What’s going on with data privacy legislation in the US?
Answer: There’s a lot going on. Besides the whispers of federal data privacy legislation in the future, there’s a lot in the works for a majority of states in the US. If you know about California and CCPA, think along those lines - but for every state, each with their own intricacies and penalties.
Let’s get right into it.
A Quick Guide to Data Privacy Legislation in the U.S.
Last Updated 5/10/2021
California: California Consumer Protection Act (CCPA)
California’s CCPA is the mother of modern privacy legislation in the United States. It shares a lot of similarities with Europe’s General Data Protection Regulation (GDPR), which you can read more about here.
CCPA aims to give more consumers greater control over their personal information. It sets new standards that businesses need to follow regarding how they use and store user data, and is finally a way for consumers to fight back against big businesses like Facebook and Google who use personal information for multiple purposes without consent. CCPA passed all the way back in 2018 and has been enforceable since July 2020.
Despite being a groundbreaker in privacy legislation, CCPA is not without its flaws. To combat these flaws, and to introduce clarity for both consumers and businesses, California recently passed the California Privacy Rights Act (CPRA), which is often referred to as “CCPA version 2.0.” And I know – those acronyms are very similar. CPRA will help to supplement and clarify CCPA, but it doesn’t take effect until January 2023 and will be made enforceable in July 2023.
We’ll go a bit more in-depth for California than other states, as most states have modelled their own legislation in its likeness.
California Consumer Protection Act (CCPA) and California Privacy Rights Act (CPRA)
CCPA went into effect in July 2020, leading data privacy in the U.S. As mentioned, its goal is to give consumers more control over their personal information.
Below are a few notable parts of CCPA regarding the rights granted to consumers over their personal information. The “personal information” that CCPA applies to is anything that identifies or can be linked to you, including your name, social security number, email address, internet browsing history, etc.
You’ll see a lot of these same clauses in other proposed legislation.
- Right to know: Consumers can request to know which of their personal information is being collected and stored
- Right to delete: Consumers can ask for the collected personal information to be deleted
- Right to opt-out: Consumers can opt-out of the sale of their personal information
- Right to non-discrimination: Consumers cannot be discriminated against for exercising their rights under CCPA
Who do CCPA and CPRA apply to?
Companies that do business in California that meet any of the following criteria:
- Have a gross annual revenue of over $25 million; or
- Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
- Derive 50% or more of their annual revenue from selling California residents’ personal information.
What are the potential penalties for violations?
Under CCPA, your business can’t be sued by an individual for a violation (you can, however, be sued for a data breach). The Attorney General of California can file action against your business for misconduct on behalf of the collective legal interests of the people of California.
Once CPRA goes into effect, it will be a whole other story. CPRA establishes an enforcement authority, named the California Privacy Protection Agency (CPPA). (Keep all those acronyms organized, yeah?) The CPPA has power to fine businesses who violate rules, hold hearings, and help to clarify any guidelines that might be unclear. They can also inform businesses if they are in violation, proactively giving them a chance to reform before being fined.
Additionally, the action required by companies in violation is much greater. Not only will businesses in violation have to pay fines, but they must also demonstrate that they have a sustainable solution for the future. Gone are the days of paying a fine for a data breach and then forgetting about it. For a good analogy: “If the cows escape the barn, businesses have to put them back in if they want to avoid legal trouble. Merely putting a lock on the door so nothing gets out next time, will not suffice.”1 Oh, and the CPPA has a huge budget.
Virginia: Virginia Consumer Data Protection Act (VCDPA)
Virginia follows California with its very similar bill, VCDPA. It also goes into effect on Jan 1, 2023.
The five main consumer rights that VCDPA provides are Right to Know, Right to Correct, Right to Delete, Right to Data Portability, and Right to Opt-out. To prepare for this act, companies will likely need to update their internal compliance policies. Learn more about VCDPA
Who does it apply to?
Entities that conduct business in Virginia or produce products and services that target Virginia residents and:
(i) control or process personal data of 100,000 or more Virginia consumers; or
(ii) control or process the personal data of 25,000 or more Virginia consumers and derive over 50% of gross revenue from the sale of personal data.
Exemptions: entities that are subject to other privacy laws, such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Fair Credit Reporting Act (FCRA).
The following states have legislation that is still in the deliberation stage (so it may or may not pass). They are listed in alphabetical order.
Alaska: Consumer Data Privacy Act (SB 116 and HB 159)
This act would provide consumers with Right to Know, Right to Disclosure, Right to Delete, and Right to Opt-Out. Notably, it would also give parents the power to approve or reject the sale of minors’ data. There are a few pieces of this act that may need to be revised or edited for clarity if passed, much like CPRA did for CCPA. Read more
Who does it apply to?
Entities that do business in Alaska that:
- have $25 million annual revenue; or
- purchase or disclose the personal information of 100,000 consumers, households, or devices; or
- have sold the personal information of a consumer, household, or device—even just one consumer, household, or device—during the past year
Connecticut: Connecticut Act Concerning Consumer Privacy
Same story, different state. This act would “establish a framework for controlling and processing personal data, and include the now-typical consumer rights to access, correct, delete, and know how businesses are using their personal data.1” Read more about it here
Who does it apply to?
People who conduct business in Connecticut or produce products or services that are targeted to residents of Connecticut that:
- During a calendar year, control or process the personal data of not less than 100,000 consumers; or
- Control or process the personal data of not less than 25,000 consumers and derive more than 50% of their gross revenue from the sale of personal data.
Exemptions: Higher education institutions, non-profits, entities governed under GLBA and HIPAA, and State agencies
Illinois: Right to Know Act and Consumer Privacy Act
Illinois has introduced two possible pieces of legislation. Naming conventions are everything here, as the Consumer Privacy Act is just a modified version of CCPA.
Who does it apply to?
The Consumer Privacy Act would apply to for-profit businesses that:
- Do business in Illinois;
- Collect personal information about consumers, or are the entity on behalf of which the information is collected; and
- Determine the purposes and means of processing consumer's personal information
AND meet at least one of the following thresholds:
- Have annual gross revenues in excess of $25 million; or
- Alone or jointly with others engage with the data of 50,000 or more consumers; or
- Derive 50% or more of its annual revenue from the sale of consumers' personal information
It also applies to any business that controls, or is controlled by, a covered business and shares common branding with it.
Minnesota: Consumer Data Privacy Act (MCDPA)
MCDPA is based on the Washington Privacy Act and Virginia Consumer Data Protection Act. Read more about MCDPA
Who does it apply to?
MCDPA would apply to companies doing business in Minnesota, including those that provide products or services to Minnesota residents, so long as these companies:
- process personal data of at least 100,000 consumers; or
- generate more than 25% of their gross revenue from the sale of personal data, while also processing the personal data of at least 25,000 Minnesota consumers
New Jersey: New Jersey Disclosure and Accountability Transparency Act (DATA)
New Jersey has attempted to introduce several bills over the past year without success; notably, DATA is one of those that is still in committee. The bill would establish requirements for the use of personally identifiable information (PII) and establish an Office of Data Protection and Responsible Use. Learn more about the other bills introduced in NJ
New York: New York Privacy Act (NYPA) (+ others)
New York is another state that has introduced a plethora of privacy bills in the past year. The New York Privacy Act is similar to Europe’s GDPR, and its tough regulations would significantly impact businesses that operate in New York. This could pose an issue for passage of the bill. Learn More
South Carolina: South Carolina Biometric Data Privacy Act (BDPA)
A relatively limited bill, the BDPA restricts protections to biometric information. Biometric information is information based on biometric identifiers such as fingerprint, face geometry, and retina scan, that can be used to identify an individual. Learn More
Alabama: Alabama Consumer Privacy Act (ACPA)
Another CCPA copycat, with Right to Delete, Right to Opt-Out, and Right to Know (the category of information). The types of consumer information it aims to protect are identifying information such as name, email address, biometric, and medical information. Read more
Who does it apply to?
Any business, or entity controlled by the business and sharing common branding that:
- Does business in Alabama;
- Is for-profit;
- Collects consumers' personal information; and
- Determines the purposes and means of processing consumers' personal information
Note: unlike CCPA and other proposed privacy legislation, ACPA does not list minimum thresholds for aspects such as revenue.
Colorado: Colorado Privacy Act
Similar to the Virginia Consumer Data Protection Act, but with slightly fewer rights for consumers. Read more about it here
Who does it apply to?
The bill applies to controllers that conduct business in Colorado or produce products or services that are intentionally targeted to residents of Colorado and that
(1) control or process the personal data of 100,000 or more consumers during a calendar year and/or
(2) derive revenue or receive a discount on the price of goods or services from the “sale” of personal data and process or control the personal data of 25,000 or more consumers.
Massachusetts: Information Privacy Act (SD 1726 and HD 3847)
This bill for Massachusetts proposes some tight requirements to protect consumers. The language is interesting in that it is slightly more aggressively pushing companies to be vigilant in their practices. “Entities may not use personal information, or information derived from personal information, in any way that: (i) benefits themselves to the detriment of an individual; (ii) results in reasonably foreseeable and material physical or financial harm to an individual; or (iii) would be unexpected and highly offensive to a reasonable individual that provided consent.” Read More
Texas: HB 3741 (+ others)
Texas introduced six different bills, the most notable being HB 3741 (the Data Privacy Omnibus), which would focus on the “protection of personal identifying information collected, processed, or maintained by certain businesses in the private sector.1” Learn More
Pennsylvania: Pennsylvania Consumer Data Privacy Act (HB 1126)
This bill, similar to CCPA, is described as being “an act providing for consumer data privacy, for rights of consumers and duties of businesses relating to the collection of personal information and for duties of the Attorney General.” Read More
Who does it apply to?
For-profit businesses that:
- Do business in Pennsylvania;
- Collect, sell, or share consumers' personal information;
- Alone, or jointly with others, determine the purposes and means of processing consumers' personal information; and
- Meet at least one of the following thresholds:
  - Have an annual gross revenue of at least $10 million;
  - Annually buy, sell, or share, alone or in combination, the personal information of 50,000 consumers, households, or devices; or
  - Derive 50% of their annual revenues from the sale of consumers' personal information.
Rhode Island: Rhode Island Data Transparency and Privacy Protection Act (TPPA)
While this isn’t the most comprehensive bill, we’ll include it in this list anyway. It provides Right to Know for consumers yet misses out on key rights such as Right to Opt-out and Right to Delete. It is described as an act “to identify information collected by online service providers and commercial websites.” Read More
The Rhode Island bill would apply to website operators that:
- Collect and maintain personally identifiable information from a customer who uses or visits the website or online service for a commercial purpose; and
- Employ more than 10 individuals.
Vermont: House Bill 160
This one-paragraph-long bill “proposes to adopt consumer privacy protections, give Vermonters more control over the amount and type of data that personal device manufacturers and service providers collect about them, and adopt other protections provided in the California Consumer Privacy Act.”
(UPDATE: Recently died in committee.)
Florida: Florida Privacy Protection Act (HB 969 and SB 1734)
(HB 969 passed in House on April 21, 2021)
Florida unexpectedly pushed for privacy legislation that would impact big businesses heavily. Similar to CCPA, it aimed to protect users’ personal information and restrict the use of user data. It would have given power to individuals to sue marketers and data brokers for violations. Learn More
Who would it have applied to?
- For-profit entities that do business in Florida and have annual global revenue of over $25 million; or
- Entities that either buy, sell, receive, or share the personal information of over 50,000 Florida residents, households or devices annually; or
- Derive at least half of their global annual revenues from selling or sharing information about Florida residents
Washington: Washington Privacy Act (WPA)
(UPDATE: WPA failed to pass in the House on April 11th and officially died on April 25th)
WPA was similar to California’s CPRA and Virginia’s CDPA. This is the third year in a row that WPA failed to pass. Read more about WPA
Oklahoma: Oklahoma Computer Data Privacy Act
(Passed in the House on March 5th 2021.)
(UPDATE: The bill died in the Senate on April 8th, 2021.)
This act is similar to CCPA. It focuses on consumer rights and protection, such as Right to Know and Right to Delete. One notable difference from CCPA is that it would “require any Oklahoma business covered to obtain the consumer’s opt-in consent before collecting, using or selling their personal information.2” Read more.
Why did it die?
The main reason that this bill was prevented from passing is said to be the active opposition from big tech and communications companies. Specifically, “a provision that required businesses in most cases to obtain the consent of consumers prior to collecting, using or selling personal information about them.1” They may not want this legislation but… it’s coming one way or another.
We know it’s hard to keep track of. No matter what industry or what stage your business is in, Verif-y is here to make it simple. Our solution is different from others. Instead of addressing each detail for every new piece of privacy legislation, you’re proactively protected by not storing any personal records locally. User-owned and permissioned data; out of your hands.
We’ll keep things as up-to-date as possible to keep you informed. In addition, both iapp and Husch Blackwell provide updates on bill status. If your preferred method of getting updates is through Twitter, iapp’s Joe Duball keeps things fresh on his feed.