Last updated July 2021
The United States’ legislative framework is a patchwork quilt of federal, state and industry regulations. While national laws such as the Health Insurance Portability and Accountability Act (“HIPAA”) and the Gramm–Leach–Bliley Act (“GLBA”) protect personally identifiable information across the healthcare and financial verticals, there is no overarching and unified regulation for consumer data protection and privacy.
This means, in effect, that the collection and processing of personal data in the United States is mostly unregulated. With no central directive from Washington, there’s been little push for US-based organisations to improve their data protection and privacy practices – unless of course, they operate in the European Union (“EU”) or otherwise fall within the scope of the General Data Protection Regulation (“GDPR”).
On the whole, US citizens’ online privacy has been left on the back foot, creating an environment where data ethics is questioned, data breaches and loss are more likely, and consumers are becoming more mistrustful of the companies they interact with. Businesses like Apple, which aren’t making money through advertising, are using this as a differentiator for their products, such as through the changes to app tracking in iOS 14.5.
Things are beginning to change, however. Inspired by international movements to improve privacy protections – such as the EU GDPR – states in the US are implementing their own privacy laws.
Unlike a federal law, which applies to all US citizens, state laws solely protect their own residents. In line with this, lawmakers in each state can choose exactly what they want their law to cover, meaning each state’s rules differ slightly. Moreover, progress in passing these laws varies widely by geography.
For organisations with a US-based presence – particularly an inter-state one – understanding the mosaic of regulations and their position in the legislative process is becoming essential for compliance.
With that in mind, let’s dive into the current state of play.
Thus far, only two states have officially enacted broad, consumer-focused data privacy laws.
The California Privacy Rights Act (“CPRA”) was passed into law in November of last year and will come into force in January 2023. It was voted in by California residents during the 2020 General Election. The act builds on the state’s already comprehensive data privacy legislation: the California Consumer Privacy Act (“CCPA”), which passed in 2018 and took effect in 2020.
The CCPA borrows many principles from the EU’s GDPR. For example, it includes restrictions around how companies can track and collect citizens’ data, enforced transparency between businesses and consumers on how data is processed, and rules for data protection and security. In turn, the act also gives more direct power to consumers over their data: the right to notice, right to access, right to opt-in/opt-out and the right to equal services.
The CPRA is an addendum to the CCPA. It further strengthens the data privacy rights of California residents, including:
- A new sub-category of personal information, called “sensitive” personal information, which requires additional safeguards. Consumers also have the right to limit the use and disclosure of this category by businesses.
- The establishment of a new government agency to enforce state-wide data privacy laws called the California Privacy Protection Agency (CPPA).
- A mandate for businesses to inform consumers about the length of time they intend to keep their personal data.
The CCPA was the first law of its kind in the US. The fact that it has already been revised and strengthened with the CPRA underscores California’s position as a leader in data privacy and protection. With tech titans such as Facebook, Uber, Google and Apple all headquartered in the state, this momentum is seen as a big step in regulating Big Tech and putting consumer privacy front of mind for digital-native companies.
Passed earlier this year and set to come into effect in January 2023, Virginia’s Consumer Data Protection Act (“CDPA”) mostly follows the framework of California and the EU’s respective laws. It gives consumers similar rights over controlling their data, including opt-out rights for targeted advertising.
As well as this, it requires businesses – excluding state and local government entities – to reduce personal data collection to what is only “adequate, relevant, and reasonably necessary.”
The main difference between Virginia and California’s laws is that, in California, citizens have a private right of action – or the right to sue – in the event of a data breach. In Virginia, only the state attorney general has this authority. This makes Virginia’s law slightly more “business-friendly”, as all lawsuits will have to be affirmed by the state before they can progress.
The Colorado Privacy Act (“CPA”) was passed in July of this year and will come into effect in July 2023. Like the CDPA, the CPA grants citizens of Colorado more rights over their data, such as the right to opt out and the right to access the personal data that has been collected about them.
It also places new obligations on businesses as data controllers and/or data processors. For example, it mandates privacy-by-design principles and special safeguards for sensitive data.
The main difference in this legislation is which businesses it applies to. The CPA applies to businesses that collect data from 100,000 or more Colorado residents, or to businesses that collect the data of at least 25,000 Colorado residents and gain revenue from selling that data.
Furthermore, the CPA introduces a distinctive “universal opt-out” requirement. This requires data controllers to let citizens opt out through a “user selected universal opt-out mechanism.” Currently, little information has been given on how this mechanism will be implemented and what it will entail.
Like Virginia’s act, the CPA can only be enforced by the Colorado Attorney General and district attorneys. It does not provide a private right of action.
The below bills are, at the time of writing, moving through the state legislative process. Despite progress being made on these bills, it’s worth noting that most state legislative sessions end between May and June of each year. This means that the bills have a limited time period for approval. For example, Washington’s data privacy regulation has failed to pass for the last three years in a row.
If the bills fail to pass this year, they can be re-introduced in the 2022 state legislative sessions. For now, here is the current standing.
The Nevada data privacy bill was heard by the Assembly Commerce and Labour Committee in April, where it currently remains under review. While this bill is a positive step for data privacy, it is notably less comprehensive than the CCPA and CDPA. For example, it does not give consumers rights of access, portability, deletion, or non-discrimination. It also has no opt-in requirements for age consent.
New Jersey’s data privacy bill is very similar to the CDPA. It was heard by the Assembly Science, Innovation and Technology Committee in March. No further progress has been made on the bill since then.
The below bills have been formally submitted to their respective states for review and consideration. It can be speculated that these bills have less chance of becoming law this year, due to the lack of review and attention they have received from their state legislatures. Despite this, it’s still encouraging to see progress being made by so many states towards better data privacy.
Massachusetts’s Data Privacy Act was introduced on March 29. As of May 2021, it is sitting with the Joint Committee on Advanced Information Technology, the Internet and Cybersecurity. This bill is extremely similar to the CCPA.
The proposed New York Privacy Act (“NYPA”) builds on the frameworks of the GDPR and CCPA. It is considered by some to be the most comprehensive bill yet, because it also includes a clause on “data fiduciary”, meaning that organisations have a duty to uphold personal data protection over stakeholder obligations.
Like Alabama’s law, it also applies to all businesses that operate in New York, or interact with its citizens, regardless of the company’s vertical, turnover or size.
North Carolina’s Consumer Privacy Act would complement the existing North Carolina Identity Theft Protection Act. While the latter bill focuses on data breach responsibilities, the new Act gives consumers proactive abilities to control their data, just like the GDPR. Currently, the bill is with the Rules and Operations Committee.
The Pennsylvania Consumer Data Privacy Act was introduced on April 7. It was then referred to the Consumer Affairs Committee. If passed, this bill would take effect immediately. As with many of the above states, this Act is closely modelled on the CCPA.
The Rhode Island Transparency and Privacy Protection Act (TPPA) was introduced in February of this year. Unlike most state bills, it refers to data privacy within the context of ‘customers’ rather than ‘consumers’.
However, the definition of customer does not correlate directly to purchasing a service or product. Rather, it is the data of any person who is “purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service, including advertising or any other content.” The bill is currently with the House Committee on Corporations for further study.
Stalled for now
Not every bill that is introduced into the legislative system is passed. In fact, many states’ data privacy laws have either been overturned, or no action was taken on them by the deadline. This has happened in:
- North Dakota
- South Carolina
As mentioned above, the nature of the US legislative process means that lawmakers will now have to wait until the 2022 session to re-propose their bills.
But, with some bills still active, and mounting pressure on governments and organisations alike to prioritise consumer privacy, there is no doubt that we will see more changes to US state privacy laws in the coming months and years – perhaps even foreshadowing a federal law.
If you are concerned about the impact of these regulations on your business, the good news is that they tend to draw on the CCPA and CDPA which, in turn, are closely modelled on the GDPR. For organisations operating in the above states, this means that being aligned to the GDPR stands you in good stead to meet the compliance requirements of state regulations.
If you need assistance with data protection and privacy compliance, we can help. Evalian is a specialist data protection services provider, working with organisations of all sizes. Please contact us for more information.