Updated May 5, 2022.
A data privacy wave is making its way across the US, washing over state legislatures and challenging the adtech industry’s mass-collection of personal data for profit.
In the absence of a federal law, a state-by-state patchwork of data protection bills has begun to take shape. Four major bills have been signed into law so far and, looking to the horizon, dozens more are on their way.
In this blogpost, we gaze out at the rapidly changing landscape of US data privacy law to give you an overview of what’s up and down, and what’s next.
A catalyst for the wave now rolling across the US was the passing of California’s two data privacy bills – the California Consumer Privacy Act (CCPA) in 2018 and the supplementary California Privacy Rights Act (CPRA) in 2020 – setting in motion a ripple-effect across the rest of the country with data protection bills now being drafted in a dozen states.
The speed with which the US data privacy law wave is spreading from state to state also seems to be increasing. It took California several years to get its CCPA/CPRA legal regime in place (and some would argue that it is still a moving target), while Virginia became the second state to enact a comprehensive US data privacy law with the Virginia Consumer Data Protection Act (VCDPA) after a legislative session of less than two months.
After Virginia’s VCDPA and California’s CCPA/CPRA, a dozen US data privacy laws are on the horizon.
Each state’s draft US data privacy law looks different from the next – some with prior consent requirements akin to the EU’s GDPR and others with broader opt-out rights; some with larger scopes and some with sectoral exemptions – and no state has so far simply copied California’s model.
Looming over the prospect of an uneven collage of state-level data protection across the country is the absence of a standardized federal US data privacy law, and the difficult path ahead for getting one passed and enacted.
State-level US data privacy laws springing up left and right across the country will increase the federal momentum, argues Future of Privacy Forum Senior Fellow Peter Swire to IAPP, since a jagged patchwork of state laws with fundamentally different models creates a headache of compliance and competition issues.
On March 2, 2021, Virginia’s Consumer Data Protection Act (VCDPA) was signed into law, making the Old Dominion the second state to enact a broad and comprehensive US data privacy law (third if you count Nevada’s smaller and more limited SB220, scheduled to be overhauled soon).
Virginia’s Consumer Data Protection Act (VCDPA) came about after a surprisingly short legislative session (less than two months) and borrows provisions and principles from both California’s Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR).
Virginia’s Consumer Data Protection Act (VCDPA) will take effect on January 1, 2023 and will be enforced by the Virginia Attorney General.
Virginia’s VCDPA is the second US data privacy law to be signed into law, taking effect in January 2023.
Virginia’s Consumer Data Protection Act (VCDPA) quick breakdown –
Website owners and companies who have dealt with becoming compliant with California’s CCPA over the past two years will likely be familiar with the California Attorney General’s frequently changing draft regulations on enforcement, often the cause for the CCPA to be described as a “moving target” in the data privacy industry.
But, as IAPP notes, Virginia’s VCDPA avoids this process altogether by not including any requirements for rulemaking. Rather, it rests with the Virginia Attorney General to enforce Virginia’s Consumer Data Protection Act (CDPA) as it is written, with civil penalties for non-compliance of up to $7,500 per violation.
A review of potential legislative modifications has been scheduled for later in 2021.
In addition to the quick breakdown overview above, let’s have a look at what rights the second comprehensive US data privacy law brings for Virginia residents.
The Virginia Consumer Data Protection Act (CDPA) empowers Virginia residents with the following rights –
Virginia’s Consumer Data Protection Act (CDPA) builds on the waves of data privacy legislation that have washed over the world in the past years, most notably California’s and the EU’s GDPR.
Building on the first comprehensive US data privacy law, California’s CCPA, Virginia’s VCDPA also empowers state residents with the right to opt out of having personal data sold to third parties, but interestingly enough, it goes a bit further than California’s by also allowing users to opt out of personal data processing done for data profiling and targeted advertisement purposes.
US data privacy laws are shaping up in many states simultaneously, forming a patchwork of state-by-state data protection across America in the absence of a federal data privacy law.
Looking across the Atlantic, Virginia’s VCDPA borrows provisions from another major piece of data privacy legislation, namely the EU’s GDPR.
Like the EU’s GDPR, Virginia’s VCDPA requires you to obtain explicit and affirmative consent from your website’s users before processing sensitive data. This makes the VCDPA’s consent provision broader and stricter than California’s CCPA/CPRA, whose opt-in consent requirement applies only to the sale of personal information of consumers under 16.
The VCDPA’s definition of consent is lifted almost word-for-word from the EU’s GDPR, requiring a “freely given, specific, informed, and unambiguous agreement” for an end-user consent to be valid.
Also inspired by the EU’s GDPR, Virginia’s VCDPA requires you to perform data protection assessments for so-called “high risk processing” of personal data, which covers if you engage in targeted advertisement, the selling of personal data and profiling (though a bit different in practice from the GDPR’s provision).
When comparing Virginia’s VCDPA to California’s CCPA/CPRA, as we did in the introduction of this article, it becomes clear that (although inspired by California’s model) Virginia has gone its own way with its US data privacy law.
The biggest differences between Virginia’s VCDPA and California’s CCPA/CPRA are –
The two US data privacy laws offer different models with California’s applying to more businesses than Virginia’s.
With a faster legislative session and a bill that is, in many ways, tighter and more straightforward, Virginia now offers a different roadmap for US data privacy laws than California’s model.
On July 8, 2021, the state of Colorado officially enacted the Colorado Privacy Act (CPA), making the Centennial State the third state to enact a broad and comprehensive US data privacy law, following California in 2018 and Virginia earlier in 2021.
The enactment of Colorado’s CPA is a continuation of the trend of state legislatures directing the progress of the general consumer data privacy framework in the U.S.
Colorado’s Privacy Act will take effect on July 1, 2023.
Colorado became the third state to enact a broad and comprehensive US data privacy law.
After the quick breakdown, let’s now look at what rights the third comprehensive US data privacy law brings for Colorado consumers.
The Colorado Privacy Act (CPA) empowers Colorado consumers with the following five rights –
Like Virginia’s CDPA, the CPA also gives consumers the right to appeal a business’ refusal to act on a request within a reasonable time period. Under the CPA, a business has to respond to a consumer request within 45 days.
If a business declines to take action, the CPA requires the controller to provide an appeal process that is conspicuously available and easy to use.
Colorado’s CPA defines a controller as the entity that determines the purposes for and means of processing personal data. The obligations the CPA places on controllers are similar to those defined in California’s CCPA and Virginia’s CDPA.
These obligations will be explained in more detail here:
Besides these obligations, any processing carried out by a processor on the controller’s behalf has to be governed by a contract between the controller and the processor.
The purpose of the contract is to establish the processing instructions to which the processor is bound, including the nature and purpose of the processing and its duration. Similar requirements are stated in the EU’s GDPR and Virginia’s CDPA as well.
Overall, Colorado’s CPA is not a trailblazer in the data privacy world, but its significance is reflected in the growing trend of enhanced consumer privacy protections in the US and by the fact that it is one of the first ones to be enacted.
If you were to compare it with the ones in California and Virginia, the Colorado CPA is probably a bit harsher than Virginia’s CDPA and a bit more moderate than California’s CCPA.
On January 1, 2020, the California Consumer Privacy Act (CCPA) took effect, making California the first state with a comprehensive US data privacy law in force. The law itself had been signed two years earlier.
Unlike Virginia’s CDPA, which flew through the state’s legislature, the California Consumer Privacy Act (CCPA) started as a grassroots initiative by Alastair Mactaggart of Californians for Consumer Privacy, who drafted an early version of the CCPA as a ballot initiative meant to appear on the November 2018 election ballot.
After heavy industry lobbying, a negotiated and narrower version of the initiative was written into a bill, which the legislature passed unanimously and the governor signed into law on Thursday June 28, 2018, in exchange for the ballot initiative being withdrawn.
California’s CCPA was the first US data privacy law to empower residents with several rights over their personal information, chief among them the right to opt out of having it sold to third parties (the now-famous requirement for a “Do Not Sell My Personal Information” link on your website).
This opt-out right has become a model for both Virginia’s CDPA and most other US data privacy laws in draft at this moment, and it categorically sets the overall US data privacy law landscape apart from the EU’s General Data Protection Regulation, which operates on a prior-consent model: for website tracking and non-essential cookies, users’ explicit consent (or another lawful basis under the GDPR) must be in place before any personal data is processed, as opposed to California’s (and Virginia’s) model of post-collection opt-outs.
As the first US data privacy law to come into effect, California’s CCPA sparked change across the nation.
Then, in the 2020 General Election, the addendum California Privacy Rights Act (CPRA) was passed as a ballot initiative (Proposition 24), bypassing the state legislature that had crafted the CCPA two years before; it is now waiting to take effect on January 1, 2023.
California’s CPRA amends and expands the CCPA, e.g. changing the scope (raising the consumer-count threshold so that some smaller businesses fall out of scope, while businesses that share personal information for cross-context behavioral advertising fall into it), specifying regulation of behavioral advertising in the state, empowering California residents with four new data rights, establishing the California Privacy Protection Agency (CPPA) as lead enforcer in the state (rather than the Attorney General) and creating the category of sensitive personal information with stronger protections.
Together, California’s CCPA/CPRA setup –
The state of US data privacy law is in flux – a flurry of movement is happening across a dozen state legislatures, emboldened by California, Virginia and Colorado's data protection achievements, and left to draft their own in the absence of a federal law.
The data privacy wave spilling across the US, triggered by a big public awakening to the issues of data protection and surveillance capitalism in recent years, has created a legal landscape in rapid change, with some states following California’s model to varying degrees (like Virginia’s CDPA and Washington’s Privacy Act) and other states going their own way with an eye fixed on the EU and its strict prior-consent model (like Oklahoma’s OCDPA).
Different roads are forking in the US data privacy law landscape, and it remains to be seen which one – if any – a federal bill would follow.
At Usercentrics, the creators of Cookiebot CMP, we work hard every day to push true end-user consent and data protection to the world through a balanced and sustainable Internet economy. We follow all US data privacy law developments closely, so we can bring our unmatched data privacy expertise to you and your compliance needs in the future.
Cookiebot CMP is a plug-and-play solution offering compliance for your website with all major data protection laws in the world, including California’s CCPA/CPRA.
Try Cookiebot CMP free for 30 days – or forever if you have a small website.
Yes, the US has several state-level data privacy laws that regulate and protect end-user personal information in their respective states. While the US does not have a federal data privacy law, Colorado’s Privacy Act (CPA), Virginia’s Consumer Data Protection Act (VCDPA) and California’s Consumer Privacy Act (CCPA) and Privacy Rights Act (CPRA) have been passed and signed, with California’s CCPA in effect today.
California, Virginia and Colorado have data privacy laws. California has two data privacy laws – the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) – while Virginia has the Consumer Data Protection Act (VCDPA) and Colorado has the Colorado Privacy Act (CPA). Only California’s CCPA is in effect, with the CPRA and VCDPA taking effect on January 1, 2023 and Colorado’s CPA on July 1, 2023.
Virginia’s Consumer Data Protection Act (CDPA) is very similar to California’s CCPA/CPRA model – empowering residents with close to the same rights, including the famous opt-out right, and requiring your website to provide users with detailed information on the data you collect and who you share it with. The biggest differences between Virginia’s VCDPA and California’s CCPA/CPRA are their scope and enforcement.
Yes, websites, companies and organizations in the US that process personal data from users in the EU are required to comply with the EU’s General Data Protection Regulation (GDPR). Before setting non-essential cookies or otherwise processing personal data from EU users, websites must first obtain the users’ explicit prior consent (or establish another lawful basis under the GDPR).