*Last updated on 01/19/23

There’s a lot of movement in the US state privacy landscape heading into 2023. With the California Privacy Rights Act (CPRA) and Virginia’s Consumer Data Protection Act (CDPA) in effect as of January 1, 2023, the Colorado Privacy Act (CPA) and Connecticut Data Protection Act (CTDPA) going into effect in July 2023, and the Utah Consumer Privacy Act (UCPA) going into effect at the end of the year on December 31, 2023 – that’s five new regulations to keep an eye on and ensure compliance with already. 

To top that off, many new states are also proposing their respective privacy bills forward. So far, we’ve got seven new states with comprehensive state laws in the works, along with an amendment to Virginia’s CDPA. However, privacy bills are much easier to come by than privacy laws. We’ve seen multiple bills introduced to the house and senate floors over the past couple years, only to be stopped in their tracks, with American Data Privacy Protection Act (ADPPA) being the most recent example at the federal level. Let’s look at the legislation proposed in 2023. 

Legislation spotlight

State: New York (New York Privacy Act)

Bill Highlights:

• Opt-in is required for processing sensitive data  
• Private right of action for violation of opt-out rights 
• Requirements for data protection impact assessments (DPIAs) 
• Targeted advertising is not considered “necessary” to provide services or goods to consumers 
• Consumers have the avenue to appeal decisions from automated decision making, assessment is required to determine if the system has discriminatory results 

State: Virginia (Amendment relating to the CDPA)

Bill Highlights:

• Verifiable parental consent is required regarding children’s data (can be verified through government ID, payment systems, or a signed consent form)
• Parents have the option to consent to the collection and use of the child’s personal data without consent to its disclosure to third-parties
• “Child” is now redefined as being younger than 18 (previously younger than 13)

State: Kentucky (An Act relating to consumer data privacy)

Bill Highlights:

• Right to opt-out of targeted advertising, tracking, and sale or sharing of personal data 
• Universal preference signals, such as the GPC, must be honored by businesses 
• Controller requirement for quarterly reporting to the AG and Legislative Research Commission including categories and amount of personal data processed, as well as the number of identifiable consumers

State: Tennessee (Tennessee Information Protection Act)

Bill Highlights:

• Data minimization practices are mentioned, controllers must limit data collection to “what is adequate, relevant, and reasonably necessary” for the purpose 
• Right to opt-out of the sale of personal information 
• Data protection assessments are required in the case of targeted advertising, sale of personal information, profiling, sensitive data processing, and any other processing that poses a “heightened risk of harm” to consumers

States with privacy legislation underway

• Hawaii (SB 21)
• Indiana (Senate Bill 5)
• Iowa (House Bill 12)
• Kentucky (Senate Bill 15)
• Maryland (HB 33)
• Massachusetts (SD.745)
• Mississippi (Senate Bill 2080 | HB 467)
• New York (Bill S00365) 
• Oklahoma (House Bill 1030) 
• Oregon (SB 619 | SB196)
• Tennessee (Senate Bill 73) 
• Virginia (HB 1688)

How OneTrust can help your organization with privacy compliance

With 5 new laws coming into effect and even more on the horizon, staying on top of privacy compliance requires the right expertise. Take a look at our resources below to learn more about how your organization can stay compliant and be prepared for new privacy legislation as well. 

The ultimate guide to US privacy: Use this guide to learn exactly what measures your organization needs to take to comply with the new regulations coming into effect. 

Comprehensive US privacy law book: Have the law at your fingertips with this law book that lays out the text of all major US state privacy laws. 

US privacy masterclass webinar series: View our US privacy masterclass webinars on-demand to get advice from OneTrust’s privacy experts on different areas to watch out for when going about privacy compliance. 

OneTrust DataGuidance: Get the regulatory research, privacy news, and legal guidance you need from our DataGuidance portal, powered by privacy and legal experts from around the world. This includes coverage of 300 jurisdictions, updates in 100 languages, and 500 lawyers providing their expertise with real-time regulatory updates. Monitor regulations that apply to your organization and get advice from analysts to make sure your data policies are up to date and compliant.