The State of U.S. State Privacy Laws: A Comparison
In the continuing absence of Congressional action on a comprehensive U.S. federal privacy law, five states have now enacted their own laws. We previously provided a summary of the California, Virginia, and Colorado laws (available here), and Utah and Connecticut have since enacted new privacy laws. The Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA) was signed into law on May 10, 2022 and is scheduled to take effect on July 1, 2023. The Utah Consumer Privacy Act (UCPA) was signed into law on March 24, 2022 and is scheduled to take effect on December 31, 2023. As reflected in the comparison chart below, the CTDPA and UCPA are similar to the recently enacted Colorado Privacy Act (CPA) and Virginia Consumer Data Protection Act (VCDPA) in many respects, but there are some key differences among these laws and the California Consumer Privacy Act (CCPA), which took effect in 2020 and was amended by the California Privacy Rights Act (CPRA).
On April 11, 2022, Virginia’s Governor signed three amendments to the VCDPA into law, although the law has not yet gone into effect. The amendments: eliminate a previously established Consumer Privacy Fund; make it simpler for businesses that obtain personal data about consumers from sources other than the consumers to comply with consumer deletion requests; and broaden the definition of non-profits that are exempt from the law.
All the new state laws define the term “personal information” or “personal data” broadly. Unlike the CCPA, however, the CTDPA, UCPA, CPA, and VCDPA borrow terms and definitions from the EU General Data Protection Regulation, such as “controller” and “processor” (for covered entities and their service providers, respectively) and “personal data.” In addition, all of the state laws except the UCPA require covered entities to conduct data security assessments for processing activities that present a “heightened” risk of harm, such as profiling, selling personal data, processing sensitive personal data, and engaging in targeted advertising.
The CCPA is currently the only one of the five new state laws that allows a private right of action, and the right is limited to breaches of “personal information” (as that term is defined in a separate California data breach notification law, which is more narrowly defined than the term “personal information” in the CCPA). The CPRA extends the CCPA private right of action to data breaches that compromise a username and password and creates a new enforcement body, the California Privacy Protection Agency (CPPA). The state has already created and funded the CPPA, and the CPPA has held informational and stakeholder meetings as part of the process of implementing rules.
The California, Virginia, Colorado, Utah, and Connecticut privacy laws and any implementing regulations, when adopted, must be reviewed in detail to assess their application to a specific entity’s operations, but the chart below offers a high-level comparison of key features of each law. Businesses also remain subject to a host of other U.S. federal and state privacy, data security, and data breach notification laws beyond these new comprehensive laws.
THIS SUMMARY IS INTENDED TO PROVIDE GENERAL INFORMATION ABOUT APPLICABLE LAWS AND DOES NOT CONSTITUTE LEGAL ADVICE REGARDING SPECIFIC FACTS OR CIRCUMSTANCES.
| Feature | California Consumer Privacy Act (CCPA) | California Privacy Rights Act (CPRA) | Virginia Consumer Data Protection Act (VCDPA) | Colorado Privacy Act (CPA) | Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA) | Utah Consumer Privacy Act (UCPA) |
|---|---|---|---|---|---|---|
| Effective Date | January 1, 2020 (12-month lookback period) | January 1, 2023 (12-month lookback period, but for personal information collected after 1/1/2022, consumers may request information beyond the 12-month period) | January 1, 2023 | July 1, 2023 | July 1, 2023 | December 31, 2023 |
| Covered Entities | Businesses; requires contracts between Businesses and Service Providers | No change to CCPA | Controllers and Processors; requires contracts between Controllers and Processors, and Processors must assist Controllers in performing their obligations | Controllers and Processors; requires contracts between Controllers and Processors, and Processors must assist Controllers in performing their obligations | Controllers and Processors; requires contracts between Controllers and Processors, and Processors must assist Controllers in performing their obligations | Controllers and Processors; requires contracts between Controllers and Processors, and Processors must assist Controllers in performing their obligations |
| Threshold Requirements | Any legal entity organized or operated for the profit or financial benefit of its shareholders/owners that does business in CA and: (1) has annual gross revenues > $25 mil; (2) annually buys, sells, or shares personal information of 50,000 or more consumers or households; or (3) derives 50% or more of annual revenues from selling personal information | Increases threshold number of consumers and households to 100,000 and applies to any legal entity that derives 50% or more of annual revenues from selling or sharing personal information | Person conducts business in VA or produces products or services targeted to VA residents and: | Controller conducts business in CO or produces products or services targeted to CO residents and: | Person conducts business in CT or produces products or services targeted to CT residents and during the preceding calendar year: | Controller or processor conducts business in the state or produces products or services targeted to UT residents and: (1) has annual revenue of $25,000,000 or more; and (2) controls or processes personal data of 100,000 or more consumers, or derives > 50% of gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers |
| Definition of Consumer | CA resident; many provisions pertaining to commercial contacts and employees deferred until 1/1/2023 | No change to CCPA | VA resident, excluding commercial contacts and employees | CO resident, excluding commercial contacts and employees | CT resident, excluding commercial contacts and employees | UT resident, excluding commercial contacts and employees |
| Definition of Personal Information/Data | Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household | No change to CCPA | Information that is linked or reasonably linkable to an identified or identifiable individual | Information that is linked or reasonably linkable to an identified or identifiable individual | Information that is linked or reasonably linkable to an identified or identifiable individual | Information that is linked or reasonably linkable to an identified or identifiable individual |
| Personal Information/Data Excludes De-Identified Data and Publicly Available Information | 🗸 | No change to CCPA | 🗸 | 🗸 | 🗸 | 🗸 |
| Sensitive Information/Data (sub-categories below; the category labels were not preserved in the source) | | | | | | |
| | 🗸 | No change to CCPA | 🗸 | 🗸 | 🗸 | 🗸 |
| | 🗸 | No change to CCPA | 🗸 | 🗸 | 🗸 | 🗸 |
| | 🗸 | No change to CCPA | 🗸 | 🗸 | 🗸 | 🗸 |
| | 🗸 | No change to CCPA | 🗸 | 🗸 | 🗸 | 🗸 |
| | 🗸 | No change to CCPA | 🗸 | 🗸 | 🗸 | 🗸 |
| | X Personal information pertaining to children is not defined as “sensitive,” but parental consent is required for the “sale” of personal information pertaining to children under 13, and teens under 16 must opt-in to a “sale” of their personal information | No change to CCPA | 🗸 | 🗸 | 🗸 | X |
| | 🗸 | No change to CCPA | 🗸 | X | 🗸 | 🗸 |
| | 🗸 | No change to CCPA | X | X | X | X |
| | 🗸 | No change to CCPA | X | X | X | X |
| | 🗸 | No change to CCPA | X | X | X | X |
| | 🗸 | No change to CCPA | 🗸 | 🗸 | 🗸 | 🗸 |
| Consent Required to Process Sensitive Personal Information/Data | X Personal information pertaining to children is not defined as “sensitive,” but parental consent is required for the “sale” of personal information pertaining to children under 13, and teens under 16 must opt-in to a “sale” of their personal information | X No, but right to limit use and disclosure of sensitive personal information | 🗸 Consent required to process sensitive data, and consent from parent or guardian required to process sensitive data pertaining to a child | 🗸 Consent required to process sensitive data, and consent from parent or guardian required to process sensitive data pertaining to a child | 🗸 Consent required to process personal data for targeted advertising or sell personal data if Controller has actual knowledge, and willfully disregards, that the consumer is 13-16 years of age | X Controller must provide consumer with notice and right to opt-out of data collection; children’s data is not defined as “sensitive,” but controllers must comply with COPPA |
| What Constitutes a Sale of Personal Information/Data | Selling, renting, releasing, disclosing, disseminating, making available, transferring, or communicating personal information for monetary or other valuable consideration | Adds “sharing” to definition and clarifies that behavioral advertising constitutes a sale | Exchange of personal data for monetary consideration | Exchange of personal data for monetary or other valuable consideration | Exchange of personal data for monetary or other valuable consideration | Exchange of personal data for monetary consideration |
| What Does Not Constitute a Sale | | | | | | |
| Privacy Notice Required | 🗸 | No change to CCPA | 🗸 | 🗸 | 🗸 | 🗸 |
| Consumer Rights Regarding Personal Information/Data Collected (sub-rows below; row labels were not preserved in the source) | | | | | | |
| | 🗸 Right to know categories, specific pieces of personal information collected, and categories of sources and parties with whom information is shared; Business must provide at least two methods for making requests, including a toll-free number | No change to CCPA | 🗸 | 🗸 | 🗸 | 🗸 |
| | 🗸 Business must provide at least two methods for making requests, including a toll-free number | No change to CCPA | 🗸 | 🗸 | 🗸 | 🗸 |
| | X | 🗸 Business must provide at least two methods for making correction requests, including a toll-free number | 🗸 | 🗸 | 🗸 | X |
| | Right to opt-out of sale of personal information | Right to opt-out of sale or sharing of personal information; websites must include a “Limit the Use of My Sensitive Personal Information” link in addition to a “Do Not Sell or Share My Personal Information” link | Right to opt-out of sale of personal data, targeted advertising, and profiling | Right to opt-out of sale of personal data, targeted advertising, and profiling; contemplates a user-selected universal opt-out mechanism effective 7/1/2024 | Right to opt-out of processing personal data for targeted advertising, the sale of personal data, or profiling; methods employed to allow consumers to exercise their rights must include a website link to a page that enables a consumer or agent to opt-out of targeted advertising or a sale of personal data; no later than 1/1/2025, Controllers must allow consumers to opt-out of targeted advertising or a sale of personal data through an opt-out preference signal sent, with a consumer’s consent, by a platform, technology, or mechanism indicating the intent to opt-out | Right to opt-out of sale of personal data and targeted advertising |
| | 🗸 | 🗸 Data should be provided in a format easily understandable to the average consumer and, to the extent technically feasible, in a structured, commonly used, machine-readable format | 🗸 | 🗸 | 🗸 | 🗸 |
| Timeframe for Responding | Access and Deletion Requests: acknowledge within 10 business days; respond within 45 days. Opt-Out Requests: respond within 15 business days | Adds 45 days to respond to correction requests | 45 days | 45 days | 45 days | 45 days |
| Data Minimization | 🗸 | No change to CCPA | 🗸 | 🗸 | 🗸 | 🗸 |
| Non-Discrimination | 🗸 | No change to CCPA | 🗸 | 🗸 | 🗸 | 🗸 |
| Authorized Agent Can Invoke Rights on Behalf of Consumer | 🗸 | No change to CCPA | X | X | 🗸 Agent can invoke right to opt-out of a sale, targeted advertising, or profiling | X |
| Parent Can Invoke Rights on Behalf of Child | 🗸 | No change to CCPA | 🗸 | 🗸 | 🗸 | 🗸 |
| Parental Consent for Collection of Personal Information/Data from Children Under 13 | X Parental consent is not required for the collection of personal information from children, but parental consent is required for the “sale” of personal information pertaining to children under 13, and teens under 16 must opt-in to a “sale” of their personal information | No change to CCPA | 🗸 | 🗸 | 🗸 Defers to COPPA | 🗸 Defers to COPPA |
| Written Contracts with Service Providers/Processors and Others Required | 🗸 Requires contracts between Businesses and Service Providers | 🗸 New defined term of “Contractor” and new requirements for contracts between Businesses and Contractors | 🗸 Requires contracts between Controllers and Processors | 🗸 Requires contracts between Controllers and Processors | 🗸 Requires contracts between Controllers and Processors | 🗸 Requires contracts between Controllers and Processors |
| Recordkeeping | 🗸 At least 24 months | 🗸 | X | X | X | X |
| Data Impact Assessments Required | X | 🗸 | 🗸 | 🗸 | 🗸 | X |
| Implement and Maintain Reasonable Administrative, Technical, and Physical Data Security Practices | 🗸 | No change to CCPA | 🗸 | 🗸 | 🗸 | 🗸 |
| Private Right of Action | 🗸 Only in the event of a security breach that compromises “personal information” (as that term is defined in a separate California data breach notification law) | 🗸 Extends CCPA private right of action to breach of a username and password that permits access to an account | X | X | X | X |
| Enforcement | AG | Creates new California Privacy Protection Agency | AG | AG, District Attorneys | AG | Division of Consumer Protection will investigate and refer to AG |
| Opportunity to Cure | 30 days | Eliminates CCPA right to cure effective 1/1/2023 | 30 days | 60 days (expires 12/31/2024) | 60 days (expires 12/31/2024, but within AG’s discretion after such date) | 30 days |
Federal Legislation
While states forge ahead with privacy legislation, members of Congress continue to put forth their own federal privacy bills, several of which focus on children’s privacy. In February 2022, Senators Richard Blumenthal (D-CT) and Marsha Blackburn (R-TN) introduced The Kids Online Safety Act. This bill, aimed at large tech companies, requires social media platforms to give children tools for protecting their personal information and makes proprietary algorithms available to researchers studying harms to the safety and well-being of minors. Other children’s privacy bills, such as the Children and Teens’ Online Privacy Protection Act introduced by Senator Ed Markey (D-MA), would amend the Children’s Online Privacy Protection Act (COPPA). Markey’s bill raises the COPPA age threshold from 13 to 16 and prohibits targeted advertising directed to children. The Protecting the Information of our Vulnerable Children and Youth Act, introduced by Representative Kathy Castor (D-FL), raises the age threshold to 18 and broadens COPPA’s “actual knowledge” standard to cover online services “targeted to or attractive to children.”
Both businesses and consumers would benefit from a clear, comprehensive federal privacy law. Many businesses believe it is crucial that any new federal privacy law work with existing federal privacy laws, such as the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and COPPA, along with others. To establish the goal of a uniform national standard, most businesses agree that, like the aforementioned laws, new federal privacy legislation must explicitly preempt state and local laws. The business community also opposes creating a private right of action, favoring instead strong enforcement by a central federal agency, such as the FTC, with state attorneys general also given enforcement authority.
Data is the engine of a significant part of today’s economy, and the 2022 state and federal legislative landscape promises more attention on privacy and data security. Creating a common national U.S. legal standard to maintain consumer privacy and data security is critically important to promote consumer confidence and foster a competitive global economy. It is hoped that stakeholders will work together to forge federal legislation that establishes a fair and workable national privacy framework in the United States.
For more information on privacy and data security matters, please contact us:
Sheila Millar: 202.434.4143, millar@khlaw.com
Tracy Marshall: 202.434.4234, marshall@khlaw.com