Privacy legislation in the US is evolving. California’s leading privacy law has inspired and encouraged other states to introduce similar rights and protections for their consumers. Sometimes these bills pass, other times they fail. What’s clear is that there’s a consistent stream of proposed data privacy laws to watch.
In this guide, we’ll take a look at some of the recently passed state privacy laws and the US data privacy laws to watch. Understand more about new and proposed privacy legislation, so you can feel confident that you’re prepared for the future.
While there’s no federal law that governs consumer data privacy in general, the Federal Trade Commission (FTC) still enforces the principle of it, and there are laws that cover specific elements of it. The Health Insurance Portability and Accountability Act (HIPAA) places responsibilities on healthcare providers and others around the collection, use, and sharing of protected health information. There’s also the Children’s Online Privacy Protection Act (COPPA), which protects children’s personal data at a federal level.
When it comes to consumer data protection, the California Consumer Privacy Act (CCPA) leads the way. This landmark privacy legislation gives California residents a collection of key privacy rights, and places responsibilities on applicable businesses to safeguard data and uphold those rights. This law features similar themes and concepts to one of the most well-known data protection laws out there — the European Union’s General Data Protection Regulation (GDPR).
As well as the existing and well-known privacy law in California, there are recently passed laws to be mindful of too. Recent state privacy laws in Virginia, Nevada, and New York introduce new and expanded rights for consumers, and it’s worth understanding more about them if they apply to your business.
While some recent US state level data privacy laws haven’t made it past the first few hurdles, some have progressed all the way through and made it into state law.
Here are some of the US state privacy laws that have recently passed or come into effect. Many of these feature similar rights and responsibilities to the CCPA, but it’s still important to be aware of where they're different.
Virginia’s much-anticipated Consumer Data Protection Act (CDPA) came into law in March 2021. Virginia is only the second state to pass its own privacy legislation covering consumer protection, following California’s Consumer Privacy Act (CCPA), with which it shares similar themes and goals.
The CDPA largely mirrors the CCPA, offering a similar level of consumer protection and data privacy. Consumers have the right to access their data, correct it, and request that it be deleted. They have the right to know that it’s being collected, and for what purpose, and can opt out of the sale of their data.
While the law features similarities to the CCPA, there’s a notable difference when it comes to defining the sale of data. The CDPA makes it clear that this is a transaction where there’s money involved — instead of a transaction of value. This is much closer to the average consumer’s idea of what “sale” means.
Like most privacy laws, the CDPA only applies to certain businesses or organizations. To fall under the scope of this privacy law, an organization must conduct business in Virginia, or control or process the personal data of a specified number of Virginia residents. That figure is 100,000 residents per year, or 25,000 if a company gains 50% or more of its gross revenue from the sale of consumers’ personal information.
While the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) was passed in July 2019, it didn’t become fully enforceable until March 2020. Now that it’s in force, New York residents benefit from enhanced information security and protection of their personal data.
The SHIELD Act introduces new security requirements and responsibilities for organizations that fall under its scope. Businesses must adopt appropriate safeguards for the accuracy, confidentiality, and security of the personal data they hold — including introducing a robust data security program and designating someone to oversee it. The Act also increases the protection of New York residents’ personal data by expanding the categories of information that count as personal data, and by widening the definition of what is considered a data breach.
When it comes to compliance, the SHIELD Act applies to any organization that processes the personal information of New York residents. There’s no requirement on how many residents’ data you need to collect or process for this to apply.
However, there are some exceptions to who the SHIELD Act applies to. Organizations with a data security program that’s already compliant with any of the following are exempt: the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Gramm-Leach-Bliley Act (GLBA), or New York’s Department of Financial Services Cybersecurity Regulation. There’s also an exemption for small businesses with fewer than 50 employees and a gross revenue below three million dollars.
Nevada’s Senate Bill 220 (SB 220) replaces a previous state privacy law, the NRS 603A. This refreshed state law came into effect in October 2019 and gives Nevada residents greater control over their personal data.
As with the Virginia Consumer Data Protection Act, SB 220 largely offers similar consumer protection to the existing CCPA. One area where it differs is in the definition of consumer data. Under SB 220, this definition is broader — making it easier for collected data to fall within the remit of the law. There’s also more flexibility around how consumers can opt out of the sale of their data. Instead of a web link being a requirement, users can also make the request by email or via a toll-free phone number.
Like other state privacy laws, Senate Bill 220 can apply to organizations outside Nevada. The law applies to operators (anyone who owns a commercial website and collects personal data) that purposefully direct their activities towards Nevada, do business with Nevada, or have sufficient “nexus” with the state. Examples of this would include storing or delivering goods within the state, or having a local office in Nevada.
Not every organization is considered an operator, and as with any privacy legislation there are exceptions to who the law applies to. Organizations that already comply with the GLBA or HIPAA are excluded, as are third-party service providers that operate on behalf of others.
When it comes to enforcing this law, consumers face one disadvantage compared to the CCPA — there’s no private right of action. Instead, the state attorney general can look to impose an injunction or fine of up to $5,000 per violation.
Data privacy legislation is forever changing, and states are continually looking for new ways to offer their residents greater consumer rights when it comes to personal data. This means there are always new privacy laws being proposed to legislators.
Let’s take a look at some of the US data privacy bills to keep an eye on as they move through the legislative process, along with some of the highlights of what each privacy law seeks to cover.
While the landmark US data privacy law is currently the California Consumer Privacy Act (CCPA), a new law is set to take its place when it comes into effect in 2023 — the California Privacy Rights Act (CPRA).
This new privacy law expands on the rights given to California residents, and also introduces new ones. When the law comes into effect, residents will gain the following rights:
Another notable addition that comes with the CPRA is the creation of a dedicated agency to handle enforcement. The California Privacy Protection Agency will be made up of individuals with expertise in consumer rights, technology, and data privacy, with any funds raised through enforcement being put back into the agency’s future operations.
Like the CPRA, Colorado also has a new privacy law that comes into effect in 2023. The Colorado Privacy Act (CPA) was passed into law in July 2021 and gives consumers new rights around access to and the sale of their personal information.
Under this new Privacy Act, Colorado residents gain the following rights:
Once in effect, the Colorado Privacy Act is widely considered by experts to represent the third major privacy law in the US. A key inclusion within the CPA is a consumer’s right to appeal. This means that if an organization denies a request to access or delete data, for example, the consumer can appeal that denial within a 45-day period. This gives consumers another way to enforce a valid request, through an appeals process.
The New York Privacy Act (NYPA) would, if passed, be the fourth major US state privacy law after the CCPA and CDPA in California, and Colorado’s CPA. The bill, currently at the committee stage, would introduce new rights for New York residents — largely along the same lines as existing state privacy laws.
Under this proposed Act, consumers would gain access to the following:
For businesses, there are also some notable differences. Where the CCPA states you must allow consumers the opportunity to opt out of the sale of personal data, the NYPA introduces a requirement for consumers to opt in to give consent to the processing of personal data. This puts it closer to the consent requirements within the EU’s GDPR. There’s also greater exposure to potential private action, with no explicit provision for a mediation stage before this occurs.
In Illinois, a new consumer rights and privacy law has been introduced. The Illinois Consumer Privacy Act (ICPA) sets clearer boundaries and expectations for what businesses may do with personal data, as well as giving greater rights to consumers.
This proposed consumer privacy Act would create the following rights for Illinoisians:
The Massachusetts Information Privacy Act (MIPA) is another state privacy law to keep an eye on. Referred to committee in March 2021, this Act seeks to give Massachusetts residents data privacy protections that keep pace with the digital age.
This proposed privacy law would give residents the right to:
Like the CPRA in California, this Massachusetts privacy law would introduce a new agency to handle enforcement and regulatory activity — the Massachusetts Information Privacy Commission. The state law also seeks to build on the data privacy standards introduced by the CCPA and CPRA in California, and the GDPR in the EU.
One of the most recent state privacy laws on this list, the Consumer Privacy Act of North Carolina (CPA) was introduced in April 2021. While the Identity Theft Protection Act is currently in place in the state, this new legislation gives consumers greater control and rights over their data.
Under this proposed Act, North Carolina residents would enjoy the following rights:
North Carolina’s CPA also gives consumers a private right of action. Enforcement would be handled by the state attorney general, as is typical with such legislation, but consumers could also take civil action to seek damages arising from a data breach or non-compliance with the law. This means that it’s essential to stay up to date with data compliance should this bill pass, to avoid potential private action from consumers.
The State of New Jersey currently has not one but three privacy law bills pending — AB 3255, AB 3284, and AB 5448. These bills are designed to put new responsibilities on businesses to act mindfully with personal data, to be transparent about its use, and to respect consumers’ rights.
These three bills are similar, with some key highlights as follows:
It’s worth keeping an eye on these New Jersey bills to see whether any or all of them make it all the way through the process. An interesting distinction is AB 3255’s reference to having consumers opt in to data collection and processing, whereas AB 5448 takes the opt-out approach instead.
With privacy legislation changing and evolving as we grow more conscious of the impact of data, it becomes more essential than ever to understand what’s required of you as a business and to put steps in place to stay compliant.
Our simple privacy compliance platform gives website and eCommerce store owners an easier way to manage privacy and eliminate risks. With Enzuzo, you can manage privacy in one place — giving you greater confidence and creating a better user experience for your consumers.
Privacy legislation changes all the time, and there will always be new bills proposed by states that don’t currently feature laws that give their consumers present-day rights. It’s helpful to keep an eye on upcoming and proposed US data privacy laws to understand what might be required of you in the future, and to give you confidence that you’re on the right track.
If you’re keen to simplify your data compliance, try Enzuzo. Our privacy platform lets you manage everything in one place — including cookie consent bars, privacy policies, user requests, and more. Plus, we’ll keep the platform updated with the latest changes in privacy legislation to help make it easier for you to stay compliant.