When the California Consumer Privacy Act (CCPA) was passed in 2018, it was the first data privacy legislation of its kind in the United States. Because the US currently lacks a federal data privacy law, the CCPA became a blueprint for several states to enact their own consumer privacy legislation. In 2021, Virginia became the second state to pass a privacy law; since then more states have joined the list, and several others have an active bill in place.
To date, 12 US states have a data privacy law in place – California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Montana, Tennessee, Texas, Oregon and Delaware.
US state data privacy laws timeline
Here’s a timeline of the US state data privacy legislation and the effective dates.
January 01, 2023: California Privacy Rights Act
January 01, 2023: Virginia Consumer Data Protection Act
July 01, 2023: Colorado Privacy Act
July 01, 2023: Connecticut Data Privacy Act
December 31, 2023: Utah Consumer Privacy Act
July 01, 2024: Texas Data Privacy and Security Act
July 01, 2024: Oregon Consumer Privacy Act
October 01, 2024: Montana Consumer Data Privacy Act
January 01, 2025: Iowa Consumer Data Protection Act
January 01, 2025: Delaware Personal Data Privacy Act
July 01, 2025: Tennessee Information Protection Act
January 01, 2026: Indiana Consumer Data Protection Act
US data privacy laws effective in 2023
In this article, we will explore the five US state privacy laws that take effect in 2023.
- California Privacy Rights Act
- Virginia Consumer Data Protection Act
- Colorado Privacy Act
- Connecticut Data Privacy Act
- Utah Consumer Privacy Act
California Privacy Rights Act (amendment to CCPA)
Effective date: January 1, 2023
Official Text: Proposition 24
CPRA is an amendment to the California Consumer Privacy Act (CCPA), California’s landmark legislation that paved the way for other states to follow suit. The CPRA grants California residents rights over their personal information and imposes obligations on businesses that collect and process personal data.
Who does it apply to
CPRA applies to any for-profit company that processes the personal information of California residents and meets one of the following criteria:
- Has annual gross revenue exceeding $25 million.
- Buys, sells, or shares the personal information of 100,000 or more consumers or households.
- Derives at least 50% of its annual revenue from selling or sharing consumers’ personal information.
The CPRA expands the rights under CCPA and provides the following rights – (1) the right to access personal data, (2) the right to correct inaccuracies, (3) the right to request to delete personal data, (4) the right to obtain a portable copy of the data, (5) the right to non-discrimination for exercising rights and (6) the right to opt out of the sale or sharing of personal data.
Non-compliance and fines
Businesses may be granted a cure period for a violation of CPRA at the discretion of the Attorney General and the California Privacy Protection Agency (CPPA). Violation of CPRA leads to a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation. Consumers also have a private right of action, under certain circumstances.
Virginia Consumer Data Protection Act
Effective date: January 1, 2023
Official Text: SB 1392
Virginia was the second state to enact data privacy legislation with the Virginia Consumer Data Protection Act (VCDPA). The VCDPA provides Virginia residents with certain rights over their data and imposes obligations on businesses that collect and process their information.
Who does it apply to
The VCDPA applies to for-profit businesses that conduct business in Virginia or market their goods and services to Virginia residents and either:
- Control or process the personal data of at least 100,000 consumers in a year, or
- Control or process the personal data of at least 25,000 consumers and derive at least 50% of their gross revenue from the sale of personal data.
Similar to California’s CPRA, the VCDPA grants consumers (1) the right to access personal information, (2) the right to correct, (3) the right to delete, (4) the right to data portability and (5) the right to opt out of data processing for purposes of targeted advertising, the sale of personal data, or profiling. A sale under VCDPA is defined more narrowly than under the CPRA to include the exchange of personal data for monetary consideration alone.
Non-compliance and fines
The VCDPA has a 30-day cure period for alleged violations. Non-compliance can result in a civil penalty of up to $7,500 for each violation. Unlike California, Virginia does not have a private right of action.
Colorado Privacy Act
Effective date: July 1, 2023
Official Text: SB 190
Colorado is another state that has taken steps to protect consumer data through the enactment of the Colorado Privacy Act (CPA). The CPA, which went into effect in July 2023, establishes requirements for businesses that collect and process the personal data of Colorado residents.
Who does it apply to
Colorado Privacy Act (CPA) applies to any company that conducts business in Colorado and produces products or services that intentionally target the residents of the state and that either:
- Process the personal data of more than 100,000 individuals in any calendar year or
- Derive revenue or receive discounts on goods or services in exchange for the sale of personal data of 25,000 or more individuals.
The CPA provides the same consumer rights as the VCDPA. However, individuals acting in a commercial or employment context, including job applicants, are not covered by the consumer rights.
CPA provides the following rights – (1) the right to access, (2) the right to correction, (3) the right to delete, (4) the right to data portability, and (5) the right to opt out of targeted advertising, sale and certain types of profiling. CPA also requires that beginning July 1, 2024, a business should honour universal opt-out signals as a method for consumers to exercise their opt-out rights.
Non-compliance and fines
The Colorado Privacy Act provides a 60-day cure period for alleged violations (in effect until January 1, 2025). The CPA has a higher possible penalty for violations compared to CPRA or VCDPA. Non-compliance can be subject to maximum civil penalties of up to $20,000 per violation with a total maximum penalty of $500,000. There is no private right of action.
Connecticut Personal Data Privacy and Online Monitoring Act
Effective date: July 1, 2023
Official Text: SB 6
Connecticut has joined the ranks of states with comprehensive data privacy laws with the passage of the Connecticut Privacy Act. This act, which became effective on October 1, 2023, aims to enhance data privacy protections for Connecticut residents and establish guidelines for businesses that collect and process their personal information.
Who does it apply to
The Connecticut Data Privacy Act (CTDPA) applies to entities that conduct business in Connecticut or provide goods or services targeted at Connecticut consumers and that either:
- Control or process the personal data of at least 100,000 Connecticut consumers, or
- Control or process the personal data of 25,000 or more consumers and receive over 25% of their annual gross revenue from selling personal data.
The consumer rights in CTDPA are consistent with the ones in Colorado – (1) the right to access, (2) the right of correction, (3) the right to delete, (4) the right to data portability, and (5) the right to opt out of targeted advertising, the sale of personal data or profiling in connection with automated decisions.
Non-compliance and fines
The CTDPA provides a 60-day cure period for alleged violations, until January 1, 2024. Non-compliance can incur civil penalties of up to $5,000 per violation with a maximum of $500,000 per incident. The CTDPA does not provide for a private right of action.
Utah Consumer Privacy Act
Effective date: December 31, 2023
Official Text: SB 227
Utah has taken a proactive approach to data privacy with the passage of the Utah Consumer Privacy Act (UCPA). The UCPA, which became effective on May 5, 2022, grants Utah residents certain rights over their personal data and imposes obligations on businesses that collect and process their information.
Who does it apply to
The UCPA applies to any company that conducts business in Utah and produces products or services that target the residents of the state and that:
- Has an annual revenue of $25,000,000 or more, and
- Satisfies one or more of the following thresholds:
  - During a calendar year, has processed the personal data of 100,000 or more consumers, or
  - Derives 50% of the entity’s gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more consumers.
Under the UCPA, consumer rights are similar to those in Virginia and Colorado’s data privacy laws but are more restricted. For instance, the right to delete personal data is only available for personal data that the consumer has provided to the controller. UCPA also does not provide the right to opt out of profiling.
Non-compliance and fines
All alleged violations of the UCPA are granted a 30-day cure period. Failure to cure the violation within that period can lead to civil penalties of up to $7,500 per violation. The Act does not provide a private right of action.
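The "Who does it apply to" thresholds of the five laws above differ in both the numbers and how they combine (Utah, for instance, requires the revenue gate and a volume threshold, while California needs any one of its three criteria). As an added example that is not part of the original article, the checks below encode those thresholds so a compliance team can test a business profile against them; the dataclass, its field names and the assumption that every count and revenue share refers to residents of the state being tested are mine, not the laws' wording.

```python
# Added example, not part of the original article: the "Who does it apply to"
# thresholds of CPRA, VCDPA, CPA, CTDPA and UCPA encoded as checks against a
# business profile. Field names are assumptions; all counts and revenue shares
# refer to residents of the state whose law is being tested.
from dataclasses import dataclass


@dataclass
class BusinessProfile:
    annual_revenue_usd: float       # annual gross revenue
    consumers_processed: int        # consumers whose personal data is controlled or processed per year
    consumers_sold_or_shared: int   # consumers whose personal data is bought, sold or shared
    sale_revenue_share: float       # fraction of gross revenue from selling/sharing personal data
    sells_personal_data: bool       # receives revenue or discounts in exchange for personal data


def cpra_applies(b: BusinessProfile) -> bool:
    # California: for-profit business meeting any one of the three criteria
    return (b.annual_revenue_usd > 25_000_000
            or b.consumers_sold_or_shared >= 100_000
            or b.sale_revenue_share >= 0.5)


def vcdpa_applies(b: BusinessProfile) -> bool:
    # Virginia: 100k consumers, or 25k consumers plus 50% of revenue from sales
    return (b.consumers_processed >= 100_000
            or (b.consumers_processed >= 25_000 and b.sale_revenue_share >= 0.5))


def cpa_applies(b: BusinessProfile) -> bool:
    # Colorado: more than 100k consumers, or any sale revenue/discount tied to 25k+ consumers
    return (b.consumers_processed > 100_000
            or (b.sells_personal_data and b.consumers_sold_or_shared >= 25_000))


def ctdpa_applies(b: BusinessProfile) -> bool:
    # Connecticut: 100k consumers, or 25k consumers plus over 25% of revenue from sales
    return (b.consumers_processed >= 100_000
            or (b.consumers_processed >= 25_000 and b.sale_revenue_share > 0.25))


def ucpa_applies(b: BusinessProfile) -> bool:
    # Utah: revenue gate AND one of the volume thresholds (note the conjunction)
    return (b.annual_revenue_usd >= 25_000_000
            and (b.consumers_processed >= 100_000
                 or (b.sale_revenue_share >= 0.5 and b.consumers_processed >= 25_000)))


CHECKS = {"CPRA": cpra_applies, "VCDPA": vcdpa_applies, "CPA": cpa_applies,
          "CTDPA": ctdpa_applies, "UCPA": ucpa_applies}


def applicable_laws(b: BusinessProfile) -> list:
    """Names of the laws whose thresholds the profile meets, sorted for stable output."""
    return sorted(name for name, check in CHECKS.items() if check(b))


if __name__ == "__main__":
    # Constructed profile: a mid-sized ad-supported business that sells some data
    print(applicable_laws(BusinessProfile(30e6, 30_000, 30_000, 0.3, True)))  # ['CPA', 'CPRA', 'CTDPA']
```

The result only narrows which laws deserve review; the exemptions and definitions each statute adds (such as Virginia's narrower definition of a sale) still need legal counsel.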
Steps for compliance with state privacy laws in the US
With the laws in California, Virginia, Colorado and Connecticut already in force and Utah's operative date at the end of 2023 approaching, you need to be prepared for compliance. Carefully assess, with legal counsel, the differences and nuances of the law(s) that apply to your business.
Here are the foundational steps that you can build upon to achieve compliance with specific provisions of laws that apply to your business.
Data mapping: Perform a comprehensive data inventory to identify the types of personal information your business collects, uses, and shares. Map how personal information moves through your business processes and systems.
Data processing impact assessments: Evaluate the risks associated with the processing of personal data and the potential impact on consumer privacy. This is especially important for processing sensitive personal data.
Review and update privacy policies: Implement clear and transparent privacy policies that inform consumers about the types of personal information collected, how it is used, and who it is shared with, including disclosures of consumer rights that apply to the respective privacy law.
Establish an opt-out mechanism: Implement a consent management platform (CMP) that lets users opt out of the sale or sharing of personal data, targeted advertising and profiling (the latter two in the case of Colorado, Connecticut, and Virginia). California and Colorado require at least two opt-out methods, such as online forms, email, telephone, and CMPs.
Respect universal opt-out signals: Receive and honour user choices made through universal opt-out browser signals such as Global Privacy Control (GPC), a requirement under the California, Colorado, and Connecticut privacy laws.
Handle consumer data requests: Establish processes to handle consumer data requests, such as providing access to their data, deleting their data, or opting out of data sharing. You should address consumer requests within the stipulated time period of the respective laws.
Implement data security: Implement robust data security measures to ensure compliance with CIS controls or other industry standards to protect consumer data from unauthorized access, use, or disclosure.
Update third-party agreements: Conduct audits of third-party processors, vendors and service providers who have access to or process personal information on your behalf. Review and update data processing agreements so they contain the specific provisions and obligations required by the respective laws.
Train your employees: Educate employees on best practices for handling consumer data securely and responsibly. Implement internal policies and procedures to ensure that your organization responds to consumer requests as required by the law.
Other federal data privacy laws in the US
While there is an absence of a unified federal data privacy law in the US, there are federal privacy laws addressing specific areas like healthcare, financial services, and credit reporting.
Privacy Act of 1974
The Privacy Act of 1974 regulates the collection, use, and disclosure of personal information by the federal government and agencies. The act establishes guidelines for federal agencies on how they can collect and maintain personal information and provides individuals with the right to access and correct their records.
Children’s Online Privacy Protection Act (COPPA)
COPPA is a federal law enacted in 1998 that aims to protect the online privacy of children under the age of 13. It requires websites, online platforms and service providers to obtain parental consent before collecting any personal information from children and to have a clear privacy policy that explains how they collect, use, and disclose personal information.
Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM)
CAN-SPAM is legislation that came into effect in 2003 to protect individuals from the onslaught of unsolicited emails and online marketing campaigns. The act established various obligations for sending commercial email messages, including the need for accurate sender information, clear identification of advertisement or commercial content, and an unsubscribe mechanism.
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a federal law in the United States that was enacted in 1996 and governs the privacy and security of individuals’ protected health information (PHI). HIPAA sets standards to safeguard PHI and applies to healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates.
The Gramm-Leach-Bliley Act (GLBA)
GLBA is federal legislation that was enacted in 1999 and governs the privacy and security of consumer financial information. It requires financial institutions and companies that offer consumers financial products or services like loans, financial or investment advice, or insurance to implement various measures to protect the personal information of their customers.
The Fair Credit Reporting Act (FCRA)
FCRA is a federal law that was passed in 1970 and regulates the collection, accuracy, and use of consumer credit information. It aims to promote fairness, accuracy, and privacy in the credit reporting system and establishes guidelines for credit reporting agencies, creditors, and consumers.
American Data Privacy Protection Act (ADPPA) – Proposed bill
ADPPA is a proposed federal law that was introduced in 2022 and aims to safeguard the privacy of individuals’ personal information. If enacted into law, this bill would establish comprehensive regulations for the collection, use and processing of personal data by businesses and organizations operating in the United States.
FAQ on US data privacy laws
The US does not have a single federal privacy law for all states. At the state level, several US states have consumer data privacy laws in place. These include – California (CCPA and its amendment, CPRA), Virginia (VCDPA), Colorado (CPA), Utah (UCPA) and Connecticut (CTDPA).
The US also has industry-specific federal laws that govern the use of personal data in specific sectors, such as the Health Insurance Portability and Accountability Act (HIPAA) for the healthcare sector, The Fair Credit Reporting Act (FCRA) for credit reports and the Gramm-Leach-Bliley Act (GLBA) for financial information.
The first five states that have enacted comprehensive consumer data privacy laws in the US are California, Virginia, Colorado, Utah and Connecticut.
On January 1, 2023, the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA) became operative. Shortly thereafter, the Colorado Privacy Act (CPA) and the Connecticut Data Privacy Act (CTDPA) became operative on July 1, 2023. The Utah Consumer Privacy Act (UCPA) is set to come into effect on December 31, 2023.
The United States does not have an equivalent to the EU’s General Data Protection Regulation (GDPR). Currently, the US does not have a federal data privacy law, instead, there is a patchwork of laws and regulations at the state level such as the California Privacy Rights Act, Virginia Consumer Data Protection Act, Colorado Privacy Act and Connecticut Data Privacy Act.
There are also sector-specific laws such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare data, the Gramm-Leach-Bliley Act (GLBA) for financial information and the Children’s Online Privacy Protection Act (COPPA) for children’s data.
GDPR is a comprehensive data protection law and provides a solid framework for the processing of personal data in the EU. The US, in contrast, does not have a federal law that is as comprehensive as the GDPR.
The GDPR has extraterritorial reach, applying to organizations that process the personal data of EU citizens regardless of where the organization is located. US privacy laws have a more limited scope, focusing on specific sectors or industries. In the case of state laws, applicability is narrowed by thresholds, unlike the GDPR, which has a broad scope.
Another key difference is the GDPR’s approach to consent as a legal basis for processing. GDPR has strict opt-in consent requirements for data processing, especially for tracking and targeted advertising. The US laws have an opt-out consent mechanism and do not require businesses to establish a lawful basis for processing.
The GDPR imposes substantial fines for non-compliance, with penalties of up to €20 million or 4% of annual global turnover, whichever is higher. In the US, enforcement and penalties are generally not as severe as those under the GDPR and vary depending on the specific state laws.
Yes, a privacy policy is a requirement under several state privacy laws in the US, including for sector-specific regulations. For instance, if your business collects personal information from California residents, the CCPA and its amendment CPRA require you to have a privacy policy that discloses your data collection practices.
Additionally, federal data privacy laws such as HIPAA for healthcare providers and the GLBA for financial institutions also require the implementation of privacy policies.