The Five State Laws in Effect in 2023

This chapter focuses on the five state comprehensive laws in effect in 2023: California, plus the CPA (Colorado), CTDPA (Connecticut), UCPA (Utah), and VCDPA (Virginia). California is broadest; Utah is the narrowest outlier.

This chapter covers the five laws in effect in 2023: California, plus the CPA (Colorado), CTDPA (Connecticut), UCPA (Utah), and VCDPA (Virginia). Because the acronyms are confusingly similar, the chapter refers to each by state name instead.

Virginia was the second state to enact a law and was initially touted as the pro-business approach, contrasted with California's more privacy-protective, GDPR-like framework. As more states passed laws, that distinction became muddied. The frameworks overlap so heavily that commentators speak of interoperability among them.

Relative breadth of the five laws
Grouping	Characterization
California	Broadest definitions; most GDPR-like; only state to regulate sharing and include employees
Colorado, Connecticut, Virginia	Similar frameworks; provide right to appeal and opt-in for sensitive data sale
Utah	Narrowest definition of business; fewest consumer rights; fewest business obligations

Relative breadth of the five laws

Grouping

Characterization

California

Broadest definitions; most GDPR-like; only state to regulate sharing and include employees

Colorado, Connecticut, Virginia

Similar frameworks; provide right to appeal and opt-in for sensitive data sale

Utah

Narrowest definition of business; fewest consumer rights; fewest business obligations

Key terms - quick answers

What is “CPA”?

The Colorado Privacy Act.

What is “CTDPA”?

The Connecticut Data Privacy Act.

What is “UCPA”?

The Utah Consumer Privacy Act, viewed as the narrowest of the five laws.

What is “VCDPA”?

The Virginia Consumer Data Protection Act, the second state comprehensive law and initially seen as the pro-business model.