state privacy policy

Businesses Must Make State Specific Privacy Policy Changes! 

The states of Colorado, Connecticut, Utah and Virginia recently enacted new state data privacy laws (and California passed significant revisions to its existing data privacy law) that require tailored-to-each-state privacy policy changes.  While the California Privacy Rights Act (“CPRA”) and Virginia Consumer Data Protection Act (“VCDPA”) went into effect on January 1, 2023, the Colorado Privacy Act (“CPA”) and Connecticut Data Privacy Act (“CDPA”) will go into effect on July 1, 2023, and the Utah Consumer Privacy Act (“UCPA”) will go into effect on December 31, 2023.   

While these state privacy laws contain several similar compliance requirements that overlap, there are also certain provisions that are unique to each statute.  Given the interplay of the five separate laws, it is essential that businesses that operate in these jurisdictions (and meet the consumer data thresholds) make all necessary state specific privacy policy changes to ensure compliance.   

What State Specific Privacy Policy Changes Should I Make so that It Complies with the New State Data Privacy Laws?

State Specific Privacy Policy Updates Necessitated by the Recent Wave of State Laws

Businesses that took the necessary steps to comply with the previously passed California Consumer Privacy Act (“CCPA”) will already be compliant with many of the requirements contained within the other state data privacy laws.  However, California’s update to the CCPA, as well as the laws passed by the four other states, will require significant additional state-specific privacy policy revisions even for those entities that already navigated the CCPA compliance process.  Below is a partial list of some of the required disclosures that businesses must include in their respective privacy policies in order to comply with the laws:

  • Businesses must disclose what categories and specific items of personal information are collected about consumers covered by the applicable consumer privacy laws; 
  • Businesses must disclose what sources they used to collect consumer personal information;
  • Businesses must disclose the categories of personal information that will be sold to/shared with third-parties, as well as the categories of third-parties with whom such personal information will be shared/sold to; and
  • Businesses must provide consumers with the opportunity to exercise various rights and preferences (including opt out rights in multiple contexts).

Liability Under State Consumer Privacy Laws 

Liability for violating these state privacy laws, including for having a non-compliant privacy policy, is significant, and may include private actions (for data breaches), as well as actions by state attorneys general.  Given the complexity involved in ensuring full compliance with five separate laws, it is essential that businesses consult with experienced counsel now to ensure that privacy policies are compliant.

If you require assistance in connection with consumer data privacy compliance for your business, please e-mail us at, or call us at (212) 246-0900.

The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney.  Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney. 

Attorney Advertising

Photo by Agence Olloweb on Unsplash

Similar blog posts:

Update On The CPRA Regulations

More Revisions To The Draft Rules Of The Colorado Privacy Act

The Latest On CPRA Regulations


David Klein

David Klein is one of the most recognized attorneys in the technology, Internet marketing, sweepstakes, and telecommunications fields. Skilled at counseling clients on a broad range of technology-related matters, David Klein has substantial experience in negotiating and drafting complex licensing, marketing and Internet agreements.

Trending Topics

data CIPA law Swigert law consumer protection data on cumputer screen

Swigart Law Group CIPA Demands

Readers of this blog likely know about the wave of consumer privacy litigation directed at online companies’ collection of consumer data. A litany of these

Read More »