US Data Privacy Laws Explained

What’s going on with data privacy legislation in the US?

Answer: There’s a lot going on. Besides the whispers of federal data privacy legislation in the future, there’s a lot in the works for a majority of states in the US. If you know about California and CCPA, think along those lines - but for every state, each with their own intricacies and penalties.

Click here to see how Verif-y can help your business deal with every state’s privacy legislation, with ONE simple solution.

Let’s get right into it.

A Quick Guide to Data Privacy Legislation in the U.S.

Last Updated 07/20/2021

PASSED

California: California Consumer Protection Act (CCPA)

California’s CCPA is the mother of modern privacy legislation in the United States. It shares a lot of similarities with Europe’s General Data Protection Regulation (GDPR), which you can read more about here.

CCPA aims to give more consumers greater control over their personal information. It sets new standards that businesses need to follow regarding how they use and store user data, and is finally a way for consumers to fight back against big businesses like Facebook and Google who use personal information for multiple purposes without consent. CCPA passed all the way back in 2018 and has been enforceable since July 2020.

Despite being a ground breaker in privacy legislation, CCPA is not without its flaws. To combat these flaws, and to introduce clarity for both consumers and businesses, California recently passed the California Privacy Rights Act (CPRA), which is often referred to as “CCPA version 2.0.” And I know – those acronyms are very similar. CPRA will help to supplement and clarify CCPA, but it doesn’t take effect until January 2023 and will be made enforceable in July 2023.

We’ll go a bit more in-depth for California than other states, as most states have modelled their own legislation in its likeness.

California Consumer Protection Act (CCPA) and California Privacy Rights Act (CPRA)

CCPA went into effect in July 2020, leading data privacy in the U.S. As mentioned, its goal is to give consumers more control over their personal information.

To follow are a few notable parts of CCPA, regarding rights that are granted to consumers and their personal information. The type of “personal information” that CCPA applies to is anything that identifies or can be linked to you, including your name, social security number, email address, internet browsing history, etc.

You’ll see a lot of these same clauses in other proposed legislation.

Right to know: Consumers can request to know which of their personal information is being collected and stored

Right to delete: Consumers can ask for the collected personal information to be deleted

Right to opt-out: Consumers can opt-out of the sale of their personal information

Right to non-discrimination: Consumers cannot be discriminated against for exercising their rights under CCPA

Who does CCPA and CPRA apply to?

Companies that do business in California that meet any of the following criteria:

• • Have a gross annual revenue of over $25 million; or
  • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
  • Derive 50% or more of their annual revenue from selling California residents’ personal information.

What are the potential penalties for violations?

Under CCPA, your business can’t be sued by an individual for a violation (you can however, be sued for a data breach). The Attorney General of California can file action against your business for misconduct on behalf of the collective legal interests of the people of California.

Once CPRA goes into effect, it will be a whole other story. CPRA establishes an enforcement authority, named the California Privacy Protection Agency (CPPA). (Keep all those acronyms organized, yeah?) The CPPA has power to fine businesses who violate rules, hold hearings, and help to clarify any guidelines that might be unclear. They can also inform businesses if they are in violation, proactively giving them a chance to reform before being fined.

Additionally, the action required by companies in violation is much greater. Not only will businesses in violation have to pay fines, but they must also demonstrate that they have a sustainable solution for the future. Gone are the days of paying a fine for a data breach and then forgetting about it. For a good analogy: “If the cows escape the barn, businesses have to put them back in if they want to avoid legal trouble. Merely putting a lock on the door so nothing gets out next time, will not suffice.”¹ Oh, and the CPPA has a huge budget.

Virginia: Virginia Consumer Data Protection Act (VCDPA)

Virginia follows California with their very similar bill, VCDPA. It also goes into effect on Jan 1, 2023.

The five main consumer rights that VCDPA provides are Right to Know, Right to Correct, Right to Delete, Right to Data Portability, and Right to Opt-out. To prepare for this act, companies will likely need to update their internal compliance policies. Learn more about VCDPA

Who does it apply to?

Entities that conduct business in Virginia or produce products and services that target Virginia residents and:

(i) control or process personal data of 100,000 or more Virginia consumers; or

(ii) control or process the personal data of 25,000 or more Virginia consumers and derive over 50% of gross revenue from the sale of personal data.

Exemptions: entities that are subject to other privacy laws, such as Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), and the Fair Credit Reporting Act (FCRA

Colorado: Colorado Privacy Act

Passed on 6/08/2021

Colorado becomes state number three to pass comprehensive privacy legislation, joining trailblazers California and Virginia. Luckily for me, the Colorado Privacy Act shares many similarities to the Virginia Consumer Data Act (with just slightly less rights to consumers.) It is set to go into effect on July 1st, 2023. Read more about it here

It includes consumers':

• Right to opt out
• Right to access, correct, or delete data
• Right to obtain a portable copy of data

Who does it apply to? 

The bill applies to controllers that conduct business in Colorado or produce products or services that are intentionally targeted to residents of Colorado and that either

1. Control or process the personal data of 100,000 or more consumers during a calendar year and/or
2. Derive revenue or receive a discount on the price of goods or services from the “sale” of personal data and process or control the personal data of 25,000 or more consumers.

The bill does not apply to a few things, including “certain specified entities, personal data governed by certain state and federal laws, listed activities, and employment records.”

How will it be enforced?

The bill specifies that “a violation of its requirements is a deceptive trade practice”, but these violations can only be enforced by the attorney general or district attorneys. This may cause some similar enforcement issues that CCPA faced before the changes of CPRA came along. 

________________________________________________________

IN COMMITTEE

As of the latest update, almost all state legislatures have adjourned for the summer. This means any of these bills that haven’t been passed yet in those states, will be sent to the Failure bin. However, there are still a few key states that have not yet adjourned.  

These are the states that have legislation that are still in deliberation stages still (so, they may or may not pass). The following will be in alphabetical order.

Illinois: Right to Know Act and Consumer Privacy Act

Illinois has introduced two possible pieces of legislation. Naming conventions are everything here, as the Consumer Privacy Act is just a modified version of CCPA.

Read about Right to Know Act    |   Read about Consumer Privacy Act

Who does it apply to?

The Consumer Privacy Act would apply to for-profit businesses that:

• • Do business in Illinois;
  • Collect personal information about consumers, or is the entity on behalf of which the information is collected; and
  • Determine the purposes and means of processing consumer's personal information

AND meet at least one of the following thresholds:

• • Have annual gross revenues in excess of $25 million; or
  • Alone or jointly with others engage with the data of 50,000 or more consumers; or
  • Derive 50% or more of its annual revenue from the sale of consumers' personal information

Also applies to any business that controls or is controlled by a business that shares common branding with the business.

New Jersey: New Jersey Disclosure and Accountability Transparency Act (DATA)

New Jersey have attempted to introduce several bills over the past year with no success however, notably DATA is one of those that is still in committee. The bill would establish requirements for use of personally identifiable information (PII) and establish an Office of Data Protection and Responsible Use. Learn more about the other bills introduced in NJ

New York: New York Privacy Act (NYPA) (+ others)

New York is another state that has introduced a plethora of privacy bills in the past year. The New York Privacy Act is similar to Europe’s GDPR, and its tough regulations would significantly impact businesses that operate in New York. This could pose an issue for passage of the bill. Learn More

Massachusetts: Information Privacy Act (SD 1726 and HD 3847)

This bill for Massachusetts proposes some tight requirements to protect consumers. The language is interesting in that it is slightly more aggressively pushing companies to be vigilant in their practices. “Entities may not use personal information, or information derived from personal information, in any way that: (i) benefits themselves to the detriment of an individual; (ii) results in reasonably foreseeable and material physical or financial harm to an individual; or (iii) would be unexpected and highly offensive to a reasonable individual that provided consent.” Read More

Pennsylvania: Pennsylvania Consumer Data Privacy Act (HB 1126)

This bill, similar to CCPA, is described as being “an act providing for consumer data privacy, for rights of consumers and duties of businesses relating to the collection of personal information and for duties of the Attorney General.” Read More

Who does it apply to?

For-profit businesses that: 

• • Do business in Pennsylvania;
  • Collect, sell, or share consumers' personal information;
  • Alone, or jointly with others, determine the purposes and means of processing consumers' personal information; and
  • Meet at least one of the following thresholds:

1. 1.  Have an annual gross revenue of at least $10 million;
   2. Annually buys, sells, or shares, alone or in combination, the personal information of 50,000 consumers, households, or devices; or
   3. Derives 50% of its annual revenues from the sale of consumers' personal information.

________________________________________________________

INTRODUCED:

Ohio: Personal Privacy Act (HB 376)

Late to the game is Ohio’s Personal Privacy Act. 

This bill would require certain companies (mainly,  larger companies) to inform consumers about what data they collect, if/how they are selling that data, and provide the option to opt out. 

Who would it apply to?

Companies doing business in Ohio that:

1. Have sales above $25 million or
2. Keep records on more than 100,000 customers

Read more about it here. 

________________________________________________________

FAILED

Alabama: Alabama Consumer Privacy Act (ACPA)

(UPDATE: Bill did not pass before legislature adjourned.)

Another CCPA copycat, with Right to Delete, Right to Opt-Out, and Right to Know (the category of information). The types of consumer information it aims to protect are identifying information such as name, email address, biometric, and medical information. Read more

Who would it have applied to?

Any business, or entity controlled by the business and sharing common branding that:

• • Does business in Alabama;
  • Is for-profit;
  • Collects consumers' personal information; and
  • Determines the purposes and means of processing consumers' personal information

To note: ACPA does not list minimum thresholds for aspects such as revenue, much like CCPA and other proposed privacy legislation.

Alaska: Consumer Data Privacy Act (SB 116 and HB 159)

This act would have provided consumers with Right to Know, Right to Disclosure, Right to Delete, and Right to Opt-Out. Notably, it would have also given parents the power to approve or reject the sale of minor’s data. Read more

Who would it have applied to?

Entities that do business in Alaska that:

• • have $25 million annual revenue; or
  • purchase or disclose of the personal information of 100,000 consumers, households, or devices; or
  • have sold the personal information of a consumer, household, or device—even just one consumer, household, or device—during the past year

Florida: Florida Privacy Protection Act (HB 969 and SB 1734)

(HB 969 passed in House on April 21, 2021)

Florida unexpectedly pushed for privacy legislation that would impact big businesses heavily. Similar to CCPA, it aimed to protect users’ personal information and restrict the use of user data. It would have given power to individuals to sue marketers and data brokers for violations. Learn More

Who would it have applied to?

• • For-profit entities that do business in Florida and have annual global revenue of over $25 million; or
  • Entities that either buy, sell, receive, or share the personal information of over 50,000 Florida residents, households or devices annually; or
  • Derive at least half of their global annual revenues from selling or sharing information about Florida residents

Minnesota: Consumer Data Privacy Act (MCDPA)

(Update: the Minnesota legislature adjourned without the passing the bill.)

MCDPA is based on the Washington Privacy Act and Virginia Consumer Data Protection Act. Read more about MCDPA

Who would it have applied to?

MCDPA would apply to companies doing business in Minnesota, including those that provide products or services to Minnesota residents, so long as these companies:

• • process personal data of at least 100,000 consumers; or
  • generate more than 25% of their gross revenue from the sale of personal data, while also processing the personal data of at least 25,000 Minnesota consumers

South Carolina: South Carolina Biometric Data Privacy Act (BDPA)

A relatively limited bill, the BDPA restricts protections to biometric information. Biometric information is information based on biometric identifiers such as fingerprint, face geometry, and retina scan, that can be used to identify an individual. Learn More

Texas: HB 3741 (+ others)

(UPDATE: Texas House Bill 3741 did not pass before session adjourned. To note, House Bill 3746 did pass, but has little effect on consumer rights. It merely requires more information to be made public about data breaches.)

Texas introduced six different bills, the most notable being HB 3741 (the Data Privacy Omnibus), which would focus on “protection of personal identifying information collected, processed, or maintained by certain businesses in the private sector¹” Learn More

Washington: Washington Privacy Act (WPA)

(UPDATE: WPA failed to pass in the House on April 11^th and officially died on April 25^th)

WPA was similar to California’s CPRA and Virginia’s CDPA. This is the third year in a row that WPA failed to pass. Read more about WPA

Oklahoma: Oklahoma Computer Data Privacy Act

(Passed in the House on March 5^th 2021.)

(UPDATE: The bill died in the Senate on April 8^th, 2021.)

Overview:

This act is similar to CCPA. It focuses on consumer rights and protection, such as Right to Know and Right to Delete. One notable difference from CCPA is that it would “require any Oklahoma business covered to obtain the consumer’s opt-in consent before collecting, using or selling their personal information²” Read more.

Why did it die?

The main reason that this bill was prevented from passing is said to be the active opposition from big tech and communications companies. Specifically, “a provision that required businesses in most cases to obtain the consent of consumers prior to collecting, using or selling personal information about them.¹” They may not want this legislation but… it’s coming one way or another.

Rhode Island: Rhode Island Data Transparency and Privacy Protection Act (TPPA)

While this isn’t the most comprehensive bill, we’ll include it in this list anyway. It provides Right to Know for consumers yet misses out on key rights such as Right to Opt-out and Right to Delete. It is described as an act “to identify information collected by online service providers and commercial websites.” Read More

The Rhode Island bill would apply to website operators that:

• • Collect and maintain personally identifiable information from a customer who uses or visits the website or online service for a commercial purpose; and
  • Employ more than 10 individuals.

Vermont: House Bill 160

This one paragraph long bill “proposes to adopt consumer privacy protections, give Vermonters more control over the amount and type of data that personal device manufacturers and service providers collect about them, and adopt other protections provided in the California 12 Consumer Privacy Act.”

________________________________________________________

We know it’s hard to keep track of. No matter what industry or what stage your business is in, Verif-y is here to make it simple. Our solution is different from others. Instead of addressing each detail for every new piece of privacy legislation, you’re proactively protected by not storing any personal records locally. User-owned and permissioned data; out of your hands.

Let’s chat about how Verif-y can help your business

We’ll keep things as up-to-date as possible to keep you informed. In addition, both iapp and Husch Blackwell provide updates on bill status. If your preferred method of getting updates is through Twitter, iapp’s Joe Duball keeps things fresh on his feed.