Note to readers: In the coming months, we will regularly update this guidance in line with legislative movements.
Update February 2022
The United States’ legislative framework is a patchwork quilt of federal, state and industry regulations. While national laws such as the Health Insurance Portability and Accountability Act (“HIPAA”) and the Gramm–Leach–Bliley Act (“GLBA”) protect personally identifiable information in the healthcare and financial verticals, there is no overarching, unified regulation for consumer data protection and privacy.
This means, in effect, that the collection and processing of personal data in the United States are mostly unregulated. With no central directive from Washington, there’s been little push for US-based organisations to improve their data protection and privacy practices – unless, of course, they operate in the European Union (“EU”) or otherwise fall within the scope of the General Data Protection Regulation (“GDPR”).
On the whole, US citizens’ online privacy has been left on the back foot, creating an environment where data ethics is questioned, data breaches and loss are more likely, and consumers are becoming more mistrustful of the companies they interact with. Businesses like Apple, which don’t make money through advertising, are using this as a differentiator for their products, for example through the changes to app tracking in iOS 14.5.
However, things are beginning to change. Inspired by international movements to improve privacy protections – such as the EU GDPR – states in the US are implementing their own privacy laws.
Unlike a federal law, which applies to all US citizens, state laws solely protect their own residents. In line with this, lawmakers in each state can choose exactly what they want their law to cover, meaning each state’s rules differ slightly. Moreover, progress in passing these laws varies widely by geography.
For organisations with a US-based presence – particularly an inter-state one – understanding the mosaic of regulations and their position in the legislative process is becoming essential for compliance.
With that in mind, let’s dive into the current state of play.
Thus far, only two states have officially enacted broad, consumer-focused data privacy laws.
The California Privacy Rights Act (“CPRA”) was passed into law in November of last year and will come into force in January 2023. It was voted in by California residents during the 2020 General Election. The act builds on the state’s already comprehensive data privacy legislation: the California Consumer Privacy Act (“CCPA”), which passed in 2018 and took effect in 2020.
The CCPA borrows many principles from the EU’s GDPR. For example, it includes restrictions around how companies can track and collect citizens’ data, enforced transparency between businesses and consumers on how data is processed, and rules for data protection and security. In turn, the act also gives more direct power to consumers over their data: the right to notice, right to access, right to opt-in/opt-out and the right to equal services.
The CPRA is an addendum to the CCPA. It further strengthens the data privacy rights of California residents, including:
- A new sub-category of personal information, called “sensitive” personal information, which requires additional safeguards. Consumers also have the right to limit businesses’ use and disclosure of this category.
- The establishment of a new government agency, the California Privacy Protection Agency (“CPPA”), to enforce state-wide data privacy laws.
- A mandate for businesses to inform consumers about the length of time they intend to keep their personal data.
The CCPA was the first law of its kind in the US. The fact that it has already been revised and strengthened with the CPRA underscores California’s position as a leader in data privacy and protection. With tech titans such as Facebook, Uber, Google and Apple all headquartered in the state, this momentum is seen as a big step in regulating Big Tech and putting consumer privacy front of mind for digital-native companies.
Passed just earlier this year and set to come into effect in January 2023, Virginia’s Consumer Data Protection Act (“CDPA”) mostly follows the framework of California and the EU’s respective laws. It gives consumers similar rights over controlling their data, including opt-out rights for targeted advertising.
As well as this, it requires businesses – excluding state and local government entities – to reduce personal data collection to what is only “adequate, relevant, and reasonably necessary.”
The main difference between Virginia and California’s laws is that, in California, citizens have a private right of action – or the right to sue – in the event of a data breach. In Virginia, only the state attorney general has this authority. This makes Virginia’s law slightly more “business-friendly”, as all lawsuits will have to be affirmed by the state before they can progress.
The Colorado Privacy Act (“CPA”) was passed in July of this year and will come into effect in July 2023. Like the CDPA, the CPA grants citizens of Colorado more rights over their data, such as the right to opt-out and the right to access the personal data that has been collected about them.
It also places new obligations on businesses as data controllers and/or data processors. For example, it mandates privacy-by-design principles and special safeguards for sensitive data.
The main difference in this legislation is its scope: which businesses it applies to. The CPA applies to businesses that collect data from 100,000 or more Colorado residents, or to businesses that collect the data of at least 25,000 Colorado residents and gain revenue from selling that data.
Furthermore, the CPA introduces a distinctive “universal opt-out” requirement. This mandates data controllers to enable citizens to opt-out through a “user-selected universal opt-out mechanism.” Currently, not much information has been given on how this mechanism will be implemented, and what it will entail.
Like Virginia’s act, the CPA can only be enforced by the Colorado Attorney General and district attorneys. It does not provide a private right of action.
The below bills are, at the time of writing, moving through the state legislative process. Despite the progress being made on these bills, it’s worth noting that most state legislative sessions end between May and June of each year. This means that the bills have a limited time period for approval. For example, Washington’s data privacy regulation has failed to pass for the last three years in a row.
If the bills fail to pass this year, they can be re-introduced in the 2022 state legislative sessions. For now, here is the current standing.
Massachusetts’s Data Privacy Act was unanimously approved by the Legislature’s Committee on Advanced Information Technology in February 2021. This bill is extremely similar to the CCPA. For example, it would require organisations to obtain citizen consent before selling sensitive personal data relating to race, biometric information or geolocation.
The law would also empower citizens with more rights over their data, like the right to detect and correct personal data that companies store. Organisations would also have to publish straightforward privacy notices, giving citizens visibility into how their data is collected and used – and also giving citizens the right to opt-out. To become law, the bill must be approved by the House and Senate, as well as signed by the Republican Governor.
The Massachusetts legislature is open throughout the year, so the bill has been carried over into 2022.
The below bills have been formally submitted to their respective states for review and consideration.
Alaska has two data privacy bills currently sitting with the Labour and Commerce Committee. These bills were introduced during the 2021 session and have carried over into 2022.
Combined, these regulations are similar to the CCPA, although they are slightly less expansive. For example, they do not give consumers the right to correct inaccurate information, nor the right to restrict personal information that is shared for digital behavioural advertising.
New Jersey’s data privacy bill is very similar to the CDPA. It stalled last year, but has since been reintroduced for the 2022 legislative session.
The proposed New York Privacy Act (“NYPA”) builds on the frameworks of the GDPR and CCPA. It was proposed in 2021 and has been carried over into the 2022 legislative session.
This bill is considered by some to be the most comprehensive bill yet, because it also includes a clause on “data fiduciary”, meaning that organisations have a duty to uphold personal data protection over stakeholder obligations.
Like Alabama’s law, it also applies to all businesses that operate in New York, or interact with its citizens, regardless of the company’s vertical, turnover or size.
North Carolina’s Consumer Privacy Act would complement the existing North Carolina Identity Theft Protection Act. While the latter bill focuses on data breach responsibilities, the new Act gives consumers proactive abilities to control their data, just like the GDPR.
As in New York, this bill has carried over into the 2022 legislative session.
The Ohio Personal Privacy Act was introduced on July 13, 2021. While the bill was discussed throughout the autumn, no conclusive decision was made and it has been carried over into 2022.
As in Ohio, Oklahoma’s privacy legislation has been carried over into the 2022 legislative session.
The Pennsylvania Consumer Data Privacy Act was introduced on April 7. It was then referred to the Consumer Affairs Committee. If passed, this bill would take effect immediately. As with many of the above states, this Act is closely modelled on the CCPA.
The bill was also carried over into 2022 and will be reviewed after the legislature reconvenes on April 1, 2022.
Stalled for now
Not every bill that is introduced into the legislative system is passed. In fact, many states’ data privacy bills have either been rejected, or no action was taken on them by the deadline in 2021. This has happened in:
- North Dakota
- Rhode Island
We expect that many, if not all, of the above states will re-propose their bills during the 2022 session. There are some exceptions: Montana, Nevada, North Dakota, and Texas. The legislatures in these states meet every other year, so they will not be in session in 2022.
Regardless, with mounting pressure on governments and organisations alike to prioritise consumer privacy, there is no doubt that we will see more changes to US state privacy laws in the coming months and years – perhaps even foreshadowing a federal law.
If you are concerned about the impact of these regulations on your business, the good news is that they tend to draw on the CCPA and CDPA which, in turn, are closely modelled on the GDPR. For organisations operating in the above states, this means that being aligned to the GDPR puts you in good stead to meet the compliance requirements of state regulations.
If you need assistance with data protection and privacy compliance, we can help. evalian® is a specialist data protection services provider, working with organisations of all sizes. Please contact us for more information.