off, many new states are also proposing their respective privacy bills forward. So far, we’ve got seven new states with comprehensive state laws in the works, along with an amendment to Virginia’s CDPA. However, privacy bills are much easier to come by than privacy laws. We’ve seen multiple bills introduced to the house and senate floors over the past couple years, only to be stopped in their tracks, with American Data Privacy Protection Act (ADPPA) being the most recent example at the federal level. Let’s look at the legislation proposed in 2023. 

Legislation spotlight


State: New York (New York Privacy Act)

Bill Highlights:

  • Opt-in is required for processing sensitive data  
  • Private right of action for violation of opt-out rights 
  • Requirements for data protection impact assessments (DPIAs) 
  • Targeted advertising is not considered “necessary” to provide services or goods to consumers 
  • Consumers have the avenue to appeal decisions from automated decision making, assessment is required to determine if the system has discriminatory results 


State: Virginia (Amendment relating to the CDPA)

Bill Highlights:

  • Verifiable parental consent is required regarding children’s data (can be verified through government ID, payment systems, or a signed consent form)
  • Parents have the option to consent to the collection and use of the child’s personal data without consent to its disclosure to third-parties
  • “Child” is now redefined as being younger than 18 (previously younger than 13)


State: Kentucky (An Act relating to consumer data privacy)

Bill Highlights:

  • Right to opt-out of targeted advertising, tracking, and sale or sharing of personal data 
  • Universal preference signals, such as the GPC, must be honored by businesses 
  • Controller requirement for quarterly reporting to the AG and Legislative Research Commission including categories and amount of personal data processed, as well as the number of identifiable consumers


State: Tennessee (Tennessee Information Protection Act)

Bill Highlights:

  • Data minimization practices are mentioned, controllers must limit data collection to “what is adequate, relevant, and reasonably necessary” for the purpose 
  • Right to opt-out of the sale of personal information 
  • Data protection assessments are required in the case of targeted advertising, sale of personal information, profiling, sensitive data processing, and any other processing that poses a “heightened risk of harm” to consumers


States with privacy legislation underway


How OneTrust can help your organization with privacy compliance

With 5 new laws coming into effect and even more on the horizon, staying on top of privacy compliance requires the right expertise. Take a look at our resources below to learn more about how your organization can stay compliant and be prepared for new privacy legislation as well. 

The ultimate guide to US privacy: Use this guide to learn exactly what measures your organization needs to take to comply with the new regulations coming into effect. 

Comprehensive US privacy law book: Have the law at your fingertips with this law book that lays out the text of all major US state privacy laws. 

US privacy masterclass webinar series: View our US privacy masterclass webinars on-demand to get advice from OneTrust’s privacy experts on different areas to watch out for when going about privacy compliance. 

OneTrust DataGuidance: Get the regulatory research, privacy news, and legal guidance you need from our DataGuidance portal, powered by privacy and legal experts from around the world. This includes coverage of 300 jurisdictions, updates in 100 languages, and 500 lawyers providing their expertise with real-time regulatory updates. Monitor regulations that apply to your organization and get advice from analysts to make sure your data policies are up to date and compliant.

You may also like


Privacy Management

Managing data transfers within the UK & EU

Join our experts as we discuss ways to effectively manage data transfers between the UK & EU while staying compliant with the latest privacy regulations.

October 31, 2023

Learn more


Data Discovery & Security

A guided tour of OneTrust Data Discovery magic

Our expert speaker will demonstrate how common real-world data challenges can be identified, addressed, and reported on, leading to better data governance, security, and alignment with business goals. 

October 26, 2023

Learn more


Data Discovery & Security

Data minimization and risk assessment in data discovery

Explore the concept of data minimization and its crucial role in enhancing security, privacy, and reducing risk.

October 19, 2023

Learn more