US Consumer Privacy Acts

Influenced by California’s Consumer Privacy Act (CCPA) and Europe Union’s General Data Protection Regulation (GDPR), a wave of new data privacy legislation has been introduced across the United States, including updates in California. Visit this page for the latest developments during this critical juncture in US privacy regulation.


The far-reaching CCPA of 2018 is now in full effect for nonemployee information. The CCPA can be enforced by the California Attorney General with the possibility of statutory penalties for noncompliance. Private plaintiffs can sue in certain circumstances. In the future, the CCPA will be enforced by a new California privacy regulator, the California Privacy Protection Agency.

The CCPA created an array of new consumer privacy rights that require many companies doing business in California to reassess their collection and use of personal information and modify their business processes to accommodate the new rights of consumers. It allows California consumers to make requests of businesses to disclose what personal information the business has shared and also to delete or no longer share that information.


Virginia is the second US state to pass a comprehensive data privacy law, the Virginia Consumer Data Protection Act (VCDPA). The VCDPA has a number of key similarities to the CCPA, CPRA, and GDPR, and it follows a similar framework with proposed data privacy bills pending in other statehouses. The VCDPA, which takes effect on January 1, 2023, will require companies doing business in Virginia to reassess their collection and use of consumer personal information and modify their business practices to account for Virginia’s new requirements. Among other requirements, the VCDPA gives Virginia consumers the right to request access, correct, or delete their personal information. It requires companies to offer consumers an opt-out and mandates express consent for certain uses of personal information. The VCPDA will be enforced by the Virginia Attorney General. 


Colorado, the third state to enact comprehensive privacy legislation, signed into law the Colorado Privacy Act (CPA) on July 8, 2021. The CPA is effective on July 1, 2023. Like the CCPA and other state laws, the CPA will require companies to respond to rights requests from Colorado consumers and take other steps to ensure privacy and reasonable security. It will also require companies to allow consumers to opt-out of targeted advertising, the sale of their personal information, and profiling decisions. Consumers will have the right to access, correct, delete, and obtain a copy of their personal information on a portable format. Like other state laws, Colorado will require companies to provide a privacy notice, minimize use of personal information, and process sensitive personal information only after obtaining consent. The CPA will be enforced by the Colorado Attorney General, with violations considered deceptive and unfair trade practices.

In addition to California, Virginia, and Colorado, many other state legislatures have introduced privacy bills inspired to varying degrees by the CCPA.

States Where Consumer Privacy Legislation Has Been Passed or Introduced

Consumer Privacy Legislation Map

Morgan Lewis is prepared to guide companies and institutions of all sizes through the challenges they face in this new regulatory environment. We will closely follow developments in all 50 states as data privacy legislation is proposed, enacted, and amended. Our lawyers assist clients in virtually all the major industries around the globe in understanding how these important changes affect their businesses and how to navigate the changing data privacy landscape.