MWH Law Group

State Law Countdown: Are You Ready?

December 8, 2022

As you will likely already be aware, the California Privacy Rights Act (CPRA) becomes fully effective January 1, 2023, but that’s not the only US state with a privacy law coming into effect in 2023. Virginia’s Consumer Data Protection Act (VCDPA) also goes into effect January 1. The Colorado Privacy Act (CPA) becomes effective July 1, 2023, as does the Connecticut law (“An Act Concerning Personal Data Privacy and Online Monitoring,” which is too long to say; we’ll call it the Connecticut Privacy Law – CPL – for short). Utah’s Consumer Privacy Act (UCPA) becomes effective December 31, 2023.

Companies that have already been working to comply with the California Consumer Privacy Act (CCPA) – the CPRA’s predecessor law – will be better-positioned to comply with the new laws, but there are significant differences between them that will challenge even the most prepared. (Note that where necessary for clarity we will call the CCPA “the first law” and the CPRA “the second law.”) We’ve outlined three of the biggest below.

1. Employee and Business-to-Business Information

First, arguably the biggest issue for companies: the application of the California laws to information about people whom the organization employs or contacts in a contractual setting.

The first law addressed the rights of “consumers,” which the law defined as “a California resident.” It was quickly amended in 2018 to include a moratorium on the application of the law to information obtained in the course of the employee/employer relationship, or information acquired as a result of seeking or forming a contractual relationship (business-to-business or B2B), but that moratorium expires January 1, 2023, with CPRA.

Employees who are residents of California will now have the same rights as other California residents to request to know what information their employer has about them, to request to delete the information, to request to correct it, to request to limit sale or sharing of the information, etc. So will persons with business-to-business relationships with your organization. All the processes an organization has put into place to enable “consumers” to make rights requests will now need to be managed for employees and B2B relationships as well.

The other four state laws specifically limit the rights to persons acting in an individual or household context or exclude information gathered as a result of an employment relationship, thus avoiding this issue entirely.

2. For-Profit v. Not-for-Profit

While California, Virginia, Connecticut, and Utah all limit application of their laws to entities that “conduct business” (and California specifically states that it is directed at entities organized for the financial benefit of their owners), Colorado applies the CPA to entities that conduct business in Colorado or which “produce products or services that are targeted to the residents of the state.” This definition will cause the CPA to be applicable not just to for-profit entities but also to any non-profit entities that “produce” a good or service targeted to Coloradans. There are some exclusions under the Colorado law – for example, financial institutions subject to the Gramm-Leach-Bliley Act are exempt, so a credit union would still not be subject – but there are plenty of non-profit organizations that will be subject to this law and need to prepare.

3. Contracting Requirements

The laws all have slightly differing requirements regarding contracting, but generally, a business must have specific contractual terms with its third parties which dictate the purpose and use of the information. A data controller – the business that decides the purpose and means of processing personal information – is responsible for making sure that its third parties agree to and follow the contractual terms. It’s important to note that even if your organization never sees the personal information that is collected, you may still be a data controller, since your organization decided to have the third party collect and process it on your behalf. If that’s the case, then you must have the appropriate contractual provisions in your agreements with your third parties.



Kerry L. Childe, Special Counsel
735 N. Water St., Suite 610
Milwaukee, WI 53202
P: (414) 436-0353 / F: (414) 436-0354