The privacy landscape in the United States has seen significant changes in the last few years. There is no federal-level privacy law in the US like the European Union’s General Data Protection Regulation (GDPR) yet. But states are embracing new privacy laws to ensure data protection and data privacy.

A quick search on LegiScan reveals that hundreds of bills and amendments on privacy, cybersecurity and data breaches are pending across the US. This is a clear indication that more and more states are currently debating and proposing state-level privacy legislation.

Data Privacy in the US: Background

Although the US lacks a uniform federal data privacy law, consumers still have protections under industry-focused federal laws. The Health Insurance Portability and Accountability Act (HIPAA) protects personal health information, and the Children’s Online Privacy Protection Act (COPPA) took the first step toward regulating personal information collected from minors.

The Family Educational Rights and Privacy Act (FERPA) protects student education records, and the Gramm-Leach-Bliley Act (GLBA) protects financial information. Businesses that operate abroad, especially in the EU, are also subject to the GDPR.

The US Congress has debated a federal privacy law for decades. The Federal Trade Commission (FTC) called on Congress to pass a federal data privacy law as far back as 2000. In 2020, the US Chamber of Commerce noted that federal inaction had stalled a federal law and advocated a nationwide data privacy policy. It is at this juncture that states have gone ahead with their own privacy laws.

Consumer Privacy Laws in the US

The push for state-level privacy laws gained momentum after California took the lead with the California Consumer Privacy Act in 2018. California has since passed an amendment, the California Privacy Rights Act. Following California’s lead, Virginia recently passed the Consumer Data Protection Act, becoming the second state to pass a data privacy law in the US. As of now, Virginia and California are not the only two states in the US with consumer privacy regulations signed into law.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is touted as the first major consumer privacy law in the USA. Passed in 2018, CCPA gives residents of California comprehensive rights to protect their data privacy. Businesses are required to inform a consumer about the personal information they collect and the purpose for which the information will be used. It gives consumers more control over the sharing of their data. 

Consumers have the right to access and delete the personal data that businesses hold about them. The most important provision is that consumers have the right to opt out of the sale of their personal data to third parties.

Who is affected by the CCPA?

The CCPA applies to any organization doing business in California, whether or not the business has a physical presence or employees in the state. Businesses have to comply with the CCPA if they meet any of the following requirements:

  • Has at least $25 million in annual revenue
  • Obtains personal information of at least 50,000 California residents, households and/or devices per year
  • Derives at least 50% of its annual revenue from the sale of personal information of California residents

What are the penalties for non-compliance?

Failure to comply with the CCPA can invite a fine of up to $2,500 for each unintentional violation. The penalty can go up to $7,500 per violation in case of a data breach.

Under the CCPA, consumers have the right to sue. Consumers can initiate class action claims for no less than $100 and up to $750 per consumer in case of a data breach.

Effective Date: January 1, 2020

Read the official text

California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA) amends the California Consumer Privacy Act (CCPA), substantially increases the rights of consumers and puts more obligations on businesses that handle personal information. The CPRA (also referred to as CCPA 2.0) expands consumer rights and third-party compliance requirements.

The Act defines a new category of sensitive personal information and increases the penalty for violating the privacy of minors. The biggest change in the CPRA is the creation of a distinct enforcement arm for the implementation of California’s privacy laws: the California Privacy Protection Agency (CalPPA).

Who is affected by the CPRA?

While the thresholds under the CPRA are in line with the CCPA, there are a few minor yet noticeable changes. The CPRA applies to a business that:

  • Has annual gross revenues over $25 million in the preceding calendar year
  • Buys, sells, or shares the personal information of 100,000 or more consumers or households
  • Gets 50% or more of its annual revenues from selling or sharing consumers’ personal information

What are the penalties for non-compliance?

The CPRA increases fines for privacy violations involving minors (under the age of 16). Businesses that violate the rights of minors can be fined $7,500 for each violation.

Like the CCPA, non-compliance with the CPRA can invite a fine of up to $2,500 for each unintentional violation. Both the original CCPA and the new CPRA allow consumers to sue businesses in the event of a data breach.

Effective Date: January 1, 2023

Read the official text

Consumer Data Protection Act (CDPA)

Virginia passed the Consumer Data Protection Act (CDPA) in March 2021. It is the second state, after California, to pass data privacy legislation in the United States. The CDPA borrows from the CCPA, the CPRA and the GDPR.

The Act defines key aspects of data privacy such as personal data, sensitive data, consent, targeted advertising, and sale of personal data. Under the CDPA, consumers have the right to access, correct, delete, and receive a copy of their personal data, and the right to opt out of profiling.

Businesses have to demonstrate proof of consent before processing a consumer’s personal data. They will also be subject to third-party compliance rules.

Who is affected by the CDPA?

The CDPA applies to businesses in Virginia that: 

  • Control or process personal data of at least 100,000 consumers during a calendar year
  • Control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data

The CDPA also identifies categories of organizations that are completely exempt from the Act. These include state and local government organizations, financial institutions or data covered by the Gramm-Leach-Bliley Act (GLBA), organizations subject to the Health Insurance Portability and Accountability Act (HIPAA), non-profit organizations, and higher education institutions.

What are the penalties for non-compliance?

Businesses can be fined $7,500 for each violation if they fail to rectify the alleged violation within the 30-day cure period.

While California’s privacy laws give consumers a private right of action for data breaches, Virginia’s law is enforced only through the Attorney General’s office.

Effective Date: January 1, 2023

Read the official text

Upcoming State Privacy Laws

The data privacy trend has been accelerating as several states have introduced data privacy and consumer protection laws in 2021. Even though they are not as far-reaching as those of California and now Virginia, they are a step in the right direction.

State laws have been evolving at a breakneck pace. To keep track of the continuous developments, you may refer to this privacy law tracker. For a bird’s eye view of the current bills, refer to this infographic.

Note that this blog is not a comprehensive list. It gives you an overview of the major developments in 2021.

New York

The New York State Legislature is currently considering two privacy bills, SB 567 and AB A680 (the New York Privacy Act). Unlike the CDPA, both bills contain a private right of action, and Assembly Bill A680 would create an opt-in consent requirement for all processing activities and third-party disclosures.

SB 567 is nearly a clone of the CCPA, but notably includes a private right of action. The bill includes a consent requirement like that of the GDPR – for all processing activities and third-party disclosures, with no exceptions. It also gives consumers rights such as access, rectification/correction, deletion, and data portability.

Washington

Washington has been trying to enact the Washington Privacy Act (SB 5062) for two years and counting. The updated draft of the Washington Privacy Act was re-introduced for the 2021 state legislative session.

The Act grants consumers the right to access, transfer, correct, and delete their personal data. Consumers can also opt out of targeted advertising and the sale of their personal data under the legislation. The Act also seeks to protect the use of personal and public health data during global pandemics, especially concerning contact tracing.

Colorado

In March 2021, Colorado introduced SB 21-190, entitled “an Act Concerning additional protection of data relating to personal privacy”. Under SB 21-190, consumers have the right to opt out of the processing of their personal data. It gives consumers a slew of rights, including the right to access, correct, or delete their data and the right to data portability.

Similar to Virginia’s CDPA, the bill requires data controllers to conduct a data protection assessment for processing activities that can pose a risk to consumers, such as the processing of sensitive data and targeted advertising.

Texas

In March, Texas lawmakers introduced six consumer privacy bills aimed at addressing data privacy, data crimes, and data breaches. One of them, HB 3741, is very similar to the CCPA but has unique features, including its creation of three “categories” of data.

The bill would give Texas residents the right to know, to correct inaccurate information, to access, to data portability, and to deletion. It would restrict businesses’ sale and collection of certain types of data and require “express written consent” for the collection and sale of geolocation data.

Nevada

Nevada introduced two new bills (AB 323 and SB 260) in March 2021. They would move the state’s laws toward CCPA-like privacy regulation. In 2019, Nevada had officially approved Senate Bill 220 (SB 220), an “act relating to internet privacy”. That legislation gives consumers the power to opt out of the resale of their personal information: consumers have the right to instruct website operators not to sell their data.

What are the next steps for businesses?

The many upcoming state frameworks may put pressure on the US Congress and pave the way for a federal privacy law in the near future.

As businesses wait for the passage of federal privacy legislation, it is beneficial to take proactive steps to keep up with state-level privacy laws.

  • Continue to monitor the status of the particular bills that may impact your business.
  • Consult a legal specialist to understand which data privacy regulations apply to your business, and how to comply with the regulations.
  • Conduct a comprehensive data inventory to understand what data you have, how it’s used and stored, and where and how it’s shared across the data lifecycle.
  • Perform timely audits to review and update data mapping efforts including the tracking and security of sensitive personal information.
  • Adopt cybersecurity and data privacy compliance frameworks to secure consumer data and ensure data confidentiality. 
  • Keep detailed records of your compliance activities, as they will help you demonstrate your compliance as well as your risk mitigation mechanisms.

Businesses that are already complying with the CCPA or the GDPR are in for good news. While that will not automatically put you in compliance with the new privacy laws, it will give you a considerable advantage.

If you do not comply with either, get started now! CookieYes is a cookie consent solution that will help you to comply with data privacy laws like the GDPR and CCPA. 

CCPA Compliance with CookieYes

GDPR Compliance with CookieYes

With CookieYes, you can easily add a fully customizable cookie consent banner, automatically scan your website for cookies and add them to your site’s list of cookies.

You can also access a record of users’ consents and their cookie preferences in a consent log. This can help you demonstrate your compliance during audits. 

The Free Privacy Policy Generator allows you to create a Privacy Policy exclusively for your business, all in a few clicks.

Sign up for free today!