2023 Data Security Incident Response Report Get the Full Report

State Privacy and Data Collection Legislative Update

Share this chapter

In 2022, companies prepared for three new privacy rights to take effect January 1, 2023, under the amended CCPA.

The Right to Opt Out of Sharing

The amended CCPA includes a new defined term — “sharing” — and provides consumers the right to opt out of sharing. The term “sharing” was added to address arguments that behavioral advertising is not a sale. Sharing means “disclosing… a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration….” “Cross-context behavioral advertising” means targeting of advertising to a consumer based on the consumer’s personal information obtained from their activity across businesses, different websites, applications, or services, other than the business, with which the consumer intentionally interacts. There are two key components to the definition of sharing: (1) The explicit language that sharing, unlike selling, does not require any consideration, and (2) the purpose for the transfer must be cross-context behavioral advertising.

Businesses that engage in sharing are required to provide a link on their websites titled, “Do Not Sell or Share my Personal Information,” which must immediately effectuate the consumer’s right to opt out of sales/sharing or direct them to where they can learn more about the right and make that choice. Businesses must provide two or more designated ways for consumers to submit a request to opt out of the sales/sharing of their personal information to third parties for cross-context behavioral advertising. Usually, this is effectuated through a cookie preference center and/or a request form that consumers can access by clicking on the “Do Not Sell or Share my Personal Information” link but must also be recognized via an opt-out preference signal. Lastly, access and transparency obligations apply to shared personal information as if it was sold personal information.

The Right to Correction

The amended CCPA provides a new right for consumers to request that a business correct personal information that it maintains about the consumer. The right is similar to what exists under the GDPR and also exists under the new 2023 privacy laws in Virginia, Colorado, Connecticut, and Utah. When a business receives a request to correct, they need to consider the nature of the personal information and the purposes for processing it. Businesses must disclose to consumers that this right exists and must use commercially reasonable efforts to fulfill verifiable requests.

The Right to Limit Use and Disclosure of Sensitive Personal Information

The amended CCPA provides a new defined term of “sensitive personal information” and imposes new obligations on businesses processing sensitive personal information, which now includes:

  • Social Security, driver’s license, state identification card, or passport numbers;
  • Account log-in, financial account, debit card, or credit card numbers in combination with any required security or access code, password, or credentials allowing access to an account;
  • Precise geolocation (radius ≤ 1,850 ft.);
  • Racial or ethnic origin, religious or philosophical beliefs, or union membership;
  • The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication;
  • Genetic data;
  • Biometric information processed for the purpose of uniquely identifying a consumer;
  • Personal information collected and analyzed concerning a consumer’s health; and
  • Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.

The amended CCPA provides consumers the right to request that a business limit the use and disclosure of their sensitive personal information. Specifically, a consumer can direct a business to use sensitive personal information only for purposes necessary to perform the service or provide the goods requested or as set forth in 1798.140(e)(2)(4)(5), and (8). Businesses that process sensitive personal information for purposes that are not necessary to perform the service or provide the goods requested or as set forth in 1798.140(e)(2)(4)(5), and (8) will be required to provide a link on their homepage(s) titled, “Limit the Use of My Sensitive Personal Information.”

Four More State Privacy Laws Take Effect in 2023

In 2022, companies began preparing for four new comprehensive privacy laws in Virginia (effective January 1, 2023), Colorado (effective July 1, 2023), Connecticut (effective July 1, 2023), and Utah (effective December 31, 2023). Inspired primarily by the CCPA and the GDPR, these laws extend data privacy rights to consumers in their respective states, including the right to access, right to delete, right to correct, and right to opt out of targeted advertising. Although all four laws – and the CCPA – appear to share common goals of consumer protection, greater transparency, increased control over personal data and limiting targeted advertising, there are significant differences among each of these laws related to the right to opt out of profiling, recognition of automated browser signals, and Data Protection Impact Assessments (DPIAs).


January 1, 2023


July 1, 2023


July 1, 2023


December 31, 2023

California’s Age-Appropriate Design Code Act

On September 15, 2022, Gov. Gavin Newsom signed into law the California Age-Appropriate Design Code Act (AADC), which will take effect on July 1, 2024. Inspired by (though not identical to) a similar law in the United Kingdom, the AADC seeks to promote online safety and privacy for children under 18 years of age. Covered businesses will be required to complete a DPIA and may need to make changes to their online services and products.

The AADC applies to any business that meets the revenue or data-collection thresholds created by the CCPA and that “provides an online service, product[ ] or feature likely to be accessed by children.” The act covers not only services directed to children but also general-audience websites, apps, and online services that are routinely accessed by a significant number of children, have a “significant amount” of child users, are “substantially similar” to services known to be accessed by children, advertise to children, or have design elements known to be of interest to children.

Although the AADC does not include a private right of action, civil penalties are stiff – up to $2,500 per affected child for each negligent violation and up to $7,500 per affected child for each intentional violation. Although there is a 90-day right-to-cure provision, the Attorney General may demand a list of all DPIAs completed by a business within three business days and copies of all DPIAs within five business days.

The AADC is currently subject to a legal challenge by a consortium of online businesses alleging that it improperly restrains free speech, among other issues.