An introduction to U.S. data compliance laws
Due to technological advances like the rise of cloud storage and social media, there is an increasing concern over privacy — especially when it comes to how businesses collect and use customer data. While the U.S. does not presently have an all-encompassing privacy law for the entire country, more and more states are establishing their own privacy laws, following the lead of California, which has the CPRA (superseding the CCPA).
Breaking down U.S. compliance laws by state
At present, there are four notable state privacy laws that have been passed and are either already in effect or expected to be soon.
California Consumer Privacy Act (CCPA): This law went into effect on January 1, 2020. It includes rules like informing data subjects of when and how their personal data will be used, and it empowers consumers to tell businesses when personal information should be modified, corrected, or deleted. The CCPA applies to businesses that have gross annual revenue of more than $25 million; purchase, obtain, or sell personal information of 50,000 or more California residents, households, or devices; or derive half or more of their annual revenue from selling California residents’ personal information.
California Privacy Rights Act (CPRA) or CCPA-Plus: The CPRA, also referred to as CCPA-plus or CCPA 2.0, passed the ballot in November 2020 and will be operative in January 2023. Its purpose is to expand on the principles of the CCPA, which protects individuals’ personal data. However, a few things distinguish the act. The CPRA gives consumers the right to ask organizations to correct false information on file. It will also establish the California Privacy Protection Agency (CPPA), and it redefines key terms like “breach.”
Virginia’s Consumer Data Protection Act (CDPA): The CDPA went into effect March 2, 2021. It borrows aspects from the CCPA and GDPR. The CDPA applies to any entity that does business in Virginia or with Virginia consumers, including entities that produce products or services targeted to Virginia residents. Additionally, it applies to companies that control or process personal data of 100,000 or more consumers in a calendar year, or those that control or process personal data of at least 25,000 consumers and derive over half of their gross revenue from the sale of personal data.
Colorado Privacy Act (CPA): Businesses that operate out of Colorado or collect personal information from Colorado residents must comply with the CPA. It emphasizes the need for organizations to follow existing data protection policies such as HIPAA, and it gives consumers the right to opt out of targeted advertising and of having their data sold, among other benefits. Unlike the CCPA, the CPA does not require a business to meet a revenue threshold to be held accountable for protecting consumer data. The CPA went into effect in June 2020.
More state privacy laws to come
Each state approaches consumer data privacy through its own lens and must consider its constituent base as it continues to develop and amend legislation. The following privacy laws are in the works:
Massachusetts Information Privacy Act (MIPA): MIPA was proposed by the state senate in March 2021 to give consumers more power over their personal data. MIPA also gives individuals the right to access, rectify, or request the deletion of data. Like the CPRA, MIPA also calls for the establishment of a state information privacy commission to enforce the law.
New York Privacy Act: This act was introduced in 2019, but recently (May 18, 2021) passed out of the New York Senate Consumer Protection Committee. It is awaiting approval by a majority of the full senate and verification by the Assembly. The New York Privacy Act is New York’s premier comprehensive privacy bill, which applies to all businesses regardless of size or income. It also makes businesses legally responsible for any consumer data they possess. This bill still awaits approval by the general senate and New York Assembly before being enacted.
Hawaii Consumer Privacy Protection Act: Offering almost all the same protections and rights as the CCPA, the Hawaii Consumer Privacy Protection Act was introduced in January 2019 and remains with the senate. This act asks businesses to disclose the third parties with whom they share data, to inform consumers what data has been collected on them, and to delete personal information if requested by the consumer, among other rules.
Maryland Online Consumer Protection Act: The Maryland Online Consumer Protection Act was proposed in February 2021. This law would allow consumers to ask businesses about the specific pieces of information that are on file and the names of third parties with which data has been shared. It would also grant consumers the ability to opt out of third-party data sharing, among other rules that may even expand beyond the regulations the CCPA has enforced.
North Dakota Privacy Law: House Bill 1485, also referred to as “the Act,” was introduced in January 2019. Like the Maryland Online Consumer Protection Act, this legislation would restrict websites from passing on personal information to third parties without user consent.
Don’t navigate U.S. data compliance laws without a strategy
The list of data compliance laws to monitor and understand is growing each year. Although we shared only a brief highlight for each state privacy law, and many of them overlap in their expectations, there are many more rules and factors to be aware of. With the right strategies and planning, U.S. state data compliance can be met.
Your organization should consider investing in dedicated data security leadership roles such as a CISO, training employees on the importance of data protection, and deploying data mapping and scanning technology to fully understand where personal information resides so that it can be safeguarded.