Modern data privacy laws such as the GDPR and CCPA arose from the need for more robust governance of digital data across varied channels and scenarios. In the United States, there are hundreds of federal and state laws, including several proposed and enacted privacy bills, to protect individuals' data privacy. US data protection laws, spanning the nation's 50 states and territories, govern the collection, storage, processing, and disposal of personally identifiable information (PII). They obligate organizations to comply with prevailing data privacy standards for the handling of personal information.
This article provides businesses with a comprehensive overview of the significant laws and regulations governing data privacy in nine states of the United States, thereby illuminating the legislative landscape in this area.
Use the links below to jump directly to the section on each data privacy law.
- California Privacy Rights Act (CPRA)
- New York Privacy Act (NYPA)
- Colorado Privacy Act (CPA)
- Connecticut Personal Data Privacy & Online Monitoring Act 2022
- Nevada Privacy Law
- Maine Privacy Law
- Virginia Consumer Data Protection Act (VCDPA)
- Utah Consumer Privacy Act (UCPA)
- Washington Biometric Privacy Law
US Data Privacy Laws: An Overview
Notably, there is no single, predominant US federal privacy law to protect data privacy, but there are nearly 20 sector-specific laws focused on industries such as finance, healthcare, and telecom. These sectoral laws, such as the US Privacy Act of 1974, HIPAA, COPPA (the Children's Online Privacy Protection Act), GLBA, and SOX, have specific provisions for handling different types of personal data, such as personal health information, credit reports, and children's information. In addition, the country has over 100 state-level data privacy laws, including several privacy-focused laws in California alone. Prominent US data protection laws include the California Privacy Rights Act (CPRA), the New York SHIELD Act, the New York Privacy Act, the Nevada Privacy Law, and the Maine Privacy Law.
At the federal level, the US Federal Trade Commission (FTC) oversees the enforcement of these data protection laws, but there is no overarching federal law to ensure compliance with privacy regulations in the US. Therefore, the majority of data privacy regulation in the US rests on state-level laws. Because these laws contain conflicting or incompatible provisions, businesses might find it challenging to understand their obligations clearly. For instance, data breach notification is a standard provision in US data privacy laws, but the definitions of personal data and data breach vary. Data destruction or deletion standards also vary, although a majority of data privacy laws compel organizations to destroy personal data on request.
Data Privacy Regulations in the US:
The following are some of the prominent data privacy laws in the United States:
1. California Privacy Rights Act (CPRA)
The California Privacy Rights Act (CPRA) of 2020, or Proposition 24, is an amendment to the California Consumer Privacy Act (CCPA). This Act not only extends consumer privacy rights and business obligations but also establishes the first dedicated privacy regulator in the United States: the California Privacy Protection Agency (CPPA). The CPRA grants California residents greater control over their personal data collected by businesses, and it imposes increased responsibilities on organizations operating within California for managing and safeguarding such data. The CPPA, alongside the California Attorney General, has a vital mission: enforcing the CPRA, setting strict rules, and educating the public on privacy issues.
Additionally, the CPPA has a dual role: implementing and enforcing the law, and educating the public about their rights and obligations under it.
Key Provisions
- Right to Information at Collection: Businesses must inform consumers at or before the point of personal information collection about the categories of information they collect and the purposes for which they use it.
- Right to Know: Consumers have the right to request a business, free of charge and up to twice a year, to disclose the following: the categories and specific details of personal information collected about them, the sources of this information, its usage purposes, the categories of third parties with whom the information is shared, and the categories of information that are sold or disclosed to third parties.
- Right to Delete Personal Information: A consumer has the right to request the deletion of their personal information collected by businesses. Consumers can initiate this request through various methods, such as a mandatory toll-free number. Once a request is generated, businesses are obligated to respond within 45 calendar days, with the possibility of a one-time extension. Upon deletion, the CPRA requires businesses to inform their service providers, contractors, and third parties about the consumer's request.
- Right to Correct Inaccurate Personal Information: Businesses must understand and implement the "right to correct," which allows consumers to request corrections to their inaccurate personal information. Consumers need to submit a verifiable request, providing enough details for businesses to confirm their identity. Businesses should clearly instruct how to submit these requests and use reasonable methods to verify consumer identity, considering the data's sensitivity and the risk of unauthorized access or correction. Properly handling these requests is key for regulatory compliance and maintaining consumer trust.
- Right to Opt-Out of Sale or Sharing of Personal Information: Under the CPRA, businesses are required to comply with consumer requests to cease selling or sharing personal information, particularly for cross-context behavioral advertising. Following an opt-out request, businesses cannot resume selling or sharing the consumer's data without subsequent authorization. Furthermore, businesses must observe a mandatory 12-month waiting period before inviting consumers to opt back into the sale or sharing of their personal information.
- Right to Limit: Businesses must be aware that consumers have the right to limit the use and disclosure of their sensitive personal information. This includes data such as bank account details, geolocation data, or genetic information. Consumers can restrict businesses from using or sharing this information for purposes not essential to the provision of the requested goods or services.
The CPRA stipulates the methods for deletion, which include:
- Permanently and completely erasing personal information from existing systems, excluding archived or backup systems.
- De-identifying the personal information.
- Aggregating consumer information.
However, the CPRA also outlines exceptions to this deletion obligation. These include circumstances like legal compliance, research purposes, and protecting free speech rights, as long as the use of the information is compatible with the context in which it was originally provided. Notably, the CPRA does not specifically address the deletion of data from archived or backup systems.
Applicability
The CPRA applies to businesses handling the personal information of more than 100,000 consumers or households or those deriving a significant portion of revenue from sharing personal information. It also includes specific provisions for minors and sensitive personal information.
Penalties Implication
The California Privacy Protection Agency, replacing the California Office of Attorney General, will enforce the CPRA. Penalties include:
- Standard Violation: Up to $2,500 per violation.
- Intentional Violation or Involving Minors: Up to $7,500 per violation.
- Adjustments: Penalties can be adjusted as per specific legal provisions.
- Good Faith Consideration: The court may reduce penalties considering the violator's cooperation.
- Allocation of Recovered Penalties: Recovered penalties are deposited in the Consumer Privacy Fund.
- Double Penalties Prohibited: For the same violation, a business does not need to pay both an administrative fine and a civil penalty.
2. New York Privacy Act (NYPA)
The New York Privacy Act is among the latest data privacy laws in the US, which will guarantee every New York resident the right to access, control, and erase the personal data collected from them. The NY State Senate Bill S5642 obligates companies that collect information on New York residents to disclose their methods of de-identifying personal data.
Key Provisions
- Section 1102 (Article 42) of the New York Privacy Act: It mandates that companies acquire the express and documented consent of consumers before sharing or selling their personal data.
- Section 110: It obligates companies to notify consumers of their rights. It also obligates them to allow customers the right to opt in or opt out.
- Section 1106: It mandates that companies must maintain the required oversight to ensure compliance concerning de-identified data.
- Right to Deletion: Businesses and enterprises should be aware that under the New York Privacy Act (NYPA), they, as controllers, are required to erase a consumer's personal data upon request within 45 days. However, there are exceptions to this rule. Personal data may be retained when necessary for freedom of speech, legal obligations, public interest tasks, public health, research, archiving, or legal claims defense.
Applicability
The New York Privacy Act governs legal entities, including individuals and companies, conducting business in New York State or purposefully offering products or services to residents of New York.
Penalties Implication
The statute stipulates civil penalties and damages, calculated based on the number of impacted individuals, the severity of the violation, and the company's size and revenue. Civil penalties are set up to $15,000 per violation under the Act.
3. Colorado Privacy Act (CPA)
The Colorado Privacy Act (CPA) was passed in 2021 and enacted in July 2023. It aims to give Colorado residents control over their information when businesses within the state collect it. This law shares similarities with California's Consumer Privacy Act (CCPA). It empowers the residents and grants them the right to access, correct, delete, and control how their personal information is used.
Key Provisions
The Colorado Privacy Act grants the following rights to Colorado residents:
- Right to Access: Individuals have the right to request a copy of the personal data a business has collected about them, as well as information about how that data is used and shared.
- Right to Correct: Individuals can request that businesses correct any inaccurate or incomplete personal information they have collected.
- Right to Delete: Individuals have the right to request that businesses delete their personal data when the data is no longer necessary for the purposes for which it was collected or when the individual withdraws their consent.
- Right to Opt-Out: For targeted advertising or certain profiling purposes, individuals have the right to opt out of the sale of their personal data.
- Right to Data Portability: Individuals can request a copy of their personal data in any portable format (PDF, CSV, etc.) that can be easily transferred to another business.
Applicability
The Colorado Privacy Act applies to businesses that meet at least one of the following criteria:
- Control or process the personal data of at least 100,000 Colorado residents per year.
- Derive revenue or receive a discount on goods or services from the sale of personal data, and control or process the personal data of at least 25,000 consumers.
Penalties Implication
Colorado's local and district attorneys are entrusted with enforcing the CPA. Non-compliance with the CPA is considered a deceptive trade practice under Colorado law, and penalties can reach up to $2,000 per violation per consumer, with a maximum penalty cap of $500,000.
4. Connecticut Personal Data Privacy & Online Monitoring Act 2022
Passed in 2022 and implemented from July 1, 2023, the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) is a new law that aims to keep the personal information and online activities of people living in Connecticut safe and private.
Key Provisions
- Right to Request Information: Consumers have the right to inquire if a company is processing their data. For example, a Connecticut resident could ask an online retailer whether the retailer is collecting and analyzing their shopping habits.
- Right to Opt-Out: This allows consumers to refuse the processing of their data for certain purposes. For instance, a user could opt out of targeted advertising, preventing a social media platform from using their browsing history to tailor ads.
- Right to Obtain Portable Copies: Consumers can get a copy of their data in a transferable format. For example, a person might request a downloadable file of their user data from a cloud storage service.
- Right to Request Corrections: This right lets consumers correct inaccuracies in their data. For instance, if a credit reporting agency has incorrect personal information, a consumer can request that this information be corrected.
Applicability
The Act applies to entities that either conduct business within Connecticut or provide products or services specifically to Connecticut residents, and that, in the preceding year, either:
- Controlled or processed the personal data of 100,000 or more consumers, not counting data processed solely for completing payment transactions; or
- Controlled or processed the personal data of at least 25,000 consumers and derived over 25% of their gross revenue from selling personal data.
Penalties Implication
Under the Connecticut Data Privacy Act (CTDPA), the Connecticut Attorney General can enforce penalties, issuing fines up to $5,000 per violation and ordering restitution or disgorgement of illegal profits. Initially, from July 1, 2023, to December 31, 2024, violators will receive a notice and have 60 days to rectify the issue. Additionally, starting in 2025, businesses must allow consumers to opt out of targeted advertising or data sales through mechanisms like Global Privacy Control.
5. Nevada Privacy Law
The Nevada privacy law, officially known as Nevada Revised Statutes Chapter 603A, governs the collection of personally identifiable information (PII) by websites. The law obligates businesses whose websites collect PII to publish a privacy policy with explicit disclosures. The Nevada privacy law defines the following information as PII when combined with a natural person's first name or initial and last name:
- Social Security number
- Driver's license number
- Account number
- Health insurance identification number
- Email address or other unique identifiers with password
- Credit or debit card details with a password or access code
Key Provisions
- NRS 603A.200 Destruction of certain records: Businesses must securely dispose of records containing personally identifiable information (PII) when these records are no longer required. The law specifies that the destruction method must render the data unreadable or undecipherable, for example through shredding or erasing. This applies to all types of businesses operating in Nevada and is crucial for protecting customer privacy and maintaining data security.
- NRS 603A.210 Security measures: All entities handling data, including retail operators, higher education institutions, government agencies, corporations, and financial institutions, must maintain reasonable measures to secure the personal data and personally identifiable information (PII) of customers.
- NRS 603A.220 Disclosure of breach: Upon a security breach, the data collector must promptly disclose the occurrence and notify Nevada residents potentially affected, particularly those with unencrypted personal data at risk.
Applicability
The Nevada privacy law is applicable to all individuals and organizations owning or operating a business website, as well as those collecting and maintaining personal data of Nevada residents.
Penalties Implication
The Nevada privacy law includes provisions for civil action, restitution, injunctions, and a civil penalty of up to $5,000 per violation.
6. Maine Privacy Law
The Maine Privacy Law 2020 focuses on protecting the personal information of customers in Maine who use or have used broadband Internet access services. It defines the following as customer personal information:
- PII such as name, billing information, social security number, etc.
- Web browsing and application usage history
- Geolocation data
- Financial and health information
- Information about a customer's children
- Device details
- IP address
Key Provisions
- Customer consent: The law forbids broadband Internet service providers from using, sharing, selling, or giving access to personal data without the clear permission of the customer.
- Security of personal information: Under Maine's privacy law, providers are required to implement reasonable steps to protect customer personal data from breach or unauthorized access.
- Notification: The provider must inform customers about the provider's obligations and the customers' rights, utilizing point-of-sale mediums and a publicly accessible website for these notifications.
Applicability
Maine's privacy law is applicable to all broadband Internet access service providers catering to customers who are physically located and billed within the state.
Penalties Implication
Maine's Privacy Law does not specify the exact penalty for non-compliance. Currently, cases of non-compliance and private rights of action are decided by the courts.
7. Virginia Consumer Data Protection Act (VCDPA)
The VCDPA was legislated to establish a comprehensive framework for the protection of the personal data of Virginia residents. This Act, effective as of January 1, 2023, delineates the rights afforded to consumers and the duties imposed on businesses in relation to the handling of personal data.
Key Provisions
- Right of Access: The Act confers upon consumers the right to ascertain whether a business entity processes their personal data and to request detailed information regarding such usage.
- Right to Rectification: Consumers are entitled to seek rectification of any inaccuracies in their personal data maintained by business entities.
- Right of Erasure: The Act permits consumers to demand the deletion of their personal data under specified conditions.
- Right to Data Portability: Consumers have the prerogative to obtain copies of their personal data from business entities.
- Right to Opt-out: Consumers are empowered to prohibit the use of their data for purposes such as targeted advertising, the sale of data, or extensive profiling.
Obligations of Business Entities
- Disclosure Requirements: Businesses must provide transparent notices regarding the collection, use, and sharing of consumer data. This includes securing consent to process sensitive data and explaining opt-out options for targeted advertising and data sales.
- Data Security Mandates: Business entities must implement reasonable safeguards to protect consumer data from unauthorized access, usage, or disclosure.
- Data Protection Impact Assessments: Businesses must evaluate the privacy risks associated with activities like targeted advertising and profiling.
- Compliance with Consumer Requests: Businesses are required to provide consumers with a clear, accessible privacy notice and must respond to consumer data requests within 45 days (extendable by an additional 45 days). If a business declines a consumer's request, it must justify the decision and provide clear instructions for appealing it. Appeals must be addressed within 60 days, and if an appeal is denied, businesses must offer a mechanism for consumers to contact the Attorney General with a complaint.
Important Note: The Virginia Consumer Data Protection Act (VCDPA) differs from other data privacy laws like the CCPA and CPRA, particularly in its terminology. It refers to 'personal data rights' instead of 'consumer rights.' The VCDPA emphasizes 'purpose limitation' and 'data minimization,' meaning companies can only hold necessary data for specific purposes and for a limited time.
Applicability
The VCDPA applies to business entities that engage in commercial activities within Virginia and satisfy either of the following criteria:
- Manage or process the personal data of no fewer than 100,000 consumers or
- Generate over fifty percent of gross revenue from the sale of personal data and manage or process the personal data of at least 25,000 consumers.
Penalties Implication
Non-compliance with the VCDPA may result in civil penalties of up to $7,500 per violation. Aggravated breaches or recurrent non-compliance may attract heightened financial penalties. The Attorney General of Virginia is vested with the authority to investigate and enforce the provisions of the VCDPA.
8. Utah Consumer Privacy Act (UCPA)
The Utah Consumer Privacy Act (UCPA) is a legislative measure enacted to regulate the processing of personal data of Utah residents. This Act, set to come into force on December 31, 2023, confers specific rights on consumers and imposes corresponding duties on businesses about the handling of personal data.
Key Provisions
- Right of Access: The Act enables consumers to verify if a business entity retains their personal data and to request detailed information on its utilization.
- Right to Rectification: Consumers possess the right to request the correction of inaccuracies in their data.
- Right of Erasure: Under stipulated conditions, consumers can request the deletion of their personal data.
- Right to Data Portability: Consumers are entitled to receive a portable copy of their data from businesses.
- Right to Opt-out: The Act allows consumers to prevent their data from being used for targeted advertising or sale.
Responsibilities of Businesses
- Notice Requirements: Businesses are required to transparently disclose their practices of collection, use, and sharing of consumer data. This includes securing consent for the processing of sensitive data and clearly explaining opt-out mechanisms.
- Data Security Obligations: Businesses must implement reasonable measures to safeguard consumer data from unauthorized access, theft, use, or disclosure.
- Compliance with Consumer Requests: Businesses are obligated to promptly comply with consumer requests in exercising their rights under the UCPA.
- Data Protection Impact Assessments: Businesses are mandated to conduct assessments to determine the privacy risks associated with targeted advertising and profiling.
Applicability
The UCPA is applicable to businesses that engage in commercial activities in Utah and meet one of the following thresholds:
- Manage or process the personal data of at least 100,000 consumers or
- Make more than half of their total income from selling personal data and handle or deal with the personal data of at least 25,000 consumers.
Penalties Implication
Violations of the UCPA may incur civil penalties of up to $7,500 per violation, with the potential for escalated fines for aggravated breaches or recurrent violations. The Attorney General of Utah holds the authority to investigate and enforce the UCPA's provisions.
9. Washington Biometric Privacy Law
The Washington Biometric Privacy Law, officially known as House Bill 1493 ("H.B.1493"), was enacted in 2017 to govern how individuals and non-government organizations collect, use, and store "biometric identifiers" of Washington citizens. The law defines biometric identifiers as the data generated by automatic measurements of a person's biological traits like fingerprints, eye retinas, voiceprints, etc., which can identify that individual.
Key Provisions
- Citizen's consent: The law mandates businesses to obtain individuals' explicit consent before collecting their biometric data. It obligates businesses to disclose how they use biometric data and notify individuals of any changes in the use of their data.
- Non-disclosure of biometric identifiers: Individuals' biometric data cannot be sold, leased, or otherwise disclosed for a commercial purpose without express consent.
Applicability
The Washington Biometric Privacy Law applies to all individuals and non-government entities who collect biometric data for commercial purposes.
Penalties Implication
The Washington Biometric Privacy Law is silent on penalties for non-compliance and does not include a private right of action, although it allows enforcement by the state's attorney general.
Consumers' "Right to Delete": What Do US Data Privacy Laws Entail?
A majority of data privacy laws in the United States, including the CPRA and the Virginia Consumer Data Protection Act (VCDPA), have provisions that allow individuals to request the deletion of their data. This "right to deletion" obligates businesses to delete consumers' personal information, with a few exceptions under which companies can retain the information, such as when they need to comply with federal regulations, cooperate with law enforcement agencies, or defend legal claims. Specific clauses and proposals in US privacy laws, such as CCPA 999.313 (d) (2), also mandate that businesses permanently erase personal data from their systems.
In short, businesses with a well-defined data erasure strategy will have a firm grip on their "data deletion" obligations. Nonetheless, navigating the maze of US data privacy laws is essential for businesses to understand this "legislative patchwork" and play by the rules.