|
California Privacy Rights Act (CPRA) |
Colorado Privacy Act (CPA) |
Virginia Consumer Data Protection Act (VCDPA) |
Utah Consumer Privacy Act (UCPA) |
Connecticut Act Concerning Personal Data Privacy (CPDP) |
Effective Date |
January 1, 2023 |
July 1, 2023 |
January 1, 2023 |
December 31, 2023 |
July 1, 2023 |
Thresholds to Applicability |
Conducts business in CA,
Determines the purposes and means of processing personal info. of CA residents, and
Meets one of the following thresholds:
>$25 million in annual revenue in the preceding year,
Buys/sells personal info. of > 100K consumers or households, or
Earns > 50% of annual revenue from selling or sharing personal info.
|
Conducts business in CO or targets products or services to CO residents, and
Meets either of these thresholds:
Processes personal data of > 100K consumers in a year; or
Earns revenue or receives a discount from selling personal data and processes personal data of >25K consumers.
|
Conducts business in VA or targets products or services to VA residents; and
Meets either of these thresholds:
Processes personal data of > 100K consumers; or
Processes personal data of >25K consumers and derives >50% of gross revenue from the sale of personal data.
|
Conduct business in Utah or target products or services to Utah residents,
Have more than $25 million in annual revenue, and
Either:
During a calendar year processes personal data of >100K consumers, or
Process personal data of > 25K consumers and derive > 50% of revenue from the sale of personal data.
|
Produce products or services that are targeted to CT residents, and
In the preceding year:
Process personal data of >100K consumers (excluding payment transaction data), or
Process personal data of > 25K consumers and derive > 25% of revenue from the sale of personal data.
|
Sales |
Right to opt-out of the sale of personal information.
Opt-in consent required to “sell” personal information of minors under age 16.
|
Right to opt-out of the sale of personal data. |
Right to opt-out of the sale of personal data. The definition of a “sale” requires monetary consideration. |
Right to opt-out of the sale of personal data. The definition of a “sale” requires monetary consideration. |
Right to opt-out of the sale of personal data.
Opt-in consent required to “sell” personal data of minors 13 to 16.
|
Targeted Advertising |
Right to opt-out of the “sharing” of personal information for purposes of cross-context behavioral advertising.
Opt-in consent required to “share” personal information of minors under age 16.
|
Right to opt-out of targeted advertising |
Right to opt-out of targeted advertising |
Right to opt-out of targeted advertising |
Right to opt-out of targeted advertising
Opt-in consent required for processing personal data of minors 13 to 16 for targeted advertising.
|
Global Privacy Control |
Yes (optional subject to regulatory process) |
Yes, required by July 1, 2024. |
No |
No |
Yes, required by Jan. 1, 2025. |
Sensitive Data |
Right to limit the use and disclosure of sensitive personal information. |
Consent to process sensitive data. |
Consent to process sensitive data. |
Provide notice and an opportunity to opt out of processing of sensitive data. |
Consent to process sensitive data. |
Profiling |
Pending regulations |
Right to opt-out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer. |
Right to opt-out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. |
N/A |
Right to opt-out of profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer. |
Minor & Children’s Data |
Opt-in consent required to “sell” or “share” personal information of minors under age 16. |
COPPA exception; obtain parental consent to process personal data concerning a known child. |
Process sensitive data of a known child in accordance with COPPA. |
Process personal data of a known child in accordance with COPPA. |
Process sensitive data of a known child in accordance with COPPA.
Consent to sell personal data of minors 13 to 16 or process their personal data for targeted advertising.
|
Consumer Rights |
Access, Deletion, Correction, Portability |
Access, Portability, Deletion, Correction |
Access, Portability, Deletion, Correction |
Access, Portability, and Deletion |
Access, Deletion, Correction, Portability |
Authorized Agents |
Permitted for all consumer rights requests |
Permitted for opt-out requests |
N/A |
N/A |
Permitted for opt-out requests |
Appeals |
N/A |
Must create process for consumers to appeal refusal to act on consumer rights |
Must create process for consumers to appeal refusal to act on consumer rights |
N/A |
Must create process for consumers to appeal refusal to act on consumer rights |
Private Right of Action |
Yes, for security breaches involving certain types of sensitive personal information |
No |
No |
No |
No |
Cure Period |
30-day cure period is repealed as of Jan. 1, 2023. |
60 days until provision expires on Jan. 1, 2025. |
30 days |
30 days |
60 days until provision expires on Dec. 31, 2024.
Starting Jan. 1, 2025, AG may grant the opportunity to cure.
|
Data Protection Assessments |
Annual cybersecurity audit and risk assessment requirements to be determined through regulations. |
Required for targeted advertising, sale, sensitive data, certain profiling. |
Required for targeted advertising, sale, sensitive data, certain profiling. |
N/A |
Requires for targeting advertising, sale, sensitive data, certain profiling. |