State attorneys general will soon be at the helm of enforcing new consumer privacy rights for millions of Americans gaining more control over how companies collect and use their data in 2023.
Virginia, Colorado, Connecticut, and Utah are the first states beyond California to implement sweeping data privacy laws that will roll out next year. How they put their statutes into practice will test how attorneys general ensure business compliance, and provide lessons for other states looking to regulate consumer privacy in the absence of a federal law.
“It’s groundbreaking work and honestly, these rights are crucial,” said Michele Lucan, deputy associate attorney general and chief of the privacy section at the Connecticut Attorney General’s Office.
The four pending state laws are similar in structure and leave enforcement to attorneys general instead of allowing an individual to sue a company over alleged violations. Their implementation differs from California, which is the only state to create a new regulatory agency to oversee the expanded consumer privacy protections that come online next year.
Companies are watching to see how attorneys general in these four states interpret the new laws and apply provisions that allow businesses to fix compliance issues without penalty. The newness of state privacy laws leaves open questions about how they will work in practice, including ongoing rulemaking in Colorado.
Privacy advocates and industry are watching to see whether the laws change business behavior and how consumers react. Public perception could bolster, or diminish, traction for state privacy laws elsewhere, said Keir Lamont, senior counsel with the Future of Privacy Forum’s US legislation team.
Next year “can really be an inflection point” for consumer privacy, Lamont said.
Business Outreach
The Connecticut Attorney General’s Office is beefing up its staff before the state’s privacy law goes into effect July 1. The privacy section, which already has four full-time attorneys, will be adding two more attorneys and a legal investigator, Lucan said.
“This has become our main focus right now is making sure we’re ready to implement this law,” she said.
The office intends to reach out to businesses and consumers about the new law and could become aware of potential violations through consumer complaints and media reports, Lucan said. Companies have the right to cure fixable violations within 60 days through the end of 2024.
Utah hasn’t started formal plans to implement its consumer privacy law, which takes effect Dec. 31, 2023, Zach Whitney, communications director for the Utah Department of Commerce, said in an email. The department’s Division of Consumer Protection and the attorney general’s office both have roles in compliance and enforcement.
The law includes a 30-day “cure” period for businesses to fix violations. Utah worked with the business and tech communities to draft the privacy legislation and will continue to do so through implementation, Gov.
‘Ticky-Tack Fouls’
Virginia’s privacy law takes effect Jan. 1 and gives consumers the right to access their data and request its deletion, among other provisions. The attorney general must give a company 30 days to fix violations before pursuing action. The state attorney general’s office didn’t respond to multiple requests for comment.
In Colorado, rulemaking is underway ahead of the Colorado Privacy Act’s July 1 effective date. The goal is to “create rules that businesses can understand and follow,” Attorney General
“Our goal is not to create traps for the unwary and to engage in a game of finding footfalls,” Weiser said at a Ballard Spahr privacy summit.
Colorado will focus enforcement on companies that deliberately flout the law versus those that misunderstood the requirements, Weiser said. Companies will get 60 days to remedy fixable violations flagged by the attorney general or district attorneys until Jan. 1, 2025.
“We are going to work on sound enforcement that makes a distinction between flagrant fouls and ticky-tack fouls,” Weiser said.
The Colorado Attorney General’s Office declined to comment further while the rules are still being crafted.
To contact the reporter on this story:
To contact the editors responsible for this story:
To read more articles log in.
Learn more about a Bloomberg Law subscription.