How do state privacy laws govern the US data landscape?
As the need for robust data protection measures has grown, individual US states are enacting their own privacy laws, resulting in a patchwork of regulations nationwide.
As the first state to pass comprehensive data privacy legislation, California is arguably at the forefront of US data privacy, thanks to its pioneering spirit and influential tech industry presence. In the last year, at least 16 states have introduced privacy bills covering areas such as biometric identifiers and health data, with some provisions differing from California’s approach. It's anticipated that more states will follow suit with their own legislation to safeguard individual data rights.
These state laws create a complex interplay where stricter state laws can offer heightened protection while still adhering to the overarching framework of federal guidelines.
What are all the state privacy laws and how do they work separately and together to govern visual data in particular? Introducing our overview on US state data privacy legislation.
California: The California Consumer Privacy Act (CCPA)
The first state to pass comprehensive data privacy legislation, the CCPA grants consumers in California enhanced control over their personal information. Consumers have the right to know what personal data is collected and how it is used, the ability to opt out of the sale or sharing of their information, and protection against discrimination for exercising their CCPA rights.
In 2020, the California Privacy Rights Act (CPRA) introduced additional privacy protections to the CCPA. Effective as of January 2023, consumers gained new rights, including the right to correct inaccurate personal information held by businesses and the right to restrict the use and disclosure of sensitive personal data.
You can learn more about the CCPA and CPRA here.
Virginia: The Virginia Consumer Data Protection Act (VCDPA)
Under the VCDPA, consumers in Virginia have rights such as confirming whether a controller is processing their personal data, accessing and correcting their personal data, and deleting provided or obtained personal data. They can also opt out of targeted advertising, the sale of personal data, or profiling.
The law applies to businesses that operate in Virginia or target residents of Virginia and meet certain thresholds of consumer data control or processing.
You can learn more about the VCDPA here.
Connecticut: The Personal Data Privacy and Online Monitoring Act
Effective from July 2023, the Act covers any business that collects personal information from Connecticut residents. Similar to other state privacy laws, it grants consumers several privacy rights and imposes privacy protection regulations on data controllers and processors, requiring them to take reasonable security measures to protect personal data.
Businesses must promptly respond to consumer requests within 45 days, with the option to extend the deadline by an additional 45 days under certain circumstances.
Colorado: The Colorado Privacy Act (CPA)
Effective from July 1, 2023, the CPA requires businesses to disclose their data collection and sharing practices to consumers and gives Colorado residents more control over their data. The law also imposes strict penalties for companies and authorises the state Attorney General to bring enforcement actions.
It applies to businesses that operate in Colorado or target Colorado residents and meet certain criteria, such as processing the personal data of 100,000 or more consumers, or deriving revenue from the sale of personal data while processing the data of 25,000 or more consumers.
The CPA requires clear and accessible privacy notices, consent for processing sensitive data, a specified purpose for data collection, minimisation of data collection to what is reasonably necessary, and proper data security measures.
Notably, the law does not exempt non-profits, distinguishing it from privacy laws in California and Virginia.
Illinois: The Biometric Information Privacy Act (BIPA)
While Illinois lacks comprehensive data privacy legislation, its Biometric Information Privacy Act (BIPA) is landmark legislation that focuses on protecting individuals' biometric data within the state of Illinois.
Under BIPA, private entities are required to obtain written consent from individuals before collecting their biometric information, including written notice which outlines the purpose and length of time for which the data will be collected and stored. Entities have to develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric data when no longer needed.
One notable aspect of BIPA is its provision for a private right of action; individuals can file lawsuits against organisations that fail to comply with the law's requirements. BIPA allows for the recovery of statutory damages, which can range from $1,000 to $5,000 per violation. Notably, Texas and Washington also have their own biometric privacy laws, but neither enables the same private right of action.
New York: The New York Privacy Act (NYPA) and The New York SHIELD Act
The New York Privacy Act is a comprehensive data privacy law that sets forth provisions for companies conducting business in New York and handling the personal data of residents to do so responsibly and lawfully.
Amongst similar privacy rights to California’s CCPA, the NYPA also requires companies to conduct annual risk assessments, disclose automated decision-making processes, and dispose of data that is no longer needed. Non-compliance can result in fines and penalties, with the maximum penalty being up to $15,000 per violation.
On the other hand, The New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act is a data breach notification and data security law, which aims to enhance data security practices and protect the personal information of New York residents.
It applies to any person or business that owns or licences computerised data that includes private information of New York residents, regardless of whether the person or business conducts business in New York.
The SHIELD Act requires the implementation of reasonable safeguards to protect the security, confidentiality, and integrity of private information, i.e. social security numbers, driver's license numbers, financial account information, and biometric information. These safeguards include the development of a data security program that assesses risks, implementing security measures, and providing employee training on data security practices. Additionally, covered entities are required to notify affected individuals and the New York State Attorney General in the event of a data breach that compromises private information.
Indiana: The Consumer Data Protection Act (INCDPA)
Indiana’s INCDPA applies to companies conducting business in Indiana or targeting Indiana residents. In comparison to other state laws, the INCDPA takes a business-friendly approach by narrowly defining the disclosures of personal data that require opt-in consent, and by providing a mandatory right to cure, i.e. a remedy period.
The INCDPA distinguishes between controllers and processors, requires confidentiality and compliance with the INCDPA in processor contracts, and mandates clear and meaningful privacy notices from controllers.
The law clearly defines the term "sale" of personal data and provides consumers rights to access, correct, delete, obtain a copy of personal data, and opt out of the sale of personal data. Notably, there is no private right of action for consumers under the INCDPA.
Iowa: The Consumer Data Protection Act (ICDPA)
Similar to other state-level privacy laws, the Iowa Consumer Data Protection Act applies to businesses operating in Iowa or targeting Iowa residents and follows an opt-out model.
The ICDPA grants consumers four main rights, including access to their personal data, the right to delete their data, the right to data portability, and the right to opt out of the sale of personal data.
There are exemptions for entities governed by existing federal laws, such as HIPAA and COPPA, as well as state government entities, financial institutions, higher education institutions, and non-profit organisations. Unlike the CCPA, the law does not include rights such as correction, opting out of automated decision-making and profiling, or granting consumers a private right of action.
Montana: The Consumer Data Privacy Act (MTCDPA)
The MTCDPA grants consumers the right to revoke their consent to data processing, opt out of sales of personal data and targeted advertising, and request the deletion of all personal data held by businesses. It also prohibits the sale or processing of personal data of minors aged 13 to 16 for targeted advertising without consent.
The law applies to companies that control or process the personal data of at least 50,000 Montana residents or at least 25,000 Montana residents while deriving more than 25% of gross revenue from the sale of personal data.
This law will be in effect in October 2024.
Tennessee: The Information Protection Act (TIPA)
Passed by the Tennessee State Senate in April 2023 and becoming effective in July 2025, the TIPA introduces various requirements for businesses operating in Tennessee, including risk assessments, data minimisation, clear privacy notices, and obtaining opt-in consent for processing sensitive personal information.
The TIPA grants consumers several personal information rights, including the right to know, access, correct, and delete, as well as data portability and the right to opt out of sales, targeted advertising, and profiling.
Like Connecticut’s data privacy law, businesses must respond to consumer requests within 45 days, with a possible extension of an additional 45 days. They are also required to conduct data protection assessments for certain processing activities, such as targeted advertising, sale of personal information, profiling, and processing of sensitive data.
Enforcement of the TIPA will be carried out by the Tennessee Attorney General, with a 60-day cure period provided for violations. Failure to remediate violations within this period may result in civil penalties of up to $7,500 per violation. There is no private right of action under this law.
Utah: The Consumer Privacy Act (UCPA)
The UCPA is similar in some aspects to the consumer privacy laws in California, Virginia, and Colorado but takes a lighter and more business-friendly approach to consumer privacy.
The law applies to controllers or processors who conduct business in Utah, have an annual revenue of $25 million or more, and either control or process personal data of 100,000 or more consumers or derive over 50% of their gross revenue from the sale of personal data and control or process personal data of 25,000 or more consumers.
The UCPA provides consumer rights including the right to access, delete, and obtain a copy of personal data, as well as the right to opt out of targeted advertising and the sale of personal data. However, the right to correct inaccuracies in personal data is absent from the UCPA.
The law contains both entity-level and data-level exemptions, exempting institutions of higher education, nonprofits, covered entities under HIPAA, financial institutions under the Gramm-Leach-Bliley Act, government entities, and certain other categories.
In comparison to other laws, the UCPA does not require consent for processing sensitive personal data, though controllers must clearly notify consumers and provide the opportunity to opt out of this processing.
Until comprehensive federal legislation is enacted, organisations must navigate the intricacies of state-specific data privacy laws to ensure compliance and avoid potential fines. Data privacy is a dynamic and evolving field, and adapting practices to align with the changing legal landscape is important. By proactively engaging with privacy regulations, organisations can safeguard consumer data, build trust with their customers, and mitigate the risk of penalties.