December 20, 2022Client Alert

State Law Privacy Compliance in 2023: Your Business’s New Year’s Privacy Resolutions

With 2023 fast approaching, we strongly recommend businesses add privacy and cybersecurity compliance to their new year’s resolutions. Why now? Well, 2023 is the Year of Privacy Compliance (or it should be). Currently, only California has a comprehensive data privacy law. Over the next year, four new state laws—and significant amendments to California’s law—all go into effect and will require businesses to update several areas of operations, including public-facing platforms and services, back-end operations, and relationships with service providers and third parties.

On January 1, 2023, both the Virginia Consumer Data Protection Act and the California Privacy Rights Act, which amends the current California law, go into effect. For large businesses that operate in California, January 1 also means the end of the cure period for California’s current law and the end of the current exemption for employee and business-to-business data.

Six months later on July 1, 2023, the Colorado Privacy Act and the Connecticut Data Privacy Act go into effect. The same day, California’s new requirements become fully enforceable.

To close out the year, Utah’s Consumer Privacy Act goes into effect on December 31, 2023.

(In case that wasn’t enough, both California and Colorado are in the process of publishing regulations and are expected to release final rules in the spring to give businesses time to comply before July 1, 2023.)

We (the Privacy and Cybersecurity Team at Michael Best) understand if you or your business are unsure where to start. To help, we’ve a included a checklist of key steps to take as you craft your 2023 privacy and cybersecurity resolutions (and refine your budgets) heading into the new year:

In Q1, prioritize:

  1. Updating your privacy policy to comply with the Virginia law and the new California requirements.
  2. Updating your website configuration to honor global opt-out signals.
  3. Becoming fully compliant with the current California requirements and the Virginia law.
  4. Identifying and prioritizing service provider, contractor, and third-party contracts that will need to be updated.
  5. Creating a plan for reasonable compliance with the new California requirements, and the Colorado and Connecticut laws by July 2023.

In Q2, focus on:

  1. Identifying and procuring vendors to help you with some of the back-end compliance requirements, including tracking and communicating consent preferences downstream.
  2. Providing consistent privacy rights and opt-out options across applicable jurisdictions.
  3. Continuing to update relevant contracts.
  4. Incorporating additional requirements from Colorado’s and California’s forthcoming regulations by July.

In Q3 and Q4:

  1. Tweak your privacy practices based on new insights we learn as regulators issue guidance and enforce these new requirements.
  2. Plan for compliance with Utah’s privacy law by the end of the year.

Our team has significant inhouse privacy and cybersecurity expertise. Our diverse experiences include working for a regulatory body, building international and domestic compliance programs, and assisting businesses with data breach prevention and response activities, among others. We have developed a variety of action plans and playbooks that enable us to take a comprehensive approach for our multi-state and global clients or focus on single state compliance for our more regional clients.  We also monitor all state law and regulatory developments and are prepared to assist you with taking the above steps for state law compliance. Please reach out to any of us for assistance.

back to top