US state privacy bills on the horizon in 2023

Stay up to date with the latest news in US state privacy law, with bill highlights, legislation status, and resources to help your organization stay compliant.

Param Gopalasamy
Content Marketing Specialist, CIPP/E, CIPM
January 6, 2023

*Last updated on 01/19/23

There’s a lot of movement in the US state privacy landscape heading into 2023. The California Privacy Rights Act (CPRA) and Virginia’s Consumer Data Protection Act (CDPA) are in effect as of January 1, 2023, the Colorado Privacy Act (CPA) and Connecticut Data Protection Act (CTDPA) go into effect in July 2023, and the Utah Consumer Privacy Act (UCPA) goes into effect at the end of the year on December 31, 2023. That’s already five new regulations to keep an eye on and comply with.

To top that off, many new states are also putting their respective privacy bills forward. So far, we’ve got seven new states with comprehensive state laws in the works, along with an amendment to Virginia’s CDPA. However, privacy bills are much easier to come by than privacy laws. We’ve seen multiple bills introduced to the House and Senate floors over the past couple of years, only to be stopped in their tracks, with the American Data Privacy Protection Act (ADPPA) being the most recent example at the federal level. Let’s look at the legislation proposed in 2023.

Legislation spotlight


State: New York (New York Privacy Act)

Bill Highlights:

  • Opt-in is required for processing sensitive data  
  • Private right of action for violation of opt-out rights 
  • Requirements for data protection impact assessments (DPIAs) 
  • Targeted advertising is not considered “necessary” to provide services or goods to consumers 
  • Consumers have an avenue to appeal decisions from automated decision-making; an assessment is required to determine if the system has discriminatory results


State: Virginia (Amendment relating to the CDPA)

Bill Highlights:

  • Verifiable parental consent is required regarding children’s data (can be verified through government ID, payment systems, or a signed consent form)
  • Parents have the option to consent to the collection and use of the child’s personal data without consenting to its disclosure to third parties
  • “Child” is now redefined as being younger than 18 (previously younger than 13)


State: Kentucky (An Act relating to consumer data privacy)

Bill Highlights:

  • Right to opt-out of targeted advertising, tracking, and sale or sharing of personal data 
  • Universal preference signals, such as the GPC, must be honored by businesses 
  • Controller requirement for quarterly reporting to the AG and Legislative Research Commission including categories and amount of personal data processed, as well as the number of identifiable consumers


State: Tennessee (Tennessee Information Protection Act)

Bill Highlights:

  • Data minimization practices are mentioned: controllers must limit data collection to “what is adequate, relevant, and reasonably necessary” for the purpose
  • Right to opt-out of the sale of personal information 
  • Data protection assessments are required in the case of targeted advertising, sale of personal information, profiling, sensitive data processing, and any other processing that poses a “heightened risk of harm” to consumers


States with privacy legislation underway


How OneTrust can help your organization with privacy compliance

With 5 new laws coming into effect and even more on the horizon, staying on top of privacy compliance requires the right expertise. Take a look at our resources below to learn more about how your organization can stay compliant and be prepared for new privacy legislation as well. 

The ultimate guide to US privacy: Use this guide to learn exactly what measures your organization needs to take to comply with the new regulations coming into effect. 

Comprehensive US privacy law book: Have the law at your fingertips with this law book that lays out the text of all major US state privacy laws. 

US privacy masterclass webinar series: View our US privacy masterclass webinars on-demand to get advice from OneTrust’s privacy experts on different areas to watch out for when going about privacy compliance. 

OneTrust DataGuidance: Get the regulatory research, privacy news, and legal guidance you need from our DataGuidance portal, powered by privacy and legal experts from around the world. This includes coverage of 300 jurisdictions, updates in 100 languages, and 500 lawyers providing their expertise with real-time regulatory updates. Monitor regulations that apply to your organization and get advice from analysts to make sure your data policies are up to date and compliant.
