Despite numerous proposals over the years, there is still no single comprehensive federal law governing data privacy in the U.S. The American Data Privacy and Protection Act (ADPPA) has made it further through the legislative process than any of its predecessors, but it still faces significant hurdles, and as of this writing it is uncertain whether it will clear them.
At the federal level, what exists instead is a complex patchwork of sector-specific and medium-specific laws and regulations covering telecommunications, health information, credit information, financial institutions, and marketing.
In the absence of federal consensus on how to legislate broadly, individual states have acted rather than wait. State lawmakers have been nudged by consumers, consumer advocates, and even companies to set their own rules, and the result is a rapidly growing body of state-level privacy legislation.
Of course, companies would rather comply with a single federal standard than hire attorneys and privacy professionals, invest in compliance tools, and establish a robust compliance program that covers all applicable state laws. But states see the lack of any data privacy protections as more damaging than overly complex data privacy protections.
California started the domino effect. While it’s true that only five states thus far (California, Colorado, Connecticut, Utah, and Virginia) have been able to pass a comprehensive law to date, many states are trying. Even if their early bills have failed in previous legislative sessions, they serve as a reference point for Republicans and Democrats to begin their amendment work before any deal can reach its final destination: the governor’s desk.
Here’s a breakdown of where things stand and what is expected in 2023.
California Privacy Rights Act (CPRA)
The most comprehensive state data privacy legislation to date is the California Privacy Rights Act (CPRA). The CPRA was passed by ballot initiative in November 2020 and amended California’s previous state privacy law, the California Consumer Privacy Act (CCPA). The CPRA became operative on January 1, 2023; because the implementing regulations were delayed, enforcement of its new provisions was scheduled to begin July 1, 2023.
The CPRA is cross-sector legislation that introduces important definitions and broad individual consumer rights and imposes substantial duties on entities or persons that collect personal information about or from a California resident. These duties include informing data subjects when and how data is collected; allowing them to opt-out of data collection; allowing them to access, correct, and delete such information; and restricting how businesses can transfer personal information to other entities.
Many of the above requirements were also included in the CCPA, but once the CPRA passed, the law was amended to include the following:
Right to rectification: This updates and adds to a consumer’s right to correct inaccurate personal information.
Right to restriction: This grants consumers the right to limit the use and disclosure of their sensitive personal information.
Sensitive personal information: This adds a new category of personal information. Certain types of information, like a consumer’s Social Security number, must be treated with special protections.
The CPRA also:
Tripled the fines for violations involving children’s data
Expanded the private right of action beyond breaches of unencrypted data to breaches of credentials (an email address in combination with a password or security question and answer) that could give access to a consumer’s account
Limited the time a company may retain a consumer’s information to what is necessary and “proportionate” to the purpose for which it was collected
Required companies that share data with third parties, contractors, and service providers to contractually bind those organizations to the same level of privacy protection the first party must provide
One of the most significant features of the CPRA is its enforcement. While state attorneys general typically handle privacy cases — unless the FTC is involved, and even then, it’s often a partnership — the CPRA establishes a new privacy regulator.
The California Privacy Protection Agency (CPPA) can fine violators, hold hearings about privacy violations, and issue regulations clarifying the law. It is governed by a five-member board, and it begins enforcing the CPRA’s new provisions on July 1, 2023, six months after the law became operative.
Virginia’s Consumer Data Protection Act (CDPA)
Virginia’s Consumer Data Protection Act (CDPA) was signed into law on March 2, 2021. It grants Virginia consumers certain rights over their data and requires companies covered by the law to follow rules on the data they collect, how it is processed and protected, and with whom it is shared.
The law contains some similarities to the EU General Data Protection Regulation’s (GDPR) provisions and the CPRA. It applies to entities that do business in Virginia or sell products and services targeted to Virginia residents and also meet one of the following:
Control or process the personal data of 100,000 or more consumers in a calendar year, or
Control or process the personal data of at least 25,000 consumers and derive over 50% of their gross revenue from the sale of personal data
The CDPA requires covered companies to obtain opt-in consent before processing sensitive data (non-sensitive data may be collected as long as the consumer is given notice), to disclose when personal data will be sold, and to let consumers opt out of targeted advertising, the sale of their personal data, and profiling. It also requires a clear and accessible privacy notice, data protection assessments for higher-risk processing, and contracts with processors, among other requirements.
The CDPA went into effect on January 1, 2023.
Colorado Privacy Act (CPA)
In July 2021, Colorado became the third U.S. state to pass a comprehensive privacy law. The Colorado Privacy Act grants Colorado residents rights over their data and places obligations on data controllers and processors. It contains some similarities to California’s CPRA, Virginia’s CDPA, and the EU’s GDPR.
While there are similarities, such as some form of a right to opt-out, special protections for sensitive data, and the adoption of some privacy-by-design principles, the significant differences are in the details.
The CPA applies to businesses that control or process the personal data of 100,000 or more Colorado residents in a calendar year, or that control or process the personal data of 25,000 or more Colorado residents and derive revenue (or receive a discount) from the sale of personal data.
The law lists five rights granted to Colorado residents once the law becomes effective on July 1, 2023. They are:
The right to opt-out of targeted ads, the sale of their personal data, or being profiled
The right to access the data a company has collected about them
The right to correct data that’s been collected about them
The right to request the data collected about them is deleted
The right to data portability (that is, the right to take your data and move it to another company)
There are 17 blanket exemptions within the law. Data exemptions include:
If the data was collected for Colorado health insurance law purposes
If the entity collecting the data or the data collected is already covered by certain sectoral laws, including COPPA or the Family Educational Rights and Privacy Act (FERPA)
If the data has been de-identified or pseudonymized
If the data is being maintained and used by a consumer reporting agency
If the data is being used for employment records purposes
Since the law goes into effect midway through 2023, businesses should expect the Colorado Attorney General’s implementing rules to be finalized in the first half of the year.
Utah Consumer Privacy Act
In March 2022, Utah became the fourth state to enact a comprehensive consumer privacy law, which will take effect on December 31, 2023. The Utah Consumer Privacy Act (UCPA) draws from the CDPA, CPA, and CPRA.
The law applies to data controllers and processors that do business in Utah or target Utah residents, have annual revenue of $25 million or more, and either:
Control or process the personal data of 100,000 or more consumers in a calendar year, or
Derive over 50% of their gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.
Similarly to the statutes in Colorado and Virginia, there are exemptions for certain types of personal data; however, they’re broader at both the entity and data levels.
The law does not apply to governmental entities or third parties acting on behalf of a governmental entity, tribes, institutions of higher education, nonprofit corporations, business associates, information that meets the definition of protected health information for HIPAA and related regulations, and more.
Financial institutions governed by the GLBA (the Gramm-Leach-Bliley Act) and information in the FCRA (Fair Credit Reporting Act) also aren’t subject to the UCPA. Data processed or maintained in the course of employment is also exempt.
Consumers have the right to:
Confirm whether a controller is processing their personal data, and access or delete the personal data they provided
Obtain a copy of their personal data in a portable, accessible format
Opt-out of processing of personal data for targeted advertising or sale
In contrast to the CDPA and CPA, the UCPA includes neither a right to opt out of profiling nor a right to correct inaccuracies in personal data.
Connecticut’s Data Privacy Law
Connecticut is the fifth and most recent state to adopt a comprehensive consumer privacy law. Senate Bill 6, “An Act Concerning Personal Data Privacy and Online Monitoring” (CTDPA), goes into effect July 1, 2023.
The law also draws from Virginia and Colorado’s statutes, with a few departures. It applies to businesses that, during the preceding calendar year:
Controlled or processed personal data of 100,000 or more Connecticut residents, excluding residents whose personal data is controlled or processed solely to complete a payment transaction; or
Controlled or processed the personal data of not less than 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.
The law is the first of the five to exclude personal data processed solely to complete a payment transaction from its applicability threshold; the carve-out is aimed at small businesses, such as restaurants, that handle personal data only to process payments. Consumers can opt out of the processing of their data for targeted advertising, sale to a third party, and profiling.
Until December 31, 2024, the Attorney General must give a business notice and a 60-day period to cure a violation before bringing an enforcement action.
New York SHIELD Act
In July 2019, New York passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. The law amends New York’s existing data breach notification statute and adds data security requirements for businesses that hold the private information of New York residents. Its breach notification changes took effect in October 2019, and its data security requirements took effect in March 2020, so the law has been fully enforceable since then.
The SHIELD Act broadened the definition of private information and the scope of what counts as a breach, giving New York residents better protection against breaches of their personal information. It requires any person or business that owns or licenses computerized data including the private information of a New York resident to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information.”
In 2022, the state Attorney General reached a $600,000 settlement with an organization that had failed to meet the Act’s minimum safeguards, a failure that led to a security breach and the exposure of personal information. While the law has not been amended recently, that settlement shows it is actively enforced.