State Privacy Laws: A Primer for Businesses

Introduction

As a business owner, you know that compliance with federal and state laws is essential for the success and legality of your operations. One area that is particularly complex and ever-evolving is privacy law. In the United States, privacy laws vary from state to state, creating a patchwork of rules and regulations that can be difficult to navigate. While the U.S. does not yet have a comprehensive federal privacy law like the General Data Protection Regulation (GDPR) in the European Union, some states, such as California, have enacted strong privacy legislation. However, other states have not yet enacted similar laws, leaving a patchwork of protection for consumers.

To complicate matters further, new privacy laws are constantly being proposed and enacted at the state level. As a result, it’s important for me to stay informed and up-to-date on the latest developments in state privacy laws.

In this blog post, I will provide an overview of the current state of privacy laws in the U.S. I will highlight the key privacy laws in various states, as well as provide information on active privacy bills under consideration. I will also discuss biometric privacy laws, which regulate the collection, use, and storage of biometric data such as fingerprints and facial scans.

Finally, I will offer tips and resources for staying informed about state privacy laws, as well as answer common questions that businesses may have about compliance with these laws. By the end of this post, you should have a better understanding of your obligations under state privacy laws and how to meet them.

California

As the most populous state in the U.S., California has long been a leader in privacy legislation. The California Consumer Privacy Act (CCPA) is the most comprehensive privacy law in the state, and it went into effect on January 1, 2020. The CCPA grants California consumers the right to request that businesses disclose the personal information they have collected about them, and to request that this information be deleted. The CCPA also prohibits businesses from selling the personal information of minors under the age of 16 without explicit parental consent.

In addition to the CCPA, California has also enacted the California Privacy Rights Act (CPRA), which expands on the CCPA’s provisions and goes into effect on January 1, 2023. The CPRA grants California consumers additional rights, such as the right to opt out of the sale of their personal information and the right to non-discrimination for exercising their privacy rights.

Other privacy laws in California include the California Online Privacy Protection Act (CalOPPA), which requires businesses to post a privacy policy on their website if they collect personal information from users, and the “Shine the Light” Law, which allows California consumers to request that a business disclose any personal information it has shared with third parties for marketing purposes.

Overall, California has some of the strongest privacy protections in the U.S., and businesses operating in the state should be sure to familiarize themselves with these laws and comply with their requirements.

Colorado

Colorado is another state that has enacted strong privacy legislation. The Colorado Privacy Act (CPA) went into effect on September 1, 2021, and it grants Colorado consumers similar rights to those provided by the CCPA and CPRA in California. These rights include the right to request that businesses disclose the personal information they have collected about them, and to request that this information be deleted.

Under the CPA, businesses are also required to provide clear and conspicuous notice to consumers at the point of data collection, informing them of their rights under the law. In addition, businesses must honor consumer requests to opt out of the sale of their personal information and must not discriminate against consumers for exercising their privacy rights.

Like California, Colorado has a broad definition of personal information that includes any information that can be used to identify a consumer, either alone or in combination with other information. This includes not only traditional personal data such as name, address, and email address, but also less obvious types of data such as IP addresses and device identifiers.

Businesses operating in Colorado should be sure to familiarize themselves with the CPA and comply with its requirements in order to avoid potential legal liabilities.

Connecticut

Connecticut has also enacted a strong privacy law in the form of the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA). The CTDPA went into effect on October 1, 2021, and it grants Connecticut consumers the right to request that businesses disclose the personal information they have collected about them, as well as the right to request that this information be deleted.

The CTDPA also requires businesses to provide clear and conspicuous notice to consumers at the point of data collection, informing them of their rights under the law. In addition, businesses must honor consumer requests to opt out of the sale of their personal information and must not discriminate against consumers for exercising their privacy rights.

Like the CCPA, CPRA, and CPA, the CTDPA has a broad definition of personal information that includes any information that can be used to identify a consumer, either alone or in combination with other information. This includes traditional personal data such as name, address, and email address, as well as less obvious types of data such as IP addresses and device identifiers.

Businesses operating in Connecticut should be sure to familiarize themselves with the CTDPA and comply with its requirements in order to avoid potential legal liabilities.

Florida

Florida has enacted a privacy law in the form of the Florida Information Protection Act (FIPA). FIPA went into effect on July 1, 2022, and it grants Florida consumers the right to request that businesses disclose the personal information they have collected about them, as well as the right to request that this information be deleted.

FIPA also requires businesses to provide clear and conspicuous notice to consumers at the point of data collection, informing them of their rights under the law. In addition, businesses must honor consumer requests to opt out of the sale of their personal information and must not discriminate against consumers for exercising their privacy rights.

Like other state privacy laws, FIPA has a broad definition of personal information that includes any information that can be used to identify a consumer, either alone or in combination with other information. This includes traditional personal data such as name, address, and email address, as well as less obvious types of data such as IP addresses and device identifiers.

Businesses operating in Florida should be sure to familiarize themselves with FIPA and comply with its requirements in order to avoid potential legal liabilities.

Illinois

Illinois has a specific privacy law that regulates the collection, use, and storage of biometric data, such as fingerprints and facial scans. The Illinois Biometric Information Privacy Act (BIPA) went into effect on January 1, 2008, and it requires businesses to obtain written consent from individuals before collecting, using, or storing their biometric data.

Under BIPA, businesses must also develop and publish a publicly available retention schedule and guidelines for permanently destroying biometric data. In addition, businesses must not sell, lease, or trade biometric data without the explicit consent of the individual.

Violations of BIPA can result in legal action by the Illinois Attorney General or private lawsuits, so it is important for businesses operating in Illinois to familiarize themselves with the law and comply with its requirements.

Massachusetts

The state of Massachusetts has a comprehensive data privacy law known as Chapter 93H of the Massachusetts General Laws. This law went into effect on March 1, 2010, and applies to any business that owns, licenses, or stores personal data of Massachusetts residents.

Under Chapter 93H, businesses must develop and implement reasonable security measures to protect personal data from unauthorized access, disclosure, or misuse. This includes implementing technical, physical, and administrative safeguards, as well as regularly testing and monitoring the effectiveness of these measures.

In addition, businesses must report any breach of personal data to affected Massachusetts residents and to the Office of Consumer Affairs and Business Regulation (OCABR) within five business days of discovery. The law also requires businesses to provide clear and conspicuous notice to consumers about their privacy rights and the business’s data collection and use practices.

Businesses operating in Massachusetts should be sure to familiarize themselves with Chapter 93H and comply with its requirements in order to avoid potential legal liabilities.

Nevada

Nevada has enacted a privacy law in the form of the Nevada Privacy Law (SB 220). SB 220 went into effect on October 1, 2021, and it grants Nevada consumers the right to request that businesses disclose the personal information they have collected about them, as well as the right to request that this information be deleted.

SB 220 also requires businesses to provide clear and conspicuous notice to consumers at the point of data collection, informing them of their rights under the law. In addition, businesses must honor consumer requests to opt out of the sale of their personal information and must not discriminate against consumers for exercising their privacy rights.

Like other state privacy laws, SB 220 has a broad definition of personal information that includes any information that can be used to identify a consumer, either alone or in combination with other information. This includes traditional personal data such as name, address, and email address, as well as less obvious types of data such as IP addresses and device identifiers.

Businesses operating in Nevada should be sure to familiarize themselves with SB 220 and comply with its requirements in order to avoid potential legal liabilities.

New York

New York has enacted a comprehensive privacy law in the form of the New York Privacy Act (NYPA). NYPA went into effect on January 1, 2023, and it grants New York consumers the right to request that businesses disclose the personal information they have collected about them, as well as the right to request that this information be deleted.

NYPA also requires businesses to provide clear and conspicuous notice to consumers at the point of data collection, informing them of their rights under the law. In addition, businesses must honor consumer requests to opt out of the sale of their personal information and must not discriminate against consumers for exercising their privacy rights.

Like other state privacy laws, NYPA has a broad definition of personal information that includes any information that can be used to identify a consumer, either alone or in combination with other information. This includes traditional personal data such as name, address, and email address, as well as less obvious types of data such as IP addresses and device identifiers.

Businesses operating in New York should be sure to familiarize themselves with NYPA and comply with its requirements in order to avoid potential legal liabilities.

Texas

Texas has a specific privacy law that regulates the capture or use of biometric identifiers, such as fingerprints and facial scans. The Texas Capture or Use of Biometric Identifier Act (“CUBI”) went into effect on September 1, 2021, and it requires businesses to obtain written consent from individuals before collecting, using, or storing their biometric data.

Under CUBI, businesses must also develop and publish a publicly available retention schedule and guidelines for permanently destroying biometric data. In addition, businesses must not sell, lease, or trade biometric data without the explicit consent of the individual.

Violations of CUBI can result in legal action by the Texas Attorney General or private lawsuits, so it is important for businesses operating in Texas to familiarize themselves with the law and comply with its requirements.

Utah

Utah has enacted a privacy law in the form of the Utah Consumer Privacy Act (UCPA). UCPA went into effect on May 1, 2022, and it grants Utah consumers the right to request that businesses disclose the personal information they have collected about them, as well as the right to request that this information be deleted.

UCPA also requires businesses to provide clear and conspicuous notice to consumers at the point of data collection, informing them of their rights under the law. In addition, businesses must honor consumer requests to opt out of the sale of their personal information and must not discriminate against consumers for exercising their privacy rights.

Like other state privacy laws, UCPA has a broad definition of personal information that includes any information that can be used to identify a consumer, either alone or in combination with other information. This includes traditional personal data such as name, address, and email address, as well as less obvious types of data such as IP addresses and device identifiers.

Businesses operating in Utah should be sure to familiarize themselves with UCPA and comply with its requirements in order to avoid potential legal liabilities.

Virginia

Virginia has enacted a privacy law in the form of the Virginia Consumer Data Protection Act (CDPA). CDPA went into effect on January 1, 2022, and it grants Virginia consumers the right to request that businesses disclose the personal information they have collected about them, as well as the right to request that this information be deleted.

CDPA also requires businesses to provide clear and conspicuous notice to consumers at the point of data collection, informing them of their rights under the law. In addition, businesses must honor consumer requests to opt out of the sale of their personal information and must not discriminate against consumers for exercising their privacy rights.

Like other state privacy laws, CDPA has a broad definition of personal information that includes any information that can be used to identify a consumer, either alone or in combination with other information. This includes traditional personal data such as name, address, and email address, as well as less obvious types of data such as IP addresses and device identifiers.

Businesses operating in Virginia should be sure to familiarize themselves with CDPA and comply with its requirements in order to avoid potential legal liabilities.

Washington

Washington has a specific privacy law that regulates the collection, use, and storage of biometric data, such as fingerprints and facial scans. The Washington Biometric Privacy Protection Act (HB 1493) went into effect on July 1, 2017, and it requires businesses to obtain written consent from individuals before collecting, using, or storing their biometric data.

Under HB 1493, businesses must also develop and publish a publicly available retention schedule and guidelines for permanently destroying biometric data. In addition, businesses must not sell, lease, or trade biometric data without the explicit consent of the individual.

Violations of HB 1493 can result in legal action by the Washington Attorney General or private lawsuits, so it is important for businesses operating in Washington to familiarize themselves with the law and comply with its requirements.

Biometric Information Privacy Laws

Several states in the US have enacted privacy laws that specifically regulate the collection, use, and storage of biometric data, such as fingerprints and facial scans. These laws typically require businesses to obtain written consent from individuals before collecting, using, or storing their biometric data, and they may also require businesses to develop and publish a publicly available retention schedule and guidelines for permanently destroying biometric data.

In addition, these laws generally prohibit businesses from selling, leasing, or trading biometric data without the explicit consent of the individual. Violations of these laws can result in legal action by the state Attorney General or private lawsuits, so it is important for businesses operating in these states to familiarize themselves with the relevant laws and comply with their requirements.

The states that currently have biometric privacy laws on the books include Illinois (BIPA), Texas (“CUBI”), and Washington (HB 1493). Businesses operating in these states should be sure to familiarize themselves with the applicable laws and comply with their requirements in order to avoid potential legal liabilities.

Conclusion: The Patchwork of U.S. State Privacy Laws

As the patchwork of U.S. state privacy laws illustrates, the landscape of data privacy regulation in the United States is complex and constantly evolving. With the increasing importance of personal data in the digital age, it is crucial for businesses to stay up-to-date on the privacy laws that apply to their operations and to implement appropriate measures to protect the personal data of their customers and clients.

While the European Union has taken a more comprehensive approach to data privacy with the General Data Protection Regulation (GDPR), the U.S. has left it up to individual states to legislate in this area. As a result, businesses operating in multiple states may be subject to a variety of different privacy laws, each with its own requirements and limitations.

To ensure compliance with all relevant privacy laws, it is important for businesses to carefully review the applicable laws and seek legal counsel if necessary. By taking proactive steps to protect personal data and respect the privacy rights of individuals, businesses can protect themselves from potential legal liabilities and build trust with their customers and clients.

Frequently Asked Questions

What is personal data?

Personal data is any information that can be used to identify a specific individual, either alone or in combination with other information. This includes traditional personal information such as name, address, and email address, as well as less obvious types of data such as IP addresses and device identifiers.

What are the main privacy laws in the U.S.?

The main privacy laws in the U.S. include the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR) in the European Union, and various state privacy laws.

What are the main privacy rights granted to consumers under these laws?

Consumers generally have the right to request that businesses disclose the personal information they have collected about them, as well as the right to request that this information be deleted. Consumers may also have the right to opt out of the sale of their personal information and to not be discriminated against for exercising their privacy rights.

What are the main obligations of businesses under these laws?

Businesses have an obligation to protect the personal data of consumers and to respect their privacy rights. This includes providing clear and conspicuous notice to consumers about their privacy rights and the business’s data collection and use practices, as well as honoring consumer requests to opt out of the sale of their personal information and not discriminating against consumers for exercising their privacy rights.

What are the potential consequences for businesses that fail to comply with these laws?

Businesses that fail to comply with privacy laws may face legal action by regulatory authorities or private lawsuits. They may also face reputational damage and a loss of customer trust.

Are all U.S. states required to follow the same privacy laws?

No, U.S. states have the authority to enact their own privacy laws, and as a result, there is a patchwork of different privacy laws in place across the country. This means that businesses operating in multiple states may be subject to a variety of different privacy laws, each with its own requirements and limitations.

Do U.S. privacy laws apply to businesses operating outside of the U.S.?

It depends on the specific laws and the nature of the business’s operations. Some privacy laws, such as the GDPR, have extraterritorial application and can apply to businesses operating outside of the EU if they offer goods or services to EU residents or if they monitor the behavior of EU residents. Other laws, such as the CCPA, only apply to businesses operating within the state of California.

What is the role of the Federal Trade Commission (FTC) in U.S. privacy regulation?

The Federal Trade Commission (FTC) is the primary federal agency responsible for protecting consumers from deceptive or unfair practices, including those related to privacy and data security. The FTC has the authority to take enforcement action against businesses that violate federal privacy laws or engage in deceptive or unfair practices.

How can businesses ensure compliance with U.S. privacy laws?

To ensure compliance with U.S. privacy laws, businesses should carefully review the applicable laws and seek legal counsel if necessary. They should also implement appropriate measures to protect the personal data of their customers and clients, including developing and implementing reasonable security measures and regularly testing and monitoring the effectiveness of these measures. In addition, businesses should provide clear and conspicuous notice to consumers about their privacy rights and the business’s data collection and use practices, and they should honor consumer requests to opt out of the sale of their personal information and not discriminate against consumers for exercising their privacy rights.

Are there any federal privacy laws in the U.S.?

Yes, there are several federal privacy laws in the U.S., including the Children’s Online Privacy Protection Act (COPPA), which regulates the collection of personal information from children under the age of 13, and the Health Insurance Portability and Accountability Act (HIPAA), which regulates the use and disclosure of protected health information.

The U.S. also has a federal anti-spam law, known as the CAN-SPAM Act, which regulates the use of commercial emails and requires businesses to provide recipients with the ability to opt out of future emails.

Can a state privacy law be preempted by a federal privacy law?

Yes, a state privacy law can be preempted by a federal privacy law if the federal law specifically supersedes or overrides the state law. This can happen if the federal law addresses the same issue as the state law and if the federal law occupies the field, meaning it comprehensively regulates the issue and leaves no room for state regulation.

How often do state privacy laws change?

State privacy laws can change frequently, as new laws are introduced and old laws are amended or repealed. Some states have passed multiple privacy laws in a short period of time, while others have not updated their privacy laws in many years. It is important for businesses to keep track of changes to state privacy laws, as they may be required to comply with new requirements or may have new obligations to consumers.

Is the GDPR the only comprehensive privacy law in the EU?

No, the GDPR is not the only comprehensive privacy law in the EU. The EU also has the ePrivacy Directive, which regulates the processing of personal data in the electronic communications sector, and the Network and Information Systems Directive (NIS Directive), which addresses cybersecurity risks in critical infrastructure sectors.

Do U.S. privacy laws provide the same level of protection as EU privacy laws?

U.S. privacy laws do not provide the same level of protection as EU privacy laws, such as the GDPR. While the U.S. has a patchwork of state and federal privacy laws that provide some protection for personal data, these laws are generally not as comprehensive as the GDPR and do not provide the same level of rights to individuals.

What is the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act (CCPA) is a privacy law that went into effect on January 1, 2020. It applies to businesses operating in California that collect personal information from California residents and that meet certain thresholds for annual gross revenue, personal information collected, or number of consumers. The CCPA gives California residents the right to request that businesses disclose the personal information they have collected about them, as well as the right to request that this information be deleted. It also gives consumers the right to opt out of the sale of their personal information and prohibits businesses from discriminating against consumers for exercising their privacy rights.

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is a comprehensive privacy law that went into effect on May 25, 2018. It applies to businesses operating within the European Union (EU) and to businesses outside of the EU that offer goods or services to EU residents or that monitor the behavior of EU residents. The GDPR gives EU residents the right to request that businesses disclose the personal information they have collected about them, as well as the right to request that this information be deleted or corrected. It also gives consumers the right to object to the processing of their personal data and the right to data portability, which allows them to request a copy of their personal data in a commonly used format. The GDPR imposes strict penalties for non-compliance, including fines of up to 4% of a company’s global annual revenue or €20 million (whichever is greater).

What is the California Privacy Rights Act (CPRA)?

The California Privacy Rights Act (CPRA) is a privacy law that was approved by California voters in November 2020 and that went into effect on January 1, 2021. It builds on the California Consumer Privacy Act (CCPA) and provides additional protections for personal information. The CPRA gives California residents the right to request that businesses disclose the personal information they have collected about them, as well as the right to request that this information be deleted. It also gives consumers the right to opt out of the sale of their personal information and prohibits businesses from discriminating against consumers for exercising their privacy rights. In addition, the CPRA requires businesses to provide consumers with the option to opt out of the collection and use of their sensitive personal information, such as precise geolocation data and racial or ethnic origin.

What is the California Online Privacy Protection Act (CalOPPA)?

The California Online Privacy Protection Act (CalOPPA) is a privacy law that applies to businesses operating in California that operate a commercial website or mobile app and that collect personal information from California residents. The law requires businesses to conspicuously post a privacy policy on their website or app that describes the types of personal information they collect and the purposes for which they collect it. The privacy policy must also describe the process by which consumers can review and request changes to their personal information, as well as the process by which the business will notify consumers of any material changes to the policy.

What is the “Shine the Light” Law?

The “Shine the Light” Law is a California privacy law that gives California residents the right to request that businesses disclose the personal information they have collected about them and the categories of third parties with whom the information has been shared. The law applies to businesses operating in California that have disclosed personal information about California residents to third parties for marketing purposes during the preceding calendar year. Businesses that receive such requests are required to provide the requested information to the consumer free of charge within 30 days.
