States' long-awaited data privacy laws are going into effect
Starting this week, companies operating in Virginia and California are subject to a new set of data protection laws.
The big picture: After federal lawmakers failed (again) to pass a privacy law last year, companies face what they've always feared and lobbied against: a patchwork of state-level laws that dictate how they collect, store and share consumer data.
- Virginia's industry-backed privacy law went into effect on Jan. 1.
- This week, the California Privacy Rights Act also went into effect, introducing changes to 2018's California Consumer Privacy Act after a 2020 ballot initiative.
Why it matters: Virginia is now the second state, following California, to implement a state-level privacy law.
- Colorado and Connecticut will follow close behind this year with their own rules going into effect this July.
- Meanwhile, Utah's privacy law goes into effect on Dec. 31 this year.
Yes, but: Most industries, including the tech sector, have long argued that inconsistent state privacy laws place an undue burden on businesses, requiring them to establish different protocols for users in various states.
- Privacy advocates have supported strong national legislation but warned against nationwide standards that could undercut stronger state rules.
How it works: Each state has slightly different rules in its privacy laws.
- Only California allows residents to sue companies for data collection violations. Other states allow their attorney general's offices to impose maximum fines between $5,000 and $20,000 per violation.
- Utah's standards will apply to fewer businesses compared to those in California, Virginia and Colorado.
- In California, the amended privacy law established a new state-level agency to implement and enforce the law — differing from other states that leave regulatory responsibilities to the attorney general.
The intrigue: The impact of states' new privacy laws depends heavily on the regulatory muscle each state puts into the laws.
- Virginia has yet to post any information on its website about its law, as David Stauss, a partner at law firm Husch Blackwell LLP, noted in a Twitter thread over the weekend.
- Meanwhile, Colorado and Connecticut have each started rulemaking conversations and hiring additional attorneys ahead of their effective dates, Stauss added.
What's next: Expect state lawmakers to introduce a slew of privacy bills this month as their statehouses' 2023 sessions get started.
- The new Congress could also still pass a federal privacy law — but it's unclear how Republicans' newly won control of the House might change bipartisan negotiations.
Sign up for Axios’ cybersecurity newsletter Codebook here.