
US data privacy laws emerge state by state.

Published April 28, 2021.


A data privacy wave is making its way across the US, washing over state legislatures and challenging the adtech industry’s mass-collection of personal data for profit.

In the absence of a federal law, a state-by-state patchwork of data protection bills has begun to take shape. Three major bills have been signed into law so far and, looking to the horizon, dozens more are on their way.

In this blogpost, we gaze out at the rapidly changing landscape of US data privacy law to give you an overview of what’s up and down, and what’s next.


US data privacy laws, in short

US data privacy laws emerge as jagged puzzle


A catalyst for the wave now rolling across the US was the passing of California’s two data privacy bills – the California Consumer Privacy Act (CCPA) in 2018 and the supplementary California Privacy Rights Act (CPRA) in 2020 – setting in motion a ripple-effect across the rest of the country with data protection bills now being drafted in a dozen states.

The speed with which the US data privacy law wave is spreading from state to state also seems to be increasing – it took California several years to get its CCPA/CPRA legal regime in place (and some would argue that it’s still a moving target), while Virginia became the second state to enact a comprehensive US data privacy law in just a matter of weeks, and several states could be next in 2021.



After Virginia’s CDPA and California’s CCPA/CPRA, a dozen US data privacy laws are on the horizon.



States with draft US data privacy laws on the horizon include

Each state’s draft US data privacy law looks different from the next – some with prior consent requirements akin to the EU’s GDPR and others with broader opt-out rights; some with larger scopes and some with sectoral exemptions – and no state has so far simply copied California’s model.

Looming over the prospect of an uneven collage of state-level data protection across the country is the absence of a standardized federal US data privacy law, and the difficult path ahead for getting one passed and enacted.

To date three federal US data privacy laws have been put forward, but with no hearings planned anytime soon, the process shows signs of having stalled.

State-level US data privacy laws springing up left and right across the country will increase the federal momentum, argues Future of Privacy Forum Senior Fellow Peter Swire to IAPP, since a jagged patchwork of state laws with fundamentally different models creates a headache of compliance and competition issues.

See IAPP's comparison of proposed federal US data privacy laws



A federal US data privacy law would potentially override state bills and standardize data protection nationally.



US data privacy laws differ in important areas

What will it mean to have a number of different state-wide US data privacy laws, each with their own specific compliance requirements?

Well, we can glimpse this already by looking at the two major US data privacy laws passed so far, California’s CCPA/CPRA and Virginia’s CDPA.


Differences between California’s CCPA/CPRA and Virginia’s CDPA

See IAPP's comparison of California's CCPA and Virginia's CDPA

In short, a dozen different US data privacy laws across America means different compliance requirements for your website, company or organization – depending on each state bill’s scope, definitions and eligibility.

While many website owners might yearn for a simpler approach through a national US data privacy law, one is unlikely to be passed soon.

Rather, local and statewide data privacy bills will continue to be drafted and enacted, and so let’s take a look at the major bills passed and the ones on the horizon in 2021.




US data privacy law compliance with Cookiebot CMP


Cookiebot CMP is a consent management platform that offers unmatched compliance solutions to fit websites of any shape and size and help them meet the requirements of most major data privacy laws in the world.

Almost all processing of personal data and sensitive information on your website happens through cookies and trackers. These also share your users’ data with third parties like Google and Facebook.

With a powerful website scanner at its core that finds and controls all cookies and trackers on your website, Cookiebot CMP offers automatic granular consent and opt-out solutions to your end-user, bringing true compliance and data protection to your domain in a plug-and-play solution implemented straight from the cloud.

Through automatic geotargeting, Cookiebot CMP enables your website to always present its users with the correct and compliant consent banner, opt-out link or privacy notice, depending on where in the world they are located and which data privacy regime applies.

With detailed information on each cookie’s duration, technical specifications, provider and purpose, you’ll be able to protect the privacy of your end-users and be in compliance with both US data privacy laws and data protection regulations around the world.

With Cookiebot CMP your website can achieve compliance with major data privacy laws like the EU’s GDPR, California’s CCPA, Canada’s PIPEDA, Brazil’s LGPD, South Africa’s POPIA, New Zealand’s Privacy Act, Singapore’s PDPA, Malaysia’s PDPA and more.





US data privacy laws passed


Let’s take a broad look at the two major US data privacy laws that have been signed to date and are either in effect now or waiting to go into effect.

We’ll start with the most recent, Virginia’s Consumer Data Protection Act (CDPA) and then look at California’s CCPA/CPRA model that started the legislative wave across America.


Virginia’s Consumer Data Protection Act (CDPA)


Newest major US data privacy law passed in Virginia’s CDPA

On March 2, 2021, Virginia’s Consumer Data Protection Act (CDPA) was signed into law, making the Old Dominion the second state to enact a broad and comprehensive US data privacy law (third if you count Nevada’s smaller and more limited SB220, scheduled to be overhauled soon).

Virginia’s Consumer Data Protection Act (CDPA) came about after a surprisingly short legislative session (less than two months) and borrows provisions and principles from California’s Consumer Privacy Act (CCPA), Washington’s not-yet-passed Privacy Act (WPA) and the EU’s General Data Protection Regulation (GDPR).

Virginia’s Consumer Data Protection Act (CDPA) will take effect on January 1, 2023 and will be enforced by the Virginia Attorney General.



Virginia’s CDPA is the second US data privacy law to be signed into law, taking effect in January 2023.



Virginia’s Consumer Data Protection Act (CDPA) quick breakdown

Virginia’s CDPA empowers residents with rights found both in California’s CCPA and the EU’s GDPR.



Website owners and companies who have dealt with becoming compliant with California’s CCPA over the past two years will likely be familiar with the California Attorney General’s frequently changing draft regulations on enforcement, often the cause for the CCPA to be described as a “moving target” in the data privacy industry.

But, as IAPP notes, Virginia’s CDPA avoids this process altogether by not including any requirements for rulemaking. Rather, it rests with the Virginia Attorney General to enforce Virginia’s Consumer Data Protection Act (CDPA) as it’s written, with fines for non-compliance up to $7,500.

A review of potential legislative modifications has been scheduled for later in 2021.


Virginia’s CDPA rights for Virginia residents

In addition to the quick breakdown overview above, let’s have a look at what rights the second comprehensive US data privacy law brings for Virginia residents.

The Virginia Consumer Data Protection Act (CDPA) empowers Virginia residents with the following rights –

Virginia’s Consumer Data Protection Act (CDPA) builds on the waves of data privacy legislation that have washed over the world in the past years, most notably California’s and the EU’s GDPR.

Building on the first comprehensive US data privacy law, California’s CCPA, Virginia’s CDPA also empowers state residents with the right to opt out of having personal data sold to third parties, but interestingly enough, it goes a bit further than California’s by also allowing users to opt out of personal data processing done for data profiling and targeted advertisement purposes.



US data privacy laws are shaping up in many states simultaneously, forming a patchwork of state-by-state data protection across America in the absence of a federal data privacy law.



See the Virginia Consumer Data Protection Act law text



Virginia’s CDPA vs EU’s GDPR

Looking across the Atlantic, Virginia’s CDPA borrows provisions from another major piece of data privacy legislation, namely the EU’s GDPR.

Like the EU’s GDPR, Virginia’s CDPA requires you to obtain explicit and affirmative consent from your website’s users when processing sensitive data. This makes the CDPA’s consent provision broader and stricter than that of California’s CCPA/CPRA, which only applies to minors.

The CDPA’s definition of consent is even word-for-word taken from the EU’s GDPR, requiring the “freely given, specific, informed and unambiguous agreement” to constitute a valid end-user consent.

Also inspired by the EU’s GDPR, Virginia’s CDPA requires you to perform data protection assessments for so-called “high risk processing” of personal data, which covers targeted advertising, the selling of personal data and profiling (though a bit different in practice from the GDPR’s provision).




Virginia’s CDPA vs California’s CCPA

When comparing Virginia’s CDPA to California’s CCPA/CPRA, as we did in the introduction of this article, it becomes clear that (although inspired by California’s model) Virginia has gone its own way with its US data privacy law.

The biggest differences between Virginia’s CDPA and California’s CCPA/CPRA are –



The two US data privacy laws offer different models with California’s applying to more businesses than Virginia’s.



With a faster legislative session and, in many ways, a tighter and more straightforward bill in hand, Virginia now offers a different roadmap for US data privacy laws than California’s model.


California’s CCPA/CPRA


First major US data privacy law in effect in California

On January 1, 2020, California became the first state to enact a comprehensive US data privacy law when the California Consumer Privacy Act (CCPA) took effect.

Unlike Virginia’s CDPA, which flew through the state’s legislature, the California Consumer Privacy Act (CCPA) was a grassroots initiative by Alastair Mactaggart of Californians for Consumer Privacy, who drafted an early version of the CCPA as a ballot initiative meant to be included in the November 2018 election.

After heavy industry lobbying, the initiative was watered down and co-written, sponsored, passed unanimously and signed into law on Thursday, June 28, 2018.

Breaking new waves in the US data privacy law landscape, California’s CCPA is the first to empower residents with several rights over their personal information, chief among them the right to opt out of having it sold to third parties (the now-famous requirement for a Do Not Sell link on your website).

This opt out right has become a model for both Virginia’s CDPA and most other US data privacy laws in draft at this moment, and it categorically sets the overall US data privacy law landscape apart from the EU’s General Data Protection Regulation, which operates on a prior consent model – requiring first the explicit consent of users before any personal data can be processed, as opposed to California’s (and Virginia’s) model of post-collection opt outs.



As the first US data privacy law to come into effect, California’s CCPA sparked change across the nation.



Then, in the 2020 General Election, the addendum California Privacy Rights Act (CPRA) was passed as a ballot initiative, bypassing the state legislature that had crafted the CCPA two years before, and now waiting to take effect on January 1, 2023.

California’s CPRA amends and expands the CCPA, e.g. changing the scope to exclude smaller businesses but include larger companies, specifying regulation of behavioral advertisement in the state, empowering California residents with four new data rights, establishing the California Privacy Protection Agency (CPPA) as lead enforcer in the state (rather than the Attorney General) and creating the category of sensitive personal information with stronger protections.

Together, California’s CCPA/CPRA setup –



US data privacy laws on the way


US data privacy laws on the horizon and what they entail

Let’s look at two of the most prominent draft state bills that could be close to being passed, giving us a good overall indication of where the wave of US data privacy law is heading, how it’s spilling over the country and what shapes it takes from state to state.


Washington’s Privacy Act and People’s Privacy Act


Washington state has had two competing draft US data privacy laws in legislative process for a while now - the industry-friendly Washington Privacy Act (WPA) and the stricter Washington People’s Privacy Act (WPPA).

The Washington Privacy Act (WPA) saw its third version, having failed two years in a row in earlier drafts, and so this year’s revised WPA built on the issues of its predecessors – including changes and revisions advocated for by both privacy groups and business lobbies.

The WPA passed the Senate with a vote of 48 to 1 but was ultimately killed in the House of Representatives in early April and, so, failed thrice in a row to become US data privacy law. The lack of a private right of action for consumers in the Washington Privacy Act (WPA) was the point of contention, as in the previous two drafts, and ultimately why it failed to pass the House.

The Washington People’s Privacy Act (WPPA) was introduced in early 2021 as a response to the WPA and is still alive in legislative session (it could become law). It is a much stricter and more privacy-friendly bill that would require opt-in consent similar to the EU’s GDPR before any collection and processing of personal information is allowed to take place.

Let’s have a look at both of Washington’s draft US data privacy laws – how they differ from each other, and the other US data privacy laws in play.


Washington’s Privacy Act (WPA)

The now-failed Washington Privacy Act (WPA) was introduced as Senate Bill 5062 and borrowed from both California’s CCPA/CPRA and the EU’s GDPR for provisions, making it similar to Virginia’s CDPA in some ways.



The failed Washington Privacy Act now has eyes shifting to the opt-in-based People’s Privacy Act – could it become the third comprehensive US data privacy law to be enacted after Virginia’s CDPA?



Washington’s Privacy Act quick breakdown

As noted in the beginning of this section, the Washington Privacy Act (WPA) failed to be passed into law in this year’s legislative session.


See the Washington Privacy Act law text and bill history

See IAPP’s US data privacy law comparison map



Washington People’s Privacy Act (WPPA)

If passed, the Washington People’s Privacy Act (WPPA) would be the first US data privacy law in the country to be opt-in/consent-based, akin to the EU’s General Data Protection Regulation (GDPR) and fundamentally different from California’s CCPA/CPRA model.



The Washington People’s Privacy Act (WPPA) is consent-based like the EU’s GDPR.



The WPPA also introduces a private right of action, unlike the WPA (a main reason for its failing to pass the House of Representatives), and creates the brand-new right to not be subject to surreptitious surveillance, which would prohibit any website or business from activating microphones, cameras or any other sensor on a consumer’s device without privacy notice and prior consent (which would last 90 days after obtaining it).


Washington People’s Privacy Act quick breakdown

Whether the Washington People’s Privacy Act (WPPA) can go the extra mile and be passed into law, unlike the Washington Privacy Act (WPA), remains to be seen.

See the Washington People’s Privacy Act law text and current bill status



Oklahoma’s Computer Data Privacy Act (OCDPA)


Another state moving closer to getting its own US data privacy law is Oklahoma. In early March 2021, Oklahoma’s OCDPA passed its third reading in the state legislature and is currently under Senate consideration.



Oklahoma’s OCDPA would bring end-user prior consent into US data privacy law as a first.



What sets Oklahoma’s OCDPA apart from other prominent US data privacy laws is that it would require prior consent from end-users before your website can collect and process their personal data.

This would be a first in the US data privacy law landscape, bringing it closer to the EU’s General Data Protection Regulation (GDPR) and setting it apart from bills like California’s CCPA/CPRA and Virginia’s CDPA that both rely on an opt out model.

Oklahoma Computer Data Privacy Act (OCDPA) quick breakdown

The Oklahoma Computer Data Privacy Act (OCDPA) is currently in cross-chamber proceedings and can still be amended before being passed.


See the Oklahoma Computer Data Privacy Act law text and current bill status



Summing up on the state of US data privacy laws


Three laws signed, dozens emerging and a push for a federal US data privacy law

The state of US data privacy law is in flux – a flurry of movement is happening across a dozen state legislatures, emboldened by California and Virginia’s data protection achievements, and left to draft their own in the absence of a federal law.

The data privacy wave spilling across the US, triggered by a big public awakening to the issues of data protection and surveillance capitalism in recent years, has created a legal landscape in rapid change, with some states following California’s model to varying degrees (like Virginia’s CDPA and Washington’s Privacy Act) and other states going their own way with an eye fixed on the EU and its strict prior consent model (like Oklahoma’s OCDPA).

Different roads are forking in the US data privacy law landscape, and it remains to be seen which one – if any – a federal bill would follow.

At Cybot, the creators of Cookiebot CMP, we work hard every day to push true end-user consent and data protection to the world through a balanced and sustainable Internet economy. We follow all US data privacy law developments closely, so we can bring our unmatched data privacy expertise to you and your compliance needs in the future.

Cookiebot CMP is a plug-and-play solution offering compliance for your website with all major data protection laws in the world, including California’s CCPA/CPRA.




FAQ


Does the US have data privacy laws?

Websites, companies and organizations located inside Malaysia and who process personal data from Malaysian residents are liable for PDPA compliance. Malaysia’s PDPA does not currently have extraterritorial scope, meaning that it does not apply to anyone outside of Malaysia, and does not prohibit transfers of personal data outside of Malaysia either.



Which US states have data privacy laws?

California and Virginia have data privacy laws. California has two data privacy laws – the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) – while Virginia has the Consumer Data Protection Act (CDPA). Only California’s CCPA is in effect, with the CPRA and CDPA waiting to take effect on January 1, 2023.



What is the difference between Virginia’s data privacy law and California’s?

Virginia’s Consumer Data Protection Act (CDPA) is very similar to California’s CCPA/CPRA model – empowering residents with close to the same rights, including the famous opt out right, and requiring your website to provide users with detailed information on the data you collect and who you share it with. The biggest differences between Virginia’s CDPA and California’s CCPA/CPRA are in scope and enforcement range.



Is the US affected by the EU’s GDPR?

Yes, websites, companies and organizations in the US who process personal data from users inside the EU are required to comply with the EU’s General Data Protection Regulation (GDPR). Before collecting and processing personal data from EU users, websites must first obtain their explicit prior consent.



Resources


IAPP US data privacy law comparison map

Comparison of proposed federal US data privacy laws

Lawmakers says national privacy law is a priority, Wall Street Journal

'States are where the action is' on US privacy legislation, IAPP

A U.S. privacy law seemed possible this Congress. Now, prospects are fading fast, Politico

Learn more about the California Consumer Privacy Act (CCPA)

Learn more about the California Consumer Privacy Rights Act (CPRA)

Virginia passes the Consumer Data Protection Act (CDPA)

Washington Privacy Act (WPA) law text and bill history

See the Washington People’s Privacy Act law text and current bill status

Oklahoma Computer Data Privacy Act (OCDPA) law text and bill status

IAPP on latest Washington Privacy Act developments

IAPP on latest Oklahoma’s OCDPA developments

IAPP on latest Florida Privacy Protection Act developments

Colorado’s Privacy Act overview by Husch Blackwell

6 things to watch for in the US privacy law debate

Over 4 in 5 Voters Want Congress to Prioritize Protection of Online Data
