A photo taken on April 26, 2022, shows the sign outside a Google office in San Francisco, California.
(Justin Sullivan/Getty Images)


Five U.S. states will begin enforcing new EU-styled data privacy laws in 2023, which will create more stringent data requirements for companies operating in these states, posing financial and reputational risks for companies that fail to comply. California, Colorado, Connecticut, Utah and Virginia are all slated to enact changes to their data privacy legislation later in the year, and two of these states have already made the changes effective as of Jan. 1. These new laws integrate a number of modifications based on the European Union's General Data Protection Regulation (GDPR), a legal framework that pursues a "rights-based approach" to data protection and is arguably the most stringent data privacy legal framework in the world. These newly enacted and proposed state laws incorporate broader definitions for personally identifiable information (PII), stricter requirements regarding data collection and processing, and certain oversight assessments to ensure improved data security practices.

  • The European Union's GDPR is a legal framework that upholds data privacy protections for EU member states and citizens. It was first implemented in May 2018 and represents the most stringent data laws in the world, requiring extensive controls around how EU citizens' data is collected, processed and stored. The GDPR upholds seven basic principles surrounding personal data protection, including transparency, minimization, confidentiality and various data rights, including accessibility, erasure, rectification and portability. 
  • The California Privacy Rights Act (CPRA), which was first passed in November 2020 and became effective Jan. 1, amended past California legislation to create a number of individual rights modeled after the GDPR, including expanding employers' requirements for practices including data collection, data storage, data usage and data sharing. The new legislation also expands definitions for different types of PII that employers can collect and requires these employers to ensure that collected data upholds citizens' rights, including that their data is up to date, accurate and can be deleted upon their request.
  • The Virginia Consumer Data Privacy Act (VCDPA), which was first passed in March 2021 and also became effective Jan. 1, follows closely in line with these other states' expanded data rights modeled on the GDPR. The new legislation was altered to omit the right to data erasure, but allows users to opt out of certain data processing practices if they choose.
  • The Colorado Privacy Act (CPA), which was first passed in July 2021 and will become effective July 1, will also create expanded rights for individual data protection akin to the GDPR, including requiring certain data security provisions for vendors. 
  • The Connecticut Data Privacy Act (CDPA), which was first passed in May 2022 and will become effective July 1, will bolster a number of GDPR-modeled individual rights with an emphasis on data minimization, security and assessments for high-risk processing (defined as data processing that involves new technologies or AI, genetic or biometric data, large scale processing, or combinations of data from different data sources). 
  • The Utah Consumer Privacy Act (UCPA), which was first passed in March 2022 and will become effective Dec. 31, will similarly require GDPR-styled individual rights and data security and contract provisions, but will not expressly require risk assessments. 

The push by these states to enhance data protection is in response to the U.S. federal government's lack of a comprehensive federal data privacy law and continued allegations of data misuse by U.S. corporations. While there are some federal data laws pertaining to specific sectors and critical infrastructure, the U.S. government does not have a comprehensive federal data privacy law, despite various efforts by lawmakers to reach a bipartisan consensus on a legal framework. In the absence of a federal mandate, U.S. states have been responsible for their own data laws, and the vast majority of U.S. states similarly do not have a comprehensive data privacy legal framework. It was only in 2018 that California set the precedent with the California Consumer Privacy Act (CCPA), which California's new CPRA has recently amended and on which these other states based their own new legislation. The lack of clear data regulation requirements in the United States has historically given companies excessive leeway in their data collection practices, a trend that also contributed to recent efforts by some U.S. states to enforce better data protections for their citizens. In the last year alone, a number of state governments sued U.S. companies, alleging various examples of misusing data or implementing insufficient data protection measures for their clients and users.

  • In February 2022, Texas Attorney General Ken Paxton filed a lawsuit against Facebook's parent company, Meta, over allegations that the tech company was collecting Texans' facial recognition information without their informed consent. Later, in October 2022, Paxton's office filed another privacy lawsuit against Google, accusing the company of similarly collecting Texans' facial and voice recognition information without their explicit consent. Both lawsuits remain ongoing. 
  • In November 2022, Google agreed to a record $391.5 million privacy settlement with 40 U.S. states under the charge that the company misled users into thinking they had turned off location tracking in their settings even while Google continued to collect data from them. The settlement was the largest internet privacy settlement by U.S. states and will also require Google to make its location tracking disclosures clearer in 2023.

More U.S. states will likely also pursue revised legislation to bolster data protection practices, expanding compliance requirements for companies operating in these states and potentially exposing companies to heightened legal, regulatory and compliance risks. Legislatures in several U.S. states — including Michigan, New Jersey, Ohio and Pennsylvania — are also considering data privacy bills that were all first proposed in either 2021 or 2022. While such efforts will likely bolster data protection practices in the long term, they will also probably pose significant legal, regulatory and compliance challenges to companies operating in those states. The many domestic and foreign companies that operate across various U.S. states will likely struggle to keep up with the varying timelines and data privacy provisions of each state law. The laws that California, Colorado, Connecticut, Utah and Virginia will begin enforcing in 2023 — along with those being considered in Michigan, New Jersey, Ohio and Pennsylvania — are all relatively consistent in their approach to incorporating GDPR-styled language. Some, however, include certain nuances based on local political will that will further complicate compliance efforts. Many companies, especially smaller companies or those with fewer resources, may inadvertently expose themselves to financial and reputational risks if they are fined or penalized by these states for violating the new legislation. Additionally, many of these states' new data privacy laws pertain to only certain organizations exceeding specific thresholds, making it all the more difficult for companies to discern their legal and regulatory obligations. Bipartisan support in Congress for either a federal data breach notification law or a framework similar to the GDPR will likely also increase over the next year amid growing concerns about malicious cyber activity targeting databases in both the public and private sectors. 
Importantly, however, continued divides between Democrats and Republicans in Washington, along with political infighting on both sides of the aisle, will likely impede such efforts to pass or enact national data privacy policies in the short term. As a whole, the shifting regulatory landscape for data protection in the United States will create an additional layer of complexity for companies in their data compliance efforts throughout 2023. 

  • Some of these states' new legal provisions (including those that address data processing) only apply to certain companies that reach preset thresholds, such as processing the data of a certain number of residents. Because of these specificities, smaller companies may not be impacted. But the nuance of each state's requirements will nevertheless require a high level of awareness by all companies operating in these states.
  • Some states altered language in their bills on the basis of state-level pushback. For example, in 2022, Virginia tweaked its VCDPA bill to replace the "right to delete" with the right to opt out of certain processing. While this is only a slight variation from other states' provisions, such small differences will still create more legal headaches and compliance challenges for companies.