The Weekly Breach Breakdown: Don’t Keep Your Comments to Yourself – A Look at the 2023 Privacy Laws by State

• The California Privacy Protection Agency released the regulations to make the new California Privacy Rights Act (CPRA) effective. Once the proposed rules are final, they will go to the California Office of Administrative Law (OAL) to approve or reject them.
• The CPRA is supposed to go into effect on January 1, 2023. However, expect a delay in the OAL’s decision, slowing down the enforcement of the new law.
• Looking at other privacy laws by state, Virginia also has a privacy law slated to take effect at the beginning of 2023. The other state laws that go into effect next year are Colorado and Connecticut on July 1, 2023, and Utah on December 31, 2023.
• Going into 2023, New Jersey, Michigan, Pennsylvania and Ohio already have state privacy bills filed. Twenty-two (22) other states considered state privacy laws in the last legislative cycle. Most of those bills will be refiled in some form.
• To learn about data compromises, consumers and businesses should visit the ITRC’s improved data breach tracking tool, notified.
• If you believe you are the victim of an identity crime, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website idtheftcenter.org.

Don’t Keep Your Comments to Yourself

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for November 4, 2022. Each week, we look at the most recent events and trends related to data security and privacy. This week, we talk about five state privacy laws as we move closer to the day when those laws go into effect in 2023. All of these privacy laws by state have similar, but not identical, requirements to give consumers more access and control over their personal information that businesses collect, use, share, sell or store.

New Regulations for California Privacy Rights Act

This week, the California Privacy Protection Agency released the regulations required to make the new California Privacy Rights Act effective. The law is supposed to go into effect on January 1, 2023. However, the Agency is required to take 15 days of comments before finalizing a draft of the rules. That comment period is open until November 21 – so don’t keep your comments to yourself.

The Next Steps for the California Privacy Rights Act

Once those proposed rules are stamped final, they go to a different state agency – the California Office of Administrative Law (the OAL) that will approve or reject the rules. Once approved, the rules can go into effect, and the Privacy Agency can begin to enforce the law. Simple math – and history – tells us that it is highly unlikely the OAL will get that done before 12:01 a.m. on January 1. Count on a delay in the enforcement of the new law.

The proposed rules have not been significantly modified since they were originally proposed. However, the Privacy Agency has debated several important issues along the way, not the least of which is how aggressive they want to be when enforcing the law. Especially since businesses may have little to no time to conform to the regulations before they become effective. You can learn more about and comment on the proposed privacy regulations at CPPA.ca.gov.

Other Privacy Laws by State in 2023

California is not the only state with a new privacy law that takes effect on January 1, 2023 – so does Virginia. Unlike California, where the law will be enforced by a newly created state agency, Virginia’s law will be enforced by the Commonwealth’s Attorney General (AG). The Virginia AG has not released information on how they intend to enforce the law.

The other state laws go into effect later in the year: Colorado and Connecticut on July 1, 2023, and Utah on December 31, 2023.

More State Privacy Laws Could Be on the Way

Next year will be busy for privacy debates as all state legislatures begin a new session. Four states – New Jersey, Michigan, Pennsylvania and Ohio – already have state privacy bills filed. Twenty-two (22) other states considered state privacy laws in the last legislative cycle. Most, if not all, of those bills will be refiled in some form. We will continue to watch the movement of the possible privacy laws by state.

Meanwhile, Congressional supporters of a bipartisan federal privacy law will have to start over in 2023.

Contact the ITRC

If you want to learn how to protect your personal or business information or think you have been the victim of an identity crime, visit our website www.idtheftcenter.org. You can also speak with an expert advisor on the phone (888.400.5530), chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PST). 

Be sure to listen to last month’s episode of our sister podcast, the Fraudian Slip, where we broke down the findings of our 2022 Business Impact Report, which looks at what happens when small businesses are victims of cyberattacks and data breaches. We will be back next week with another episode of the Weekly Breach Breakdown.