U.S. State Privacy Laws

While not every state in the U.S. has strong privacy laws, a number of them do, and that number is growing.

Today, more states than ever before are working together in a bipartisan manner to write and pass such laws.

As technology advances, more and more governments and businesses are collecting data about their citizens and customers, including things like fingerprints, facial recognition data, and DNA information.

With the lack of national consumer privacy laws designed to protect individuals from unethical and intrusive data-collection practices, it is currently up to the states to have their own protective legislation.

This article will provide an overview of the central privacy and biometric laws each state has enacted (or may soon enact) within the United States.

States With Active Privacy Laws

As stated previously, consumer data and biometric privacy have become a hot-button issue in recent years, as governments and companies increasingly collect and sell personal information.

In response, five states - California, Colorado, Connecticut, Utah, and Virginia - have enacted comprehensive consumer data privacy laws. As states grapple with how best to protect consumer data privacy, it will be interesting to see how these laws evolve.

Below, we'll provide an overview of the privacy laws currently on the books.

California Privacy Laws

California has a long history of protecting its residents' privacy by passing and enforcing laws aimed at safeguarding personal information.

California was the first state to pass a law regulating how businesses collect and use personal data, and it continues to lead the way when it comes to data privacy.

Here are the key privacy laws from this state.

California Online Privacy Protection Act (CalOPPA)

The California Online Privacy Protection Act (CalOPPA) requires operators of commercial websites that collect personally identifiable information to conspicuously post a Privacy Policy on their website.

The law was enacted in 2003 and took effect on July 1, 2004. It applies to any operator of a commercial website or online service that collects personally identifiable information from California residents, regardless of whether the operator has a physical presence in the state.

A CalOPPA-compliant Privacy Policy must include specific clauses, such as the types of information collected and how it will be used.

Since a 2013 amendment (AB 370), CalOPPA has also required operators to disclose how they respond to Do Not Track (DNT) signals sent by browsers. The law does not require you to honor the signal, only to state in your Privacy Policy whether and how you do.

By posting an appropriate Privacy Policy and taking steps to safeguard consumers' data, businesses can help ensure that they comply with CalOPPA.
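To make the DNT disclosure concrete, the following Python shows what the signal looks like on the wire (a request header, `DNT: 1`) and how a server can branch on it consistently with whatever its Privacy Policy says. This is an added example for this article, not code from any statute, regulator or vendor; the framework-agnostic header dictionary, the `honor_dnt` policy flag and the script URLs are assumptions for illustration.

```python
"""Branch server-side behaviour on the browser's Do Not Track (DNT) header.

Added example for this article, not code from any statute, regulator or
vendor. The header dict, the ``honor_dnt`` policy flag and the script
names are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Mapping, Optional

FIRST_PARTY_SCRIPTS = ["/static/app.js"]                      # always served
THIRD_PARTY_TRACKERS = ["https://analytics.example/tag.js"]   # assumed tracker URL


@dataclass(frozen=True)
class TrackingDecision:
    dnt_value: Optional[str]   # raw header value, None if absent
    track: bool                # may third-party trackers run?
    reason: str                # audit-log explanation


def get_dnt(headers: Mapping[str, str]) -> Optional[str]:
    """Return the DNT header value, matching the name case-insensitively.

    HTTP header names are case-insensitive, and different frameworks hand
    them over with different casing, so never look up 'DNT' literally.
    """
    for name, value in headers.items():
        if name.lower() == "dnt":
            return value.strip()
    return None


def decide(headers: Mapping[str, str], honor_dnt: bool = True) -> TrackingDecision:
    """Decide whether third-party tracking may run for this request.

    honor_dnt encodes the site's stated policy. CalOPPA does not require
    honoring DNT, only disclosing what you do; this flag must match the
    disclosure in your Privacy Policy.
    """
    value = get_dnt(headers)
    if value is None:
        return TrackingDecision(None, True, "no DNT header; default policy applies")
    if value == "1":
        if honor_dnt:
            return TrackingDecision(value, False, "DNT:1 honored; trackers suppressed")
        return TrackingDecision(value, True, "DNT:1 ignored per disclosed policy")
    if value == "0":
        # DNT:0 is an explicit opt-in to tracking.
        return TrackingDecision(value, True, "DNT:0 received; user consents")
    # Malformed value: fail closed and treat it as an opt-out.
    return TrackingDecision(value, False, f"unrecognised DNT value {value!r}; treated as opt-out")


def scripts_for(headers: Mapping[str, str], honor_dnt: bool = True) -> list[str]:
    """Script URLs to embed in the page for this request."""
    d = decide(headers, honor_dnt)
    return FIRST_PARTY_SCRIPTS + (THIRD_PARTY_TRACKERS if d.track else [])


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "firefox_dnt_on": {"Host": "www.example", "DNT": "1"},
    "lowercase_proxy": {"host": "www.example", "dnt": "1"},
    "explicit_opt_in": {"Host": "www.example", "DNT": "0"},
    "no_signal": {"Host": "www.example"},
    "garbage": {"Host": "www.example", "DNT": "yes"},
}


def run_samples(honor_dnt: bool = True) -> dict[str, bool]:
    """Map each sample request name to whether trackers would be served."""
    return {name: decide(h, honor_dnt).track for name, h in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, track in run_samples().items():
        print(f"{name:16s} track={track}")
```

Two practical caveats. Browsers send DNT only when the user switches it on, and Safari removed the setting entirely, so the header is rare in real traffic; that does not remove the disclosure duty. And whichever value you give `honor_dnt`, the Privacy Policy text and the code must say the same thing, because a policy that claims to honor DNT while the site still loads third-party tags is the kind of mismatch regulators act on.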

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is a California privacy law passed on June 28, 2018, and took effect on January 1, 2020.

The CCPA applies to for-profit businesses that collect California consumers' personal information, do business in California, and meet one or more of the following thresholds:

  • Have annual gross revenues over $25 million,
  • Annually buy, receive for commercial purposes, sell, or share for commercial purposes, alone or in combination, the personal information of 50,000 or more California consumers, households, or devices, or
  • Derive 50% or more of their annual revenues from selling California consumers' personal information

(The CPRA amendments, effective January 1, 2023, raise the second threshold to 100,000 consumers or households and extend the third to revenue from selling or sharing personal information.)

It requires covered businesses to disclose what personal information they collect about California consumers and for what purposes. The usual way to do this is via a Privacy Policy.

It also gives California consumers a number of rights including the right to know what personal data is being collected about them, the right to delete their personal information, and the right to opt out of the sale of their personal information.

Businesses that violate the CCPA may be subject to enforcement actions by the California Attorney General and civil penalties of up to $2,500 per violation, or $7,500 per intentional violation.

California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA), approved by voters as Proposition 24 in November 2020, expands upon and amends the CCPA, making it more comprehensive and stringent. As a result, it has been dubbed "CCPA 2.0." Most of its provisions take effect on January 1, 2023, and it creates a dedicated regulator, the California Privacy Protection Agency, which shares enforcement with the Attorney General.

The CPRA permits consumers to take a number of actions with respect to their personal information, including the following:

  • Opt out of businesses "sharing" their personal information for cross-context behavioral advertising, in addition to the existing opt-out of sale
  • Correct inaccurate personal information
  • Limit businesses' use of "sensitive personal information," including precise geolocation, race, ethnicity, religion, genetic data, the contents of private communications, sexual orientation, and specified health information

The CPRA (like the CCPA) applies to any for-profit organization doing business in the State of California that collects or maintains the personal information of California residents and meets the thresholds above.

The private right of action remains limited to data breaches. Consumers may sue for statutory damages of $100 to $750 per consumer per incident (or actual damages, if greater) when their nonencrypted and nonredacted personal information is exposed because a business failed to implement reasonable security procedures; the CPRA extends this to breaches of an email address together with a password or security question that would permit access to the account. There is no private right of action for selling personal information without consent; that is enforced by the regulators.

The "Shine the Light" Law

California's "Shine the Light" law (Civil Code section 1798.83) was introduced in 2003 to protect the privacy of California residents. The bill was amended several times in both the State Senate and the State Assembly before passing that year, and the law took effect on January 1, 2005.

If your business meets all of the following criteria, you must comply with this law:

  • Has 20 or more employees,
  • Has customers who are residents of California, and
  • Has, within the past calendar year, shared customers' personal information with third parties for the third parties' direct marketing purposes

A covered business must, on request, tell a customer what categories of personal information it shared with third parties for direct marketing in the preceding year and with whom, or it may instead give customers a free way to opt out of that sharing. In practice the law is met through the Privacy Policy, which must explain how customers can make the request.

Colorado Privacy Laws

The Colorado Privacy Act (CPA), signed on July 7, 2021 and effective July 1, 2023, is a comprehensive framework that imposes specific responsibilities on companies that collect or process Colorado residents' personal data. It applies to controllers that do business in Colorado or target its residents and that either process the personal data of 100,000 or more consumers a year, or derive revenue from selling personal data and process the personal data of 25,000 or more consumers.

Violations are treated as deceptive trade practices under the Colorado Consumer Protection Act and are enforced by the Attorney General and district attorneys, with civil penalties of up to $20,000 per violation. There is no private right of action.

The CPA requires companies to disclose what personal data they collect, why they collect it, and with whom they share it. Companies must also give Colorado residents the right to access, correct and delete their personal data, to obtain a portable copy of it, and to opt out of targeted advertising, the sale of their personal data, and profiling that produces legal or similarly significant effects. From July 1, 2024, controllers must also honor a universal opt-out mechanism, such as a browser signal, for targeted advertising and sales.

In addition, the CPA requires consent before processing sensitive data and establishes strict requirements for companies that process children's personal data.

Connecticut Privacy Laws

The Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) is a comprehensive consumer privacy law that was signed into law by Gov. Ned Lamont on May 10, 2022 and goes into effect on July 1, 2023.

The law has several requirements for data controllers and processors, including obligations to limit collection to what is necessary for the disclosed purposes, to conduct data protection assessments for high-risk processing such as targeted advertising and the sale of personal data, to provide consumers with notice of their rights, and to obtain consent before processing sensitive personal data.

You must also post a "reasonably accessible, clear and meaningful" Privacy Policy on your website.

The law also gives consumers the right to access, correct, delete and obtain a copy of their personal data, and to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. Enforcement is by the Connecticut Attorney General, with a 60-day cure period that expires on December 31, 2024.

Utah Privacy Laws

The Utah Consumer Privacy Act (UCPA) was signed into law on March 24, 2022 and takes effect on December 31, 2023.

The act gives Utah consumers the right to access and delete their personal data, the right to data portability, the right to opt out of targeted advertising, and the right to opt out of the sale of their personal data. Unlike the California, Colorado, Connecticut and Virginia laws, it does not include a right to correct inaccurate data.

The UCPA applies to any controller or processor that does business in Utah or targets its residents with products or services, has annual revenue of $25,000,000 or more, and either processes the personal data of 100,000 or more consumers a year or derives over 50% of its gross revenue from the sale of personal data while processing the data of 25,000 or more consumers.

Enforcement is by the Utah Attorney General, after referral from the Division of Consumer Protection, with a 30-day cure period. Businesses that must comply and do not do so can face penalties of up to $7,500 per violation.

Virginia Privacy Laws

The Virginia Consumer Data Protection Act (CDPA) passed the Virginia House of Delegates and the state Senate in February 2021, was signed by Gov. Ralph Northam on March 2, 2021, and takes effect on January 1, 2023. Virginia was the second state, after California, to enact a comprehensive consumer privacy law.

The CDPA aims to protect the personal data of residents of the Commonwealth of Virginia. It has been described as "exhaustive" in nature and borrows concepts from California's CCPA and the EU's GDPR, including the controller/processor distinction.

The CDPA applies to any person that conducts business in Virginia or targets Virginia residents and that either:

  • Controls or processes the personal data of at least 100,000 consumers during a calendar year, or
  • Derives over 50 percent of gross revenue from the sale of personal data and controls or processes the personal data of at least 25,000 consumers

The law contains provisions concerning the responsibilities of data controllers and processors. It also provides for the protection of the privacy of individuals with respect to their personal data.

The bill does not apply to state or local governmental entities, and there are exceptions for certain types of data and information governed by federal law.

Consumers who believe a controller or processor has failed to comply may complain to the Virginia Attorney General, who holds exclusive enforcement authority; the law does not create a separate data protection authority.

The CDPA provides consumers with the right to access their personal data, as well as the right to correct any inaccurate data. They also have the right to delete their personal data and to obtain a portable copy of it. In addition, consumers have the right to opt out of the processing of their personal data for targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.

The law provides that the Attorney General has exclusive authority to enforce violations of the law, and the Consumer Privacy Fund is created to support this effort.

The Virginia Attorney General's office is charged with enforcing the law and protecting consumers. In order to give companies a fair chance to cure any violations, the office must provide 30 days' notice of any infractions.

After that period has elapsed, if the company has not remedied the situation, it could be subject to fines of up to $7,500 per violation.

This process ensures that companies have an opportunity to comply with the law while also holding them accountable for any violations.

States with Privacy Laws Under Consideration (As of August 2022)

Many states are in the process of drafting privacy and biometric legislation similar in nature to privacy laws already passed in the five states previously discussed.

These states (and districts) include:

  • Massachusetts
  • Michigan
  • New Jersey
  • North Carolina
  • Ohio
  • Pennsylvania
  • Rhode Island
  • Washington, D.C.

We'll briefly review several of these below.

New Jersey Privacy Laws

New Jersey's A-4902/S2834 is modeled after California's CCPA. However, unlike the CCPA, New Jersey's bill contains a modified version of the right to access, explicitly focused on disclosing personal information to third parties.

The Senate bill, introduced in July of 2021, was referred to the Senate Commerce Committee. The Assembly version was introduced in January of 2022.

As of August 2022, it has been referred to the Assembly Appropriations Committee.

North Carolina Privacy Laws

North Carolina has joined the race to enact state privacy laws by introducing the North Carolina Consumer Privacy Act.

The act is modeled after the Virginia Consumer Data Protection Act, and it includes many of the same provisions. The most important difference is that the act allows consumers to bring a private legal action against businesses that violate the law.

This could lead to treble damages, which are three times the amount of the actual damages suffered by the consumer.

Ohio Privacy Laws

Ohio legislators introduced the Ohio Personal Privacy Act (HB 376) on July 12, 2021 in an effort to join the growing number of states implementing a consumer data protection law.

Ohio's HB 376 generally requires businesses to provide consumers with certain rights and protections concerning their personal data.

However, the Ohio law is more limited in scope than similar laws enacted in other states, such as California, Colorado, and Virginia.

The law does not contain a private right of action; however, it does furnish the Ohio Attorney General with broad authority to penalize non-compliant businesses, which may include civil penalties, attorneys' fees, and investigatory costs.

Pennsylvania Privacy Laws

Pennsylvania legislators introduced a comprehensive consumer data protection bill (HB 1126) on April 7, 2021. The bill is modeled on the California Consumer Privacy Act and would apply to professional and employment-related information.

If the bill passes, Pennsylvania consumers would have the right to:

  • Request disclosure of personal information collected by a business
  • Have their personal data deleted
  • Request information about personal information sold or used for business purposes by a company, and
  • Decline or opt-out of sale of personal information to third parties

Additionally, businesses would need to provide a clear and conspicuous notice that they are collecting personal information from children and obtain parental consent prior to such collection.

The proposed regulation would require businesses to notify consumers that their personal information may be sold, as well as to provide a "Do Not Sell My Personal Information" link on their websites.

Rhode Island Privacy Laws

Rhode Island's Consumer Privacy Protection Act includes the standard privacy rights from the California Consumer Privacy Act (CCPA).

These include the following:

  • The right to opt-out (plus opt-in for kids) from the sale of personal information
  • The right to access
  • The right to delete, and
  • Other transparencies about the businesses' privacy practices

Under this legislation, a business is defined as an enterprise that meets one of the following criteria:

  • Gross annual revenue exceeding $5 million
  • Personal information on 50,000 consumers, households, or devices; or
  • Derives 50% of its annual revenue from selling personal information

The enforcement section of the bill allows consumers to file civil actions seeking actual damages or statutory damages (between $100 and $750) for data breaches resulting from violations of the duty to implement and maintain reasonable security procedures.

The legislation doesn't specify damages for consumers under other sections of the law and does not provide for enforcement by the state's attorney general.

Washington, D.C. Privacy Laws

District of Columbia Council Chairman Phil Mendelson introduced B24-0451, also known as the "Uniform Personal Data Protection Act of 2021," to the D.C. Council on October 18, 2021.

The proposed law would apply to any controller or processor that conducts business in Washington, D.C. or produces products or services purposefully directed to its residents.

The bill would cover such a controller or processor if it:

  • Maintains personal data about more than 50,000 residents of Washington, D.C.
  • Earns more than 50% of its gross annual revenue from maintaining personal data
  • Is a processor acting on behalf of a controller that the processor knows or has reason to know satisfies either of the first two conditions; or
  • Maintains personal data, unless it processes the personal data solely using compatible data practices

The legislation is currently pending within the D.C. Council Judiciary and Public Safety Committee.

Biometric Privacy Laws in 2022

Currently, only three states have enacted specific laws regulating the use of biometric information: Illinois, Texas, and Washington.

Of these, only Illinois' Biometric Information Privacy Act (BIPA) provides individuals with a private right of action in the event of a violation.

The biometric data law in Illinois has served as a model for several other states who have introduced biometric laws in the first quarter of 2022. These states include:

  • California
  • Kentucky
  • Maine
  • Maryland
  • Massachusetts
  • Missouri, and
  • New York

California's CCPA covers biometric data but is not a law specific to that form of information.

As biometric technologies continue to spread, more states will likely enact laws governing their use.

Illinois Biometric Information Privacy Act

In 2008, the Illinois legislature unanimously passed the Biometric Information Privacy Act ("BIPA"), an initiative led by the ACLU of Illinois.

The law gives individuals control over their biometric identifiers (fingerprints, retina or iris scans, voiceprints, and scans of hand or face geometry) and prohibits private entities from collecting them unless they satisfy certain conditions.

For instance, they must inform the person in writing of what data is being collected or stored, specify the purpose and length of time for which it will be collected, stored and used, and obtain a written release before collecting it. They must also publish a retention schedule and destruction guidelines, may not sell or otherwise profit from the data, and must protect it at least as carefully as other confidential information. BIPA's private right of action allows statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, which is why it has become the most litigated biometric law in the country.

BIPA has been a model for other states looking to protect the privacy of their residents. Its legislative findings rest on the point that biometrics, unlike passwords, cannot be changed once compromised, leaving the individual exposed to identity theft with no recourse.

Virginia, Colorado, and Utah have made headlines recently for passing comprehensive privacy legislation, with Connecticut following in 2022. These states are part of a growing trend of states enacting privacy laws in the wake of California's groundbreaking California Consumer Privacy Act of 2018.

As privacy statutes evolve, it is increasingly vital for business leaders to stay up-to-date on the latest developments. This is especially true when it comes to compliance, as new statutes can have a significant impact on operations.