
2023: The Year of the Privacy Laws

Privacy Laws in 2023


As we ring in 2023, we may think about goals such as making more sales, organizing the garage, and spending more time with family.

One slightly less exciting but essential goal in 2023 will be compliance with the six new privacy laws going into effect this year.

Regarding privacy compliance requirements, it is important to know that privacy laws protect consumers, so whether a law applies to you depends on whose personal information you collect, not on where your business is located.

In addition, privacy laws can impose very high penalties for violations, because penalties are calculated per violation (meaning per website visitor whose privacy rights were infringed upon).

In this article, we will discuss the steps that you will need to take to prepare your business for the many privacy compliance requirements that will go into effect in 2023.

Disclaimer: The information in this article is provided for awareness purposes only and should not be construed as legal advice. Consult your attorney for legal matters.

Step 1: Determine What Privacy Laws Apply to You

Which Privacy Policy Applies in 2023

The golden rule of compliance is first to figure out which privacy laws you need to comply with (as complying with laws that do not apply to you can increase costs, confusion, and liability).

Each new privacy law that is going into effect in 2023 has its own criteria for who needs to comply with that law:

1. California Privacy Rights Act (CPRA) (effective date: January 1, 2023):

The CPRA applies to businesses that collect the personal information of individuals residing in California, that do business in California, and that meet one or more of the following criteria:

  1. Have annual gross revenue of more than $25,000,000;
  2. Derive 50% or more of their annual revenue from selling or sharing the personal information of California consumers; or
  3. Annually buy, sell or share the personal information of 100,000 or more California consumers or households.

2. Virginia Consumer Data Protection Act (VCDPA) (effective date: January 1, 2023):

The VCDPA applies to persons that do business in Virginia or that produce products or services that are targeted to Virginia residents and that meet one or more of the following criteria:

  1. During a calendar year, control or process the personal information of at least 100,000 Virginia residents; or
  2. Control or process the personal information of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal information.

3. Colorado Privacy Act (CPA) (effective date: July 1, 2023):

The CPA applies to anyone that conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted toward residents of Colorado and that meets one or more of the following thresholds:

  1. Controls or processes the personal information of 100,000 or more Colorado consumers during a calendar year; or
  2. Derives revenue or receives a discount on the price of goods or services from the sale of personal information and processes or controls the personal information of 25,000 or more Colorado consumers.

4. Connecticut SB6 (effective date: July 1, 2023):

Connecticut SB6 applies to persons doing business in Connecticut or that provide goods or services that are targeted towards residents of Connecticut and that, during the previous year:

  1. Controlled or processed the personal information of 100,000 or more Connecticut residents; or
  2. Controlled or processed the personal information of 25,000 or more Connecticut residents and derived more than 25% of their gross revenue from the sale of personal information.

5. Utah Consumer Privacy Act (UCPA) (effective date: December 31, 2023):

The UCPA applies to anyone collecting the personal information of Utah residents that does business in Utah or that produces a product or service that is targeted to individuals who are located in Utah and that meets the following thresholds:

  1. Has annual revenue of $25,000,000 or more; and
  2. Meets one of the following criteria:
    1. During a calendar year, controls or processes the personal information of 100,000 or more Utah residents; or
    2. Derives 50% or more of its annual gross revenue from the sale of personal information and controls or processes the personal information of 25,000 or more Utah consumers.

6. Quebec Bill 64 (effective date: September 1, 2023):

This applies to persons who collect, hold, use or share personal information in the course of carrying on an enterprise. “Enterprise” is defined as the carrying on by one or more persons of organized economic activity, whether or not it is commercial in nature, consisting of producing, administering, or alienating property or providing a service.

Compliance by contract: if, after looking through the criteria above, you or your attorney have determined that you do not need to comply with these laws because you do not meet the criteria, you may still be required to comply with them by contract.

If you work as a vendor to large companies that send you the personal information of their customers, they may ask you to sign a contract that guarantees that you will process that personal information in compliance with the above privacy laws.

You should ensure that you read through your current contracts and any contract amendments, as these requirements would be included in those contracts if your clients want you to comply with these laws.

On the other hand, if you are required to comply with these laws because you meet the thresholds and you send customer information to a vendor for processing, you should ensure that your vendor has signed a contract that requires them to process that personal information in compliance with the laws that apply to you.

You should also audit these vendors regularly to ensure they comply with these laws.

Step 2: Be Ready for Consumer Privacy Rights Requests

Privacy Policy Consent

The purpose of privacy laws is to provide consumers with greater control over their personal information by giving them certain privacy rights.

Below is a list of the privacy rights provided by these laws (please note that not all privacy laws may provide each privacy right):

  1. Right to correct inaccurate or incomplete personal information;
  2. Right to confirm whether their personal information is being processed;
  3. Right to opt-out of the use and sharing of sensitive personal information;
  4. Right to receive a copy of the personal information in a portable and readily usable format;
  5. Right to transmit personal information to another entity;
  6. Right to delete personal information;
  7. Right to opt-out of the processing of personal information for the purposes of targeted advertising, the sale of personal information, profiling, and the collection of geolocation information.

As these privacy laws go into effect and consumers become more aware of their privacy rights, you will see an increase in the number of requests to exercise those rights.

Each privacy law limits the number of days a business has to respond to these requests, so it is important to prepare to process them now so that you can respond within the required time frame.

To prepare for these requests, you should:

  1. Draft response templates that staff can use to respond to requests;
  2. Perform a data inventory so that you know where data is housed and you can easily obtain a copy of that data or delete it;
  3. Draft procedures for exercising privacy rights so that staff can follow a series of steps to effectuate the privacy rights requests;
  4. Train staff on how to process and respond to privacy rights requests;
  5. Provide adequate information in your Privacy Policy as to how consumers can exercise their privacy rights.

Step 3: Update Your Privacy Policy

Privacy Policy Consent Agreement

Privacy laws require businesses that must comply with them to have a Privacy Policy, so that consumers can understand what personal information is collected from them, how that information is used, who it is shared with, and any other pertinent information.

In addition, each privacy law has its own requirements for disclosures that a Privacy Policy needs to include to comply with that particular law.

While each law is different, the following is a set of the combined disclosures that are required by these laws:

  1. What personal information is collected;
  2. Where the personal information is obtained from;
  3. How this personal information is used;
  4. Whether that personal information is shared. If the information is shared, then the Privacy Policy will need to state the categories of third parties with whom it is shared and why that information is shared with those third parties;
  5. Whether the personal information is sold. If the information is sold, then the Privacy Policy will need to state the categories of third parties to whom it is sold;
  6. Whether a financial incentive or a price or service difference is offered for not exercising privacy rights. If this is offered, then the Privacy Policy will need to disclose a description of the incentive or price or service difference as well as how individuals can opt in to or opt out of the program;
  7. A list of the privacy rights provided to consumers;
  8. How an individual can contact the business to exercise their privacy rights, including what information they will need to provide to confirm their identity and how to designate an authorized agent;
  9. How consumers can opt out of the sale of their personal information, the use of their personal information for targeted advertising, and the collection of their geolocation information;
  10. How an individual can appeal a decision that has been made in response to their privacy rights request;
  11. The possibility of transfers of personal information to different countries;
  12. The title and contact information of the person in charge of the personal information;
  13. How an individual can contact the business for questions.

It is important to note that the disclosures within your Privacy Policy will depend on what privacy laws apply to you, and that is why you must first determine the laws that apply to you.

In addition, you must ensure that your Privacy Policy has the proper disclosures before the effective date of the law; otherwise, you could be fined for non-compliance.

Lastly, your Privacy Policy must be accurate as to your actual business practices. It must accurately reflect what information you collect, what you do with that information, and who you share it with.

Step 4: Meet Ancillary Requirements

While the above is the “meat and potatoes” of the compliance requirements of privacy laws, there are other ancillary requirements that you must also meet to ensure that you comply:

  1. Establish an appeals system: Certain privacy laws give consumers the right to appeal a decision made in response to a privacy rights request. For example, if an individual contacts a business to ask it to delete their personal information and the business denies that request, the individual can appeal to the business to have that decision reviewed. To prepare for these laws, your business should have an appeals system in place where such appeals are forwarded to a staff member who can determine whether the initial decision was correct.
  2. Data protection assessments: Certain privacy laws require businesses to complete a data protection assessment before using personal information for targeted advertising, selling personal information, processing personal information for purposes of profiling, processing sensitive personal information, and any processing activities involving personal information that present a heightened risk of harm to consumers. If you engage in any such processing, you must identify and weigh the benefits of the processing against the potential risks to the rights provided to consumers, as mitigated by safeguards that can be employed to reduce such risks. It is important to conduct these assessments properly as they may be requested by the Attorney General of the state as part of an investigation.
  3. Duties: Certain privacy laws impose duties on the business, such as the duty of transparency (requirement to have a comprehensive Privacy Policy), duty of purpose specification (requirement to specify the express purposes for which the personal information will be used), duty of data minimization (you must not collect more personal information than you need), duty to avoid secondary use (you must not use personal information for a purpose that was not specified to the consumer), duty of care (you must take reasonable measures to secure personal information), duty to avoid unlawful discrimination (you must not use personal information in violation of state or federal laws that prohibit unlawful discrimination against consumers), and duty regarding sensitive data (you must not process a consumer’s sensitive personal information without first obtaining the consumer’s consent).

These steps will provide you with a good starting point for compliance with the new privacy laws that go into effect in 2023. However, they are not a substitute for the advice of your attorney, and you must stay vigilant to ensure that you meet compliance requirements throughout the upcoming years.

Happy 2023!


Privacy laws apply to businesses that collect personal information. Since no personal information is collected by the MainWP plugins, no privacy laws apply to the MainWP plugins. This includes GDPR, UK DPA 2018, PIPEDA, Australia Privacy Act 1988, LGPD, PIPL, and other privacy laws.
Donata Stroink-Skillrud
President of Agency Attorneys
