And then there were five. On May 10, Connecticut Governor Ned Lamont signed his state’s Consumer Privacy Act, causing Connecticut to join California, Virginia, Colorado, and Utah as states that have enacted a consumer data privacy protection law. The Virginia law will take effect on January 1, 2023. The Connecticut law, along with that of Colorado, will take effect on July 1, 2023. Utah’s will take effect on December 31, 2023.
California was the first to adopt such a law, and its California Consumer Privacy Act was amended and toughened by the approval in 2020, by referendum, of the California Privacy Rights Act. The California law, as amended, continues to be the most privacy protective—and arguably burdensome to businesses—of the state laws enacted to date.
The other four states have taken a generally less regulatory and prescriptive approach, although they differ among themselves in certain details. For example, the Connecticut and Utah laws do not include the data minimization required by Virginia. Utah does not include a right of correction or require protection risk assessments (in certain circumstances), although Connecticut does.
Both the Connecticut and Utah laws contain provisions addressing the standard topics of notice, access, portability, choice regarding sales of data, nondiscrimination against consumers who exercise their rights, and security provisions. There is no private right of action; enforcement is in the hands of the state attorney general.
In general, any business that currently complies or plans to comply with the California, Virginia, and Colorado consumer privacy laws should be able to comply with the Connecticut and Utah laws with little additional difficulty. That is likely, because the criteria that determine what businesses are subject to the Utah law—i.e., revenues or number of customers, or operation as data sellers—closely track those of the other states’ laws. However, a business must still conduct some state-specific tinkering, unless it decides to adopt a one-size-fits-all approach that would, in effect, give consumers in some states privileges not required by the law of those states. But the converse is not true; a business that complies with the Connecticut or Utah laws alone will face additional obligations if it expands into, or even has customers in, California, Virginia, and Colorado.
Many have urged Congress to enact a federal consumer data privacy law, which many in industry hope would lead to nationwide uniformity. But despite more than two decades of discussion and expressions of great interest, Congress has yet to take any real steps towards doing so. Enacting such a law has proven quite difficult, and there is little time to do so in the current Congress. And there is no assurance that even a federal law would create nationwide uniformity; some want a federal law to establish a floor upon which states could impose additional requirements.
And, finally, even a uniform federal law might not solve the problems facing businesses that operate internationally. For example, none of the state laws takes the approach of the European Union’s General Data Protection Regulation. And businesses seeking to transfer data to the U.S. from the EU will have to tangle with complex transfer mechanisms.