In 2018, the European Union spearheaded the process of establishing regulations for the personal data protection of internet users with the General Data Protection Regulation (GDPR). In recent years, with the rise of technology and the internet, privacy has also become an increasingly important issue in the United States. There has been a growing concern about how personal information is collected, used, and shared.
If your company currently conducts business in the United States or plans to do so in the future, you need to stay up to date on the rapidly changing US state privacy laws. In this blog post, we will discuss the current state of US privacy laws.
What Are Data Privacy Laws?
Data privacy laws regulate how entities, both private businesses and organizations, must collect, manage, use, share, and protect the personal data of users, called consumers.
The United States, in contrast to Europe, doesn’t have a single comprehensive federal law that covers the privacy of all types of data. Instead, it has several laws with acronyms like HIPAA, FCRA, FERPA, GLBA, ECPA, COPPA, and VPPA that target only specific types of data in special circumstances and are often outdated. Just a few US states have comprehensive data privacy laws on the books.
The Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (HIPAA), established in 1996, is a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed. It regulates the flow of healthcare information, stipulates how personally identifiable information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and prohibits healthcare providers and healthcare businesses, called covered entities, from disclosing protected information to anyone other than a patient and the patient's authorized representatives without their consent. However, not all health data is covered by HIPAA. For example, the law does not restrict who can ask for your COVID-19 vaccination status.
The Fair Credit Reporting Act
The Fair Credit Reporting Act (FCRA) covers information collected by consumer reporting agencies such as credit bureaus, medical information companies, and tenant screening services. The law regulates who is allowed to see your credit report, what the credit bureaus can collect, and how information is obtained.
The Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions, which are companies that offer consumers financial products or services like loans, financial or investment advice, or insurance, to explain how they share data, to safeguard sensitive data, and to provide the right to customers to opt out of data sharing. However, it doesn’t restrict how companies use the collected data if they disclose such usage beforehand.
The Family Educational Rights and Privacy Act
The Family Educational Rights and Privacy Act (FERPA) determines who can request student education records. This could be parents, eligible students, and other schools that have the right to check education records maintained by a school.
The Electronic Communications Privacy Act
The Electronic Communications Privacy Act (ECPA) applies to email, telephone conversations, and data stored electronically, protecting wire, oral, and electronic communications. It sets broad rules concerning how employers can monitor employee communications. Since the law was passed in 1986, well before the rise of the internet, it is considered outdated. It doesn’t protect against modern surveillance tactics such as cookies, tracking pixels, and other tracking technologies, or against access to data stored on servers, cloud storage documents, and search queries.
The Children’s Online Privacy Protection Rule
The Children’s Online Privacy Protection Rule (COPPA) limits the collection of data from children under 13 years old.
Driver’s Privacy Protection Act
The Driver's Privacy Protection Act (DPPA), introduced in 1994, regulates Departments of Motor Vehicles and other authorized recipients of personal information and imposes record-keeping requirements for personal data.
The Video Privacy Protection Act
The Video Privacy Protection Act (VPPA) is a law that regulates video providers' ability to disclose the titles of the videos, such as a movie or TV show, that a person requested or obtained from the provider in combination with the person's name. The law was passed in 1988 and is also considered outdated.
The Federal Trade Commission Act
The Federal Trade Commission Act (FTC Act) empowers the FTC to investigate and prevent unfair methods of competition and unfair or deceptive acts or practices affecting commerce. It allows the investigation of cases in which an app or website violates its own Privacy Policy or its marketing language related to privacy.
US States with Comprehensive Data Privacy Laws
Different US states have privacy laws in different legislative stages. As of April of 2023, only five US states have comprehensive data privacy laws:
California (effective Jan. 1, 2020)
The California Consumer Privacy Act (CCPA) was the first data privacy law in the US, which took effect on January 1, 2020. The CCPA regulates how businesses treat California's consumers' personal information and privacy. Consumers have these main rights under the CCPA:
- Right to notice. Consumers have the right to know what personal data is being collected about them and the purposes for which the information is being used.
- Right to know. Consumers have the right to know the third parties with whom the business shares the information and whether their personal data is sold or disclosed.
- Right to disclosure. Consumers have the right to access their personal data upon request.
- Right to opt-out. Consumers have the right to agree or disagree to the collection, management, or sale of their personal data.
- Right to deletion. Consumers have the right to ask for the deletion of their personal data.
- Right to equal services and prices. Consumers must not be discriminated against for exercising their privacy rights.
Read more details about the CCPA.
The California Privacy Rights Act (CPRA) went into effect on January 1, 2023. The CPRA amends existing provisions by creating new and expanded rights for California consumers and increasing obligations on businesses. It also establishes the California Privacy Protection Agency to implement and enforce the law.
Read more details about the CPRA.
Need to be CCPA and CPRA compliant? Use the CookieScript plugin, which allows you to stay compliant with the CCPA, CPRA, and other privacy laws.
Virginia (effective Jan. 1, 2023)
Virginia was the second US state to regulate consumers’ data privacy. The Virginia Consumer Data Protection Act (VCDPA) was signed on March 2, 2021, and became effective on January 1, 2023.
Virginia consumers have six main rights under the VCDPA:
- Right to access. Consumers have the right "to confirm whether or not a controller is processing the consumer's personal data and to access such personal data."
- Right to correct. Consumers have the right to correct inaccuracies in their personal data, regarding the nature and the purposes of the personal data.
- Right to delete. Consumers have the right to delete the personal data provided by them or obtained about them.
- Right to data portability. Consumers have the right to obtain a copy of the consumer's personal data in a usable format and to the extent technically feasible.
- Right to opt-out. Consumers have the right to choose between explicit or implied consent modes for the processing of their personal data for purposes of targeted advertising, the sale of personal data, and profiling in decisions that produce legal or other significant effects concerning the consumer.
- Right to appeal. Consumers have the right to appeal a business's denial to act within a reasonable time.
Read more details about the VCDPA.
Colorado (effective July 1, 2023)
Colorado was the third state to enact a comprehensive US data privacy law. The Colorado Privacy Act (CPA) will go into effect on July 1, 2023.
Similarly to the VCDPA, Colorado consumers have these main rights under the CPA:
- Right of access.
- Right to correct.
- Right to delete.
- Right to data portability.
- Right to opt-out.
- Right to appeal.
Read more details about the CPA.
Connecticut (effective July 1, 2023)
The Connecticut Data Privacy Act (CTDPA) will go into effect on July 1, 2023. It mostly resembles the California Consumer Privacy Act, the Colorado Privacy Act, and the Virginia Consumer Data Protection Act, with many of the law’s provisions falling between these laws.
Connecticut consumers have these main rights under the CTDPA:
- Right of access.
- Right to correct.
- Right to delete.
- Right to data portability.
- Right to opt-out.
Read more details about the CTDPA.
Utah (effective Dec. 31, 2023)
The Utah Consumer Privacy Act (UCPA) will take effect on December 31, 2023. The Utah privacy law differs more from the above-mentioned privacy laws and is considered one of the most business-friendly US data privacy laws so far.
Utah consumers have these main rights under the UCPA:
- Right of access.
- Right to delete.
- Right to data portability.
- Right to opt-out of certain processing.
The UCPA does not provide the right to opt out of profiling. Also, unlike the CCPA, CPA, or VCDPA, the Utah privacy law does not grant Utah consumers the right to correct inaccuracies in their personal data.
The law also differs from other US data privacy laws in that companies must meet multiple criteria for it to apply. Meeting any one of the criteria alone is not enough for the UCPA to apply.
Read more details about the UCPA.
US States with Limited Data Privacy Laws
Michigan
Although Michigan does not have a data privacy law in effect, in September 2022, Michigan Senator Rosemary Bayer and eight fellow Senate Democrats introduced Senate Bill 1182, which would create the Michigan Personal Data Privacy Act.
Michigan consumers will have the following rights:
- Right to disclosure.
- Right to notice.
- Right to deletion.
- Right to correction.
- Right to opt-out.
Find out more about the proposed Michigan Personal Data Privacy Act (MPDPA) to be prepared.
Nevada
The Nevada privacy law (SB260) was enforced on Oct 1st, 2021. Nevada’s Senate Bill 220 requires organizations that run websites that collect and maintain data to comply with requirements set by the law. Organizations must provide designated request addresses where consumers can submit requests for the operator not to sell any of their information.
Illinois
Illinois has multiple privacy laws with which state entities must comply:
- Personal Information Protection Act (PIPA).
- Student Online Personal Protection Act (SOPPA).
- Biometric Information Privacy Act (BIPA).
- Protecting Household Privacy Act (PHPA), enforced on Jan 1st, 2022.
Other US states
There are over 20 other US states where privacy laws are in different legislative stages. The current status of the privacy law of each US state can be checked at the US states’ privacy legislation tracker.
How to Ensure Compliance?
The absence of a comprehensive federal law means that consumers' privacy protections can vary significantly depending on where they live. Each state has distinct privacy rules and regulations regarding data collection, processing, and selling or sharing. Individuals and businesses alike will need to stay informed about the evolving landscape of privacy laws and regulations to ensure they remain compliant and respectful of individuals' privacy.
The easiest way to stay compliant with privacy laws is to use the CookieScript Consent Management Platform (CMP).
First, CookieScript CMP uses geo-targeting functionality, the method of delivering different Cookie Banners and different privacy notices to consumers based on their geographic locations. Website visitors will be presented with the right banners, which are required for compliance with the privacy laws of a particular US state.
Second, CookieScript is a complete compliance management tool aimed at helping your website or business adapt to the ever-changing landscape of data privacy on the internet, regardless of which regulatory law is in question - CCPA, VCDPA, CPA, CTDPA, or any other.
Third, CookieScript has a full set of compliance features, including a privacy policy generator, Cookie Scanner, consent manager, integrations with CMS platforms, script manager, and others.
Lastly, CookieScript CMP has a user-friendly interface, prepared templates, and privacy law compliance checklist hints that allow you to stay compliant in minutes.
Frequently Asked Questions
Which US states have comprehensive data privacy laws?
As of April of 2023, only five US states have comprehensive data privacy laws: California (CCPA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA). Use CookieScript, a complete compliance management solution aimed at helping your website or business stay compliant, regardless of which regulatory law is in question.
What Are Data Privacy Laws?
Data privacy laws regulate how entities must collect, manage, use, share, and protect personal data. The US doesn’t have a single comprehensive federal law that covers the privacy of all types of data. Instead, it has several laws that target only specific types of data in special circumstances. Just a few US states have comprehensive data privacy laws.
How can companies ensure US privacy laws compliance?
Each US state has distinct privacy rules and regulations regarding data collection, processing, and selling or sharing, so individuals and businesses alike will need to stay informed about the evolving landscape of privacy laws. The easiest way to stay compliant with the privacy laws is to use the CookieScript Consent Management Platform, which uses geo-targeting functionality, has a full set of compliance features, and has a user-friendly interface.
How to know the current status of US states’ privacy laws?
As of April of 2023, only five US states have comprehensive data privacy laws: California (CCPA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA). There are over 20 other US states where privacy laws are in different legislative stages. The current status of the privacy law of each US state can be checked at the US states’ privacy legislation tracker.