What Businesses Should Know About State Consumer Privacy Laws

With the lack of comprehensive federal consumer privacy legislation, states are charting an evolving course for businesses to follow when handling data and information about their customers. Led by California, several other states have created laws to move regulations closer to the European Union’s General Data Protection Regulation. Virginia, Colorado, Utah, Connecticut, and Iowa have created their own consumer privacy protections, with Indiana, Montana, and Tennessee potentially following suit. Meanwhile, nearly a dozen other states are currently debating privacy laws.

While the handful of laws already in existence generally have a lot in common, there are some key variations for businesses operating in different states to be aware of that could make compliance more complex.

California Remains the Trendsetter

The California Consumer Privacy Rights Act (CPRA), which took effect in January 2023, is the most comprehensive consumer-oriented privacy law in the United States. The measure adds additional privacy protections to the California Consumer Privacy Act (CCPA), including those for “sensitive personal information,” and the right to opt out of “sharing” data, not just “selling” data. The law also includes privacy obligations for California employers, making it unique among states. Below are some highlights for businesses to consider:

• In a departure from Federal Trade Commission privacy principals, a retailer needs to have a consumer’s explicit consent before using their personal information gleaned from the purchase of a product to market that retailer’s other products.
• The CPRA modified the downstream contractual obligations that apply to service providers, contractors, and third parties. The law strongly incentivizes business to conduct due diligence of service providers and contractors because the regulations state that a business cannot rely on a defense that it did not have reason to believe that a downstream vendor intended to violate the CCPA.
• If a third party controls the collection of personal information on behalf of a business, then both the business and third party have to provide notice of collection to consumers. However, the notices can be combined into a single notice. The regulations also require that a privacy notice specify the length of time a business intends to retain types of personal information.
• Employees, job applicants, and business-to-business contacts are now “consumers” under the law and have the same rights as all other consumers. Employee and job candidate privacy notices must explain how employees, applicants, and business contacts can exercise those rights. Businesses have generally handled new B2B data rights in two ways: either through an update of their general website privacy policy to include business contacts with other consumers or by including it in a separate section, especially if business contact personal information is handled differently and/or kept in a separate database.

Other States Follow

Virginia, Colorado, Utah, Connecticut, and Iowa followed California in setting privacy laws. Each have features that overlap with California but contain their own traits. The Virginia Consumer Data Protection Act (VCDPA) took effect January 1, 2023, and applies to brick-and-mortar businesses, not just the collection of personal data electronically or over the internet. The Colorado Privacy Act (CPA), which draws heavily from the Virginia law and takes effect July 1, 2023, applies to non-profit entities. The Connecticut Data Privacy Act (CDPA), which also takes effect July 1, 2023, does not apply to nonprofits.

Utah and Iowa have adopted more business-friendly privacy laws, incorporating terms consistent with the CCPA, but without many of the more consumer-oriented terms of the CPRA. For instance, the Utah Consumer Privacy Act (UCPA) that takes effect December 31, 2023, and the Iowa Consumer Data Protection Act (ICDPA), which takes effect January 1, 2025, have no requirement for businesses to conduct data-protection assessments.

Similarities and Key Fault Lines

There are several areas California, Virginia, Colorado, Utah, Connecticut, and Iowa have agreed on. One area all states share is lack of private right of action, except for California’s limited private right of action related to security breaches. Thus far, states allow their respective attorneys general or other regulators, rather than consumers, to file complaints and enforce the laws. The states each allow consumers to access their data and delete at least some data, require privacy notices, and have special requirements for children’s data. However, there are a few key differences for businesses to be aware of, including the following:

• California has a broad expansion of the law to cover employees. Most states focus on “true consumers,” not employees or business contacts. That is a key distinction and complicates compliance in California.
• Virginia, Colorado, and Connecticut are more restrictive than California with respect to requiring sensitive data consent in advance. The laws in Virginia, Colorado, and Connecticut prohibit processing of sensitive data without first obtaining the consumer’s consent. “Sensitive data” includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; processing of genetic or biometric data for the purpose of uniquely identifying a person; personal data collected from a known child; and precise geolocation data. The CPRA, UCPA, and ICDPA contain no comparable opt-in requirement, but California, Utah, and Iowa have the right to limit the use of their sensitive personal by submitting a request to a business.
• Virginia, Colorado, Utah, and Connecticut give consumers the right to opt out of, and require controllers to disclose, the processing of personal data for the purposes of targeted advertising. Iowa lacks such a requirement. The California law, meanwhile, addresses “cross-context behavioral advertising,” and treats sharing of personal information for that advertising in the same way as a “sale” of personal information under the CCPA.

Federal Action Uncertain

Despite interest from the business community for an all-encompassing federal data privacy law, such a development has remained elusive. Several bills have been proposed over the years, but none have been successful. The American Data Privacy Protection Act, introduced in May 2022, would limit the private right of action and provide for limited preemption of state privacy laws. The measure has enough bipartisan support to have gotten out of committee, but chances for passage are unclear, as it appears to lack key support to move it farther.

To keep track of the latest developments at the state level and learn more about global privacy measures, please Morgan Lewis’s US Consumer Privacy Acts page and Global Privacy Year in Review report.