Personal data has been called the new oil and gold of the digital era. While these comparisons are imperfect, data is without question the fuel that drives our connected and digitized world. Virtually every action a person takes online generates new data, the amount of which is staggering and continues to grow each year.
Which begs the question: what happens to all that data?
Data may be as valuable as oil or gold to the companies that collect it, but consumers often have little understanding of or control over how their data is collected, stored, and shared. The more our digital footprints expand, the more uneasy people feel about companies' data collection practices. This uneasiness is further justified by horror stories about sensitive data being hacked, sold, leaked, and otherwise abused.
In the United States, federal privacy laws mostly predate the Internet era and are insufficient to address the world of big data. Lacking a comprehensive data privacy regulation like the General Data Protection Regulation (GDPR) that protects Europeans, Americans are still very much living in the Wild West of data privacy.
However, with growing concerns creating momentum for new privacy laws, more states are proposing solutions to tame the frontier. It’s more likely that a federal privacy law is also in store for the U.S. In this article, we examine the history and current state of privacy laws in the U.S. before exploring current and future data protection laws state by state.
Note: Before reading the full article, grab your privacy legislation tracker cheatsheet, last updated in May 2024:
For a map version, scroll down to check our U.S. State Legislation Map.
A brief history of U.S. privacy laws
The concept of privacy rights is not exactly new. As far back as 1890, writing in the Harvard Law Review, future Supreme Court Justice Louis Brandeis and his law partner published “The Right to Privacy,” considered the first major article to make the case for a legal right to privacy:
"Recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual … the right ‘to be let alone’ … Numerous mechanical devices threaten to make good the prediction that ‘what is whispered in the closet shall be proclaimed from the house-tops.’"
- Louis Brandeis, Supreme Court Justice (Source: Brandeis University)
Nearly thirty years later, in the context of telephone technology, the Supreme Court upheld the legality of wiretapping in Olmstead v. United States, a case involving government wiretaps of a suspected bootlegger. But Brandeis dissented, arguing for a Constitutional privacy right in the Fourth Amendment, which protects people from unreasonable searches and seizures by the government.
“The progress of science in furnishing the Government with means of espionage is not likely to stop with wiretapping,” wrote Brandeis in Olmstead. “Ways may someday be developed by which the Government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home.”
Prophetic as he was, neither Brandeis, writing in 1928, nor the framers of the U.S. Constitution, writing in 1787, could have foreseen the internet technology that has sparked today’s data privacy concerns. They also failed to anticipate that private companies would one day wield powers rivaling those of governments.
However, Brandeis accurately anticipated the conflict between technology, privacy, and the law. The law is continually playing catch-up with rapidly changing technologies. This is a problem in every country, not just the United States. But in the U.S., a slow-moving legislature is a feature, not a bug.
The framers viewed a slow and difficult legislative process as a check on federal power, making it more difficult for the government to infringe on citizens' liberties and rights. Restricting power at the federal level gave individual states a great deal of authority. So, while privacy rights and technology were not, and could not have been, explicitly addressed by the framers, this federalist dynamic helps to explain why states have been quicker to enact sweeping privacy laws than Congress.
Existing federal data privacy laws in the U.S.
Data, as we understand it today, entered the lexicon in the 1940s, shortly after the invention of ENIAC, generally regarded as the first modern computer. "Data processing," "database," and "data entry" followed soon thereafter.
The U.S. Privacy Act of 1974
Computer databases, used by the federal government to hold data on private citizens, led to the nation’s first data privacy law—the U.S. Privacy Act of 1974.
Many of the privacy issues the Privacy Act addresses echo what we’re still debating today. Namely, people were concerned about the government potentially abusing its vast computer databases of individuals’ personal data. Thus, Congress enacted legislation that encoded some citizen rights pertaining to data held by U.S. government agencies, including:
- Public notice requirements about the existence of databases
- Individual access to records
- The right of an individual to make copies of their records
- The right of an individual to correct an incomplete or erroneous record
- Restrictions on the disclosure of data
- Data minimization requirements
- Limits on data sharing
- Penalties for violating the Privacy Act
The Privacy Act balanced the government's need to maintain information about citizens with citizens' rights to be protected against unwarranted privacy invasions resulting from federal agencies’ collection, maintenance, use, and disclosure of their personal information. This early privacy law laid out many of the provisions found in modern privacy legislation.
Unfortunately, because the Privacy Act applies only to federal agencies, it is not up to the task of protecting data privacy rights in a world where the private sector collects more data than any government agency. The law also could not have foreseen the vast types of data now collected about us—everything from our location and browsing activity to our biometric and genetic data.
Other U.S. privacy laws
Additional data privacy legislation has been passed since the Privacy Act. While these laws expand on the 1974 law, they generally only restrict limited data types and the specific entities that handle them.
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates health information privacy rights. Individuals have the right to access personal information in their health records, ask to change wrong, missing, or incomplete information, know who the information is shared with, and limit sharing of it. HIPAA covers health care providers, hospitals and clinics, insurers, and certain third-party businesses, like pharmacies. It does not cover healthcare apps and wearable devices like Fitbit.
- The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, is primarily a piece of financial services reform legislation. Buried within it, though, are rules that address consumer financial privacy. The GLBA requires financial institutions to disclose to customers, in a “clear and conspicuous” privacy notice, the types of “nonpublic personal information” (NPI) they collect about them, how it’s used, and who it’s shared with. They must also provide an opt-out mechanism to customers who don’t want their information shared with unaffiliated companies. A major loophole remains: among affiliates in the same “corporate family,” customer NPI rights don’t apply.
- The Fair Credit Reporting Act (FCRA) of 1970 predates the Privacy Act and deals with the personal information contained in consumer credit reports. Under the FCRA, consumers have the right to know what information is in their credit file, to dispute any errors in it, and to know whether it has been used against them in an “adverse action” (such as being denied employment). Entities that compile credit reports, send information contained in credit reports, and use credit reports are subject to the FCRA.
- The Children’s Online Privacy Protection Act (COPPA) regulates personal information collected from children younger than thirteen. It imposes requirements on commercial websites and online service providers that collect, disclose, or use personal information from children twelve and under. The Federal Trade Commission (FTC) enforces COPPA compliance. Violations can result in a fine. Several social media and tech companies have violated the COPPA, including TikTok ($5.7 million fine) and YouTube ($170 million fine).
In addition to these laws, a smattering of other privacy laws regulate personal information gathered by the telecommunications industry, including the Telephone Records and Privacy Protection Act (TRPPA), the Cable Communications Policy Act, the Communications Act, and the Video Privacy Protection Act (VPPA).
However, each of these laws has major shortcomings. For example, the Communications Act and the TRPPA require phone companies to play nice with phone records, but they do nothing to protect the data of smartphone users accessing the internet. The VPPA protects VHS rental records but doesn’t apply to video streaming companies. And with fewer and fewer people subscribing to cable services, cable TV data is increasingly irrelevant.
The FTC and privacy policy enforcement actions
Need more evidence that our current data privacy laws may not be sufficient for the internet age? Consider the FTC's efforts to hold Meta accountable for its privacy commitments.
The FTC, the agency that enforces the COPPA, the GLBA, and the FCRA, has the authority to impose civil penalties on companies for “deceptive practices or acts.” It did just that against Meta/Facebook in 2011 and again in 2019 due to false claims that Facebook made over its data privacy policy. The latter instance resulted in a record $5 billion fine.
But here’s the catch: the FTC was only able to hold Facebook accountable for its privacy policy because Facebook did not live up to the promises it made in that policy. If Facebook had not implemented a privacy policy in the first place, the FTC would have had no grounds to bring a complaint against the company for its “deceptive practices or acts,” which it is now doing yet again–this time for allegedly violating the terms of the agency’s 2020 privacy order Meta agreed to.
In other words, from an FTC enforcement perspective, a business has to adhere to the terms of its posted privacy policy only if it has one. If it doesn’t, it doesn’t have to.
However, the FTC is picking up some of the slack in the absence of a federal data privacy law. FTC Chair Lina Khan has said the agency intends to use its authority to protect consumer data. Her 2021 statement to Congress declared that policing data security and privacy is “now a mainstay of the FTC’s work.”
A 2023 report (2023 Privacy and Data Security Update) highlights what the agency calls “bold steps to deliver strong privacy protections.” These steps have included enforcement actions that address numerous privacy issues across multiple industries, including social media companies like Meta and X/Twitter, ad tech companies, and mobile app makers.
The report states that the FTC has brought 97 privacy cases since 1999. It highlights actions against Kochava, Inc., Epic Games, Inc., Drizly, LLC, GoodRx, Rite Aid, and Avast, to name just a few.
The FTC’s “commercial surveillance and data security” rulemaking, launched in August 2022, may result in more enforcement powers. The rulemaking process could end with new FTC regulations covering data collection, use, and sale, cyberattacks and data theft, dark patterns, how data practices affect vulnerable populations, biometrics, consumer consent, and much more.
Cybersecurity firm Recorded Future said in an April 2024 report it expects these rules to arrive “in the next few months.”
According to its 2023 report, the FTC has also initiated rulemaking initiatives to strengthen the COPPA, apply health breach notification rules to health apps and similar technologies, and require non-banking financial institutions to report data breaches.
Self-regulation and online advertising
The FTC’s growing interest in online data collection practices, sparked by the emergence of e-commerce in the 1990s, was addressed in a 2009 report, “Self-Regulatory Principles for Online Behavioral Advertising.”
In that report, the FTC described the ubiquitous practice of websites using cookies to track an online user’s browsing activity and deliver ads tailored to their interests. Cookies (text files containing data) are what allow advertisers to follow users around the internet and serve custom ads based on their web browsing history. The FTC noted that tracking online activities for personalized advertising—a practice known as online behavioral advertising or interest-based advertising—raises concerns about consumer privacy.
Responding to these privacy concerns, the FTC proposed self-regulatory principles in its report. Self-regulation was favored because it provides the flexibility needed to address “evolving online business models.” The FTC’s proposed principles informed the Self-Regulatory Program for Online Behavioral Advertising, an initiative of the Digital Advertising Alliance (DAA).
The DAA initiative, introduced in 2009, applies seven principles to online behavioral advertising that cover:
- Education
- Transparency
- Consumer control
- Data security
- Material changes
- Sensitive data
- Accountability
Consumers will be familiar with the YourAdChoices Icon. Web pages that display the Icon on or near advertisements are covered by the self-regulatory program. Clicking on the icon takes consumers to a disclosure statement about data collection and use practices associated with the advertisement. They can also opt out of these practices and learn more about the company behind the ad.
Hundreds of companies participate in the DAA’s YourAdChoices program. It has an enforcement mechanism administered by DAA member organizations, the Council of Better Business Bureaus (CBBB), and the Association of National Advertisers (ANA). Consumer complaints (such as a broken opt-out link) can be made with the BBB and the ANA.
Companies that don’t cooperate with efforts to resolve a reported issue can be named publicly and referred to a federal or state law enforcement authority for further review. However, referrals are rare; there have been only a handful in the DAA program's history. Noncompliance with DAA self-regulatory principles could qualify as a deceptive practice under consumer protection and false advertising laws, leading to potential fines or penalties.
A federal data privacy law could be on the horizon
Observers have long called FTC data privacy and cybersecurity enforcement actions “the new common law of privacy.”
"FTC privacy jurisprudence has become the broadest and most influential regulating force on information privacy in the United States."
- Daniel J. Solove & Woodrow Hartzog, The FTC and the new common law of privacy (Source: Columbia Law Review)
One development that could derail the FTC’s mission creep in shaping U.S. privacy practices is the passage of a broad federal law. There is a general consensus about the need for such legislation, especially as the patchwork of state laws grows, creating varying obligations across state lines that, in their totality, can be confusing and difficult for organizations to comply with.
The tech industry has signaled its preference for a national law with uniform standards. Most Americans also favor federal privacy legislation over individual state regulations.
Federal privacy-related bills have been working their way through Congress for years, and the International Association of Privacy Professionals (IAPP) is optimistic that a comprehensive U.S. federal privacy law–a U.S. GDPR equivalent–is in the nation’s future.
So far, these efforts have stalled. Yet, in a nod to the fact that American data privacy is developing so fast, even the IAPP expressed surprise at the latest effort to address data privacy rights on the national level. The American Privacy Rights Act (APRA), announced in April, is the most significant attempt at federal privacy legislation since the American Data Privacy and Protection Act (ADPPA) stalled more than two years ago.
The ADPPA gained enough bipartisan support to garner real enthusiasm that a federal privacy law could finally be passed. However, the bill never made it to the House floor. The new draft regulation, on the other hand, is praised by sponsors and seems to be headed toward potential fruition:
“This bipartisan, bicameral draft legislation is the best opportunity we’ve had in decades to establish a national data privacy and security standard that gives people the right to control their personal information.”
- Chair Cathy McMorris Rodgers (R-WA), House Committee on Energy and Commerce, Chair Maria Cantwell (D-WA), Senate Committee on Commerce, Science and Transportation (source: Committee on Energy and Commerce)
Some of the language of the APRA is standard privacy policy. Americans, for instance, would be able to opt out of targeted advertising, view what data companies have on them, and delete this data and stop its sale or transfer.
But in two key respects, the APRA is more robust than its predecessors.
Significantly, the APRA would preempt state privacy laws, a major sticking point in past bills. In an interview, Cantwell, who rejected the ADPPA in 2022, said the APRA, which incorporates parts of other state laws, including those in California, Illinois, and Washington, would be “stronger than any state law on the books.”
The APRA also contains a private right of action for violations of the law that could be exercised by the FTC, state attorneys general, and private citizens.
A discussion draft of the bill published in May 2024 is available here. IAPP provides an overview of the draft here. As the bill goes through revisions, stakeholders are adding their two cents. Among them are state attorneys general demanding that federal preemption be removed, a coalition of business interests calling for full preemption with no state carveouts, data broker deletion services, lawmakers, and state officials.
In short, the APRA heads down the long, bumpy road that has thus far proven unnavigable for comprehensive federal data privacy bills. Stay tuned.
U.S. state data protection laws comparison and map
The path forward for a national privacy law remains full of hurdles. However, while federal privacy legislation remains bogged down in Congress, at the state level, privacy laws are being passed at an increasingly rapid pace.
Indeed, as the APRA struggles to make it out of committee, four new state consumer privacy laws are scheduled to take effect in 2024. The same number of laws took effect in 2023.
Momentum towards state-level legislation has been building since California passed the first state privacy law in 2018. Eighteen additional states–and counting–have passed comprehensive data privacy laws between then and now. When these new laws enter into effect over the next year and a half, they will cover more than 50% of the U.S. population.
States like Utah and Iowa showed that new bills can be introduced and passed quickly when political alignment exists on the data privacy issue. Republican-controlled Iowa, Indiana, Montana, Tennessee, Texas, and Utah also show that data privacy is not a red or blue-state issue. It’s an issue important to all Americans.
To put the growth of state privacy laws in perspective, consider that:
- In 2018, just two comprehensive privacy bills were introduced in state legislatures. The following year, fifteen were introduced.
- In 2020, 24 comprehensive state privacy bills were introduced. The next year, it was 29 bills.
- 59 bills were introduced in 2022, and 54 were introduced in 2023.
The number of state privacy bills enacted has also grown rapidly, from just one in 2018 to seven in 2023. Less than halfway into 2024, seven more states have passed comprehensive privacy laws, bringing the total to nineteen states (twenty, if you include Florida, whose Digital Bill of Rights is mostly targeted at Big Tech due to a $1 billion revenue threshold). They are:
- California (California Consumer Privacy Act; effective January 1, 2020)
- Colorado (Colorado Privacy Act; effective July 1, 2023)
- Connecticut (Connecticut Data Privacy Act; effective July 1, 2023)
- Delaware (Delaware Personal Data Privacy Act; effective January 1, 2025)
- Florida (Florida Digital Bill of Rights; effective July 1, 2024)
- Indiana (Indiana Consumer Data Protection Act; effective January 1, 2026)
- Iowa (Iowa Consumer Data Protection Act; effective January 1, 2025)
- Kentucky (Kentucky Consumer Data Protection Act; effective January 1, 2026)
- Maryland (Maryland Online Data Privacy Act; effective October 1, 2025)
- Minnesota (Minnesota Consumer Data Privacy Act; effective July 31, 2025)
- Montana (Montana Consumer Data Privacy Act; effective October 1, 2024)
- Nebraska (Nebraska Data Privacy Act; effective January 1, 2025)
- New Hampshire (New Hampshire Privacy Act; effective January 1, 2025)
- New Jersey (New Jersey Data Privacy Law; effective January 15, 2025)
- Oregon (Oregon Consumer Privacy Act; effective July 1, 2024)
- Tennessee (Tennessee Information Protection Act; effective July 1, 2025)
- Texas (Texas Data Privacy and Security Act; effective July 1, 2024)
- Utah (Utah Consumer Privacy Act; effective December 31, 2023)
- Vermont (Vermont Data Privacy Act; effective July 1, 2025)*
- Virginia (Virginia Consumer Data Protection Act; effective January 1, 2023)
(*Passed legislature but not yet signed into law by the governor, who is said to be considering a veto.)
Given the trends of Congressional fiddling and state action, businesses realistically face the prospect of a 50-state privacy regime in the not-too-distant future.
The matrix of state laws has always posed a compliance challenge for the companies subject to them. Up until this year, organizations generally managed their growing privacy obligations by conforming to California’s strongest-in-the-nation consumer data protections.
However, according to a Reuters analysis of the patchwork of privacy obligations, the passage of state laws in Maryland, Minnesota, and Vermont could be “the straw that broke the camel’s back.” According to the study, Maryland’s, Minnesota’s, and Vermont’s laws represent a “substantial departure from the dominant U.S. state model, introducing entirely new compliance requirements that do not exist under any U.S. state privacy law, even California's”:
- The Maryland Online Data Privacy Act contains unique provisions related to data minimization requirements, the sale of sensitive personal data–even with consent–and data processing for under-18 subjects.
- Minnesota will require companies to keep an “inventory” of processed personal data and introduce a new consumer right regarding decisions based on “profiling,” impacting online tracking and targeting.
- The Vermont Data Privacy Act has a private right of action for consumers that goes beyond California law, allowing consumers to sue companies for collecting or sharing sensitive data without their consent and violating consumer health data provisions.
Although the melting pot of comprehensive state privacy laws could place additional pressure on Congress to finally pass a federal privacy law, merely complying with the CPRA may no longer bring companies into compliance in each state.
With even more states poised to adopt privacy legislation in 2024, the list of company obligations is only likely to grow, especially considering that comprehensive privacy legislation is just one piece of the regulatory puzzle. Over the past few years, states have also passed laws targeting specific issues and types of data, such as biometric data, health data, children’s data, and Artificial Intelligence.
Common data privacy principles
Many privacy bills die in committee or are voted down. However, comparing the proposed bills gives insight into the common privacy provisions that lawmakers are considering.
Many of them harken back to privacy concepts introduced in the 1974 Privacy Act and expanded in subsequent American privacy laws, but there are concepts that are more specific to the Internet, too.
- Right of access: Consumers have the right to access the data a business collects about them and to access the data that is shared with third parties.
- Right of rectification: Consumers can request the correction of incorrect or outdated personal data.
- Right of deletion: Consumers can request the deletion of their personal data.
- Right of restriction of processing: Consumers have the right to restrict businesses' ability to process their data.
- Right of portability: Consumers can request the disclosure of their data in a common file format.
- Right of opt-out: Consumers have the right to opt-out of the sale of their data to third parties.
- Private right of action: Consumers have the right to file a lawsuit for civil damages against a business that violates a privacy law.
Our U.S. state laws tracker lists more of the provisions that are typically found in legislative proposals. Aside from creating consumer rights, the bills that have been introduced impose obligations on businesses, including:
- Data breach notifications: Businesses must notify consumers about privacy or security breaches.
- Notice requirements: Businesses must notify consumers about data practices and privacy policies.
- Discrimination prohibitions: Businesses may not discriminate against consumers who exercise their data privacy rights.
- Data minimization policies: Businesses should only collect and/or process the minimum amount of data required for a specific purpose.
It can be helpful to look at the common provisions in state privacy laws passed to gauge where legislators are finding common ground and where privacy programs should be focused.
For example, all privacy laws passed to date grant the right to access, the right to delete, the right to portability, and the right to opt-out of data sales. All states also impose notice/transparency requirements on businesses, and no state prohibits discrimination for exercising data privacy rights.
Iowa and Utah are outliers in several areas. Neither requires risk assessments or grants consumers the right to correct their personal data; Iowa does not give the right to opt out of certain data processing; and Utah does not impose a GDPR-style purpose/processing limitation.
Sticking points in state data privacy laws
No state has passed or proposed legislation that ticks every box in the privacy provision checklist. However, two provisions have emerged as major sticking points in passing privacy laws: a private right of action and an opt-in consent policy. Both are seen by privacy experts as more consumer-friendly.
- A private right of action means a consumer can take civil legal action against a business violating a data privacy law. Because most privacy violations aren’t isolated incidents and affect many consumers similarly, the private right of action often takes the form of a class action lawsuit, as seen in data breach litigation. Legislation has failed in several states over lawmaker disagreements on a private right of action, and this is said to be the hangup with Vermont’s bill. Those who oppose a private right of action argue that it would empower trial lawyers more than consumers. Senator Ted Cruz has expressed similar sentiments about the recently introduced APRA.
- Of the data privacy laws passed to date, only California and Vermont have a private right of action, and California’s is limited to data breaches. In Vermont, the private right of action, as written, covers three different violations: processing sensitive data without consent, selling sensitive data, and violating provisions related to confidential health data. However, the private right of action in the proposed VT law only lasts from 2027 through 2029 unless reauthorized.
- Opt-in consent refers to the idea that regulated entities must obtain consumer consent to collect, share, or sell private information to third parties. Essentially, opt-in consent shifts the consent burden from the consumer to the regulated entity, compared to opt-out consent, which places the burden on the consumer.
A strictly opt-in approach–like that found in Europe’s GDPR–favors consumers but is rare in the U.S., except in the cases of children, young teenagers, and in some states, a category of data known as “sensitive data.”
How can Didomi help you manage the growing patchwork of state privacy laws?
More states passing data protection laws is good news for consumers and further evidence that the data privacy revolution is well underway. However, growing layers of state regulations pose a greater legal challenge for businesses, especially when operating across the entire country.
Our Global Privacy UX Solutions, which include a multi-regulation Consent Management Platform (CMP), help U.S. organizations address these concerns and find the right balance between reducing operational complexity and maintaining sufficient flexibility to maximize their data practices.
Frequently Asked Questions (FAQ)
To whom do state data privacy laws apply?
This point is pretty straightforward. A state-level privacy law only applies to residents of that state. The CCPA only applies to California residents, the CPA to Colorado residents, the VCDPA to Virginia residents, and so on.
A consumer doesn’t necessarily have to be physically present in the state but must be a state resident.
What is considered covered personal information?
Here, there are considerable differences from state to state, as the following examples illustrate:
- The CCPA defines personal information as “information that identifies, relates to, or could reasonably be linked with you or your household.” California has also introduced the concept of “probabilistic identifiers.” The CPRA amends the CCPA definition of personal information by introducing “sensitive personal information” as a new category of PI.
- The VCDPA defines personal data as “information linked or reasonably linkable to an identified or identifiable individual” (and not a household or device), with the exception of de-identified and publicly available data.
- The CPA definition of covered personal information is virtually identical to Virginia’s, but with a less restrictive definition of “publicly available information.”
- The CTDPA uses the familiar criteria of information that is “linked or reasonably linkable” to an individual, with the usual exclusions for deidentified data or public information.
- The UCPA adds the term “aggregated” data to the categories of deidentified and publicly available data excluded from protections. It also has a definition of “sensitive” data.
- Iowa SF 262 refers to “personal data” and takes the same tack as Virginia, Colorado, and Connecticut, making exemptions for de-identified or aggregate data or publicly available information. It includes a “sensitive data” category as well that covers categories like race, religion, genetic data, biometric data, children’s personal data, and “precise geolocation data” (within 1,750 ft.).
- Indiana’s law requires additional consumer consent to process “sensitive personal information,” a category that, like Iowa’s, has a geolocation data category.
- Tennessee’s law has a long list of what qualifies as “personal information.” Notably, it considers an “alias” to be an identifier and financial, medical, and health insurance information to be identifying personal information. Also in the TN personal information category are commercial information, protected legal classifications, biometric data, geolocation data, employment data, and even “olfactory” and “thermal” information.
- Montana SB 384 uses the term “personal data” instead of “personal information” in its definitions section.
- Texas’ TDPSA includes pseudonymous data as a type of “personal data” when such data can be used with other information to link it to an individual. Texas also recognizes the category of “sensitive data.”
- Oregon has a more inclusive definition of “sensitive data” than other states, one that includes a person’s status as a crime victim or as transgender or nonbinary.
What is a “controller” or “processor”?
“Controllers” and “processors” are terms lifted from the European GDPR. In the United States, the terms have near-identical meanings, but there are subtle variations in statutory language.
For example, under Virginia law, a controller is a “natural or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data.” A processor in Virginia is an entity that processes data on behalf of a controller.
Colorado and Iowa use these same terms in their laws, but in defining them refer to a “person” rather than a “natural or legal entity.” Legally, the terms mean the same thing. Yet the different wordings show how legalese, without intending to, can make parsing these statutes something of a head-spinning experience.
To illustrate this point further, California forgoes the language of “controller” and “processor” altogether, opting instead to use the terms “businesses” and “service providers.” These might seem like minor differences, but the CCPA/CPRA has narrow definitions for “business” and “service provider.”
The devil is in the details.
Are there exemptions?
State data privacy laws provide exemptions at several levels. Consumer activity outside the state where the regulation applies is generally exempt, as is data specifically governed by other laws, including HIPAA, the GLBA, and state laws like the California Financial Information Privacy Act (CalFIPA).
The CPA and the OCPA do not have a HIPAA exemption. Connecticut and Iowa have nonprofit exemptions, while Oregon and Delaware only exempt nonprofits with certain missions.
Employment data is exempt in all states except for California, where the CPRA gives privacy protection rights to employees of covered businesses. Finally, the laws apply to private entities—not government agencies or public institutions like higher education institutions.
What are the penalties for violating state data protection laws?
State enforcement authorities generally give businesses that violate their state’s data protection law a period of time, known as a “cure period,” to come into compliance. These periods can range from 30 to 90 days. Failure to cure a violation subjects a company to further enforcement measures at the hands of state authorities. Some states have cure period provisions that expire on a certain date.
State enforcement penalties generally range from $2,500 to $7,500 per violation. Some states, like Colorado, have steeper penalties that can run up to $20,000 per violation, with a maximum penalty of $500,000 for a series of related violations. In California, data breach victims can recover damages of $150 to $750 per individual.