Skip to Content

New State Privacy Laws Will Force Companies to Rethink Data Collection Practices


New state privacy laws in California, Virginia, and Colorado are harbingers of things to come in data collection and consumer privacy. Omnibus privacy laws will go into effect in California and Virginia on January 1, 2023, with Colorado following on July 1, 2023. Utah may not be far behind; at the time of this writing, Utah appears poised to enact its own comprehensive privacy law that would take effect on December 31, 2023.

The three laws that have passed so far are largely similar and take some cues from European privacy laws. They each include strong protections and use limitations around sensitive categories of data, including biometric data, as well as new requirements for privacy notices and data subject rights requests. For the first time, companies doing business in these states will have to provide an appeal process to allow consumers to correct their personal information.

Additionally, CaliforniaVirginia, and Colorado’s laws will give more power to state privacy regulators. California’s updated law will create the California Privacy Protection Agency, a new regulatory body with full enforcement and rule-making authority — making it arguably the first European-style consumer privacy watchdog agency in the United States.

With these three laws going into effect in rapid succession, it’s a signal to businesses across the country to start updating their data collection systems and creating plans to comply with new regulations. The recent laws will almost certainly trigger similar lawmaking in other states (as they already seem to have done in Utah), and any company that does business nationally will come up against new state privacy laws sooner than later. Privacy changes are coming, and companies should consider these key areas in the coming months.

Read more from Biometrics News here