With the lack of comprehensive federal consumer privacy legislation, states are charting an evolving course for businesses to follow when handling data and information about their customers. Led by California, several other states have created laws to move regulations closer to the European Union’s General Data Protection Regulation. Virginia, Colorado, Utah, Connecticut, and Iowa have created their own consumer privacy protections, with Indiana, Montana, and Tennessee potentially following suit. Meanwhile, nearly a dozen other states are currently debating privacy laws.
While the handful of laws already in existence generally have a lot in common, there are some key variations for businesses operating in different states to be aware of that could make compliance more complex.
The California Consumer Privacy Rights Act (CPRA), which took effect in January 2023, is the most comprehensive consumer-oriented privacy law in the United States. The measure adds additional privacy protections to the California Consumer Privacy Act (CCPA), including those for “sensitive personal information,” and the right to opt out of “sharing” data, not just “selling” data. The law also includes privacy obligations for California employers, making it unique among states. Below are some highlights for businesses to consider:
Virginia, Colorado, Utah, Connecticut, and Iowa followed California in setting privacy laws. Each has features that overlap with California’s law but also traits of its own. The Virginia Consumer Data Protection Act (VCDPA) took effect January 1, 2023, and applies to brick-and-mortar businesses, not just the collection of personal data electronically or over the internet. The Colorado Privacy Act (CPA), which draws heavily from the Virginia law and takes effect July 1, 2023, applies to non-profit entities. The Connecticut Data Privacy Act (CDPA), which also takes effect July 1, 2023, does not apply to nonprofits.
Utah and Iowa have adopted more business-friendly privacy laws, incorporating terms consistent with the CCPA, but without many of the more consumer-oriented terms of the CPRA. For instance, the Utah Consumer Privacy Act (UCPA) that takes effect December 31, 2023, and the Iowa Consumer Data Protection Act (ICDPA), which takes effect January 1, 2025, have no requirement for businesses to conduct data-protection assessments.
There are several areas California, Virginia, Colorado, Utah, Connecticut, and Iowa have agreed on. One area all states share is lack of private right of action, except for California’s limited private right of action related to security breaches. Thus far, states allow their respective attorneys general or other regulators, rather than consumers, to file complaints and enforce the laws. The states each allow consumers to access their data and delete at least some data, require privacy notices, and have special requirements for children’s data. However, there are a few key differences for businesses to be aware of, including the following:
Despite interest from the business community for an all-encompassing federal data privacy law, such a development has remained elusive. Several bills have been proposed over the years, but none have been successful. The American Data Privacy Protection Act, introduced in May 2022, would limit the private right of action and provide for limited preemption of state privacy laws. The measure has enough bipartisan support to have gotten out of committee, but chances for passage are unclear, as it appears to lack the key support needed to move it further.
To keep track of the latest developments at the state level and learn more about global privacy measures, please see Morgan Lewis’s US Consumer Privacy Acts page and Global Privacy Year in Review report.