Updated May 5, 2022.
A data privacy wave is making its way across the US, washing over state legislatures and challenging the adtech industry’s mass-collection of personal data for profit.
In the absence of a federal law, a state-by-state patchwork of data protection bills has begun to take shape. Four major bills have been signed into law so far and, looking to the horizon, dozens more are on their way.
In this blogpost, we gaze out at the rapidly changing landscape of US data privacy law to give you an overview of what’s up and down, and what’s next.
US data privacy laws, in short
US data privacy laws emerge as jagged puzzle
A catalyst for the wave now rolling across the US was the passing of California’s two data privacy bills – the California Consumer Privacy Act (CCPA) in 2018 and the supplementary California Privacy Rights Act (CPRA) in 2020 – setting in motion a ripple-effect across the rest of the country with data protection bills now being drafted in a dozen states.
The speed with which the US data privacy law wave is spreading from state to state also seems to be increasing: it took California several years to get its CCPA/CPRA legal regime in place (and some would argue that it is still a moving target), while Virginia became the second state to enact a comprehensive US data privacy law, the Virginia Consumer Data Protection Act (VCDPA), after a legislative session of less than two months.
After Virginia’s VCDPA and California’s CCPA/CPRA, a dozen US data privacy laws are on the horizon.
Each state’s draft US data privacy law looks different from the next – some with prior consent requirements akin to the EU’s GDPR and others with broader opt-out rights; some with larger scopes and some with sectoral exemptions – and no state has so far simply copied California’s model.
Looming over the prospect of an uneven collage of state-level data protection across the country is the absence of a standardized federal US data privacy law, and the difficult path ahead for getting one passed and enacted.
State-level US data privacy laws springing up left and right across the country will increase the federal momentum, argues Future of Privacy Forum Senior Fellow Peter Swire to IAPP, since a jagged patchwork of state laws with fundamentally different models creates a headache of compliance and competition issues.
Virginia’s Consumer Data Protection Act (VCDPA)
Second major US data privacy law passed in Virginia’s VCDPA
On March 2, 2021, Virginia’s Consumer Data Protection Act (VCDPA) was signed into law, making the Old Dominion the second state to enact a broad and comprehensive US data privacy law (third if you count Nevada’s smaller and more limited SB220, scheduled to be overhauled soon).
Virginia’s Consumer Data Protection Act (VCDPA) came about after a surprisingly short legislative session (less than two months) and borrows provisions and principles from both California’s Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR).
Virginia’s Consumer Data Protection Act (VCDPA) will take effect on January 1, 2023 and will be enforced by the Virginia Attorney General.
Virginia’s VCDPA is the second US data privacy law to be signed into law, taking effect in January 2023.
Virginia’s Consumer Data Protection Act (VCDPA) quick breakdown –
- Virginia’s VCDPA applies to websites and companies that do business in Virginia or offer services or products targeted to Virginia residents and 1) control or process the personal data of at least 100,000 Virginia residents annually or 2) control or process the personal data of at least 25,000 Virginia residents and derive over 50% of their gross annual revenue from the sale of personal data.
- Virginia’s VCDPA defines personal data as any information that is linked or reasonably linkable to an identified or identifiable natural person. The consumer rights to access, correct, delete and obtain a copy of personal data do not apply to pseudonymous data if the information needed to re-identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing it.
- Virginia’s VCDPA defines sensitive data as information about race, ethnicity, sexual orientation, religious beliefs, health and biometric data and more.
- Virginia’s VCDPA defines sale as the exchange of personal data for monetary consideration by a controller to a third party (e.g. your website to an adtech business).
- Virginia’s VCDPA requires you to obtain consent from users before processing any sensitive data. Personal data collected from a known child (under 13) counts as sensitive data and must be processed in accordance with COPPA, i.e. with verifiable parental consent.
- Virginia’s VCDPA requires you to provide a privacy notice to your users, including the categories of personal data that your website processes, the purpose for processing, the categories of personal data that you share with third parties, including the categories of third parties that your website shares personal data with – and, finally, how your users can exercise their CDPA rights under the law (see list of CDPA rights below).
- Virginia’s VCDPA prohibits processing personal data for purposes that are neither disclosed in the privacy notice nor reasonably necessary to or compatible with the disclosed purposes, unless the user’s consent is subsequently obtained. In practice, your privacy notice must state exactly which purposes you process personal data for, and any new purpose requires fresh consent.
- Virginia’s VCDPA requires websites and companies that perform high-risk personal data processing activities (e.g. sale of personal data, targeted advertisement, profiling or processing of sensitive data) to conduct a data protection assessment, documenting both the benefits and the risks associated with such processing.
- Virginia’s VCDPA will be enforced by the Virginia Attorney General and takes effect on January 1, 2023.
- Fines for non-compliance with Virginia’s VCDPA can reach $7,500 per violation. Before seeking penalties, the Attorney General must give the controller or processor written notice and a 30-day period to cure the violation.
Website owners and companies who have dealt with becoming compliant with California’s CCPA over the past two years will likely be familiar with the California Attorney General’s frequently changing draft regulations on enforcement, often the cause for the CCPA to be described as a “moving target” in the data privacy industry.
But, as IAPP notes, Virginia’s VCDPA avoids this process altogether by not including any requirements for rule making. Rather, it rests with the Virginia Attorney General to enforce Virginia’s Consumer Data Protection Act (CDPA) as it’s written, with fines for non-compliance up to $7,500.
A review of potential legislative modifications has been scheduled for later in 2021.
Virginia’s VCDPA rights for Virginia residents
In addition to the quick breakdown overview above, let’s have a look at what rights the second comprehensive US data privacy law brings for Virginia residents.
The Virginia Consumer Data Protection Act (VCDPA) empowers Virginia residents with the following rights –
- Right to access personal data that has been collected
- Right to correct inaccurate or incomplete personal data
- Right to have collected personal data deleted
- Right to opt out of having their personal data processed for targeted advertisement
- Right to opt out of having their personal data sold
- Right to opt out of having their personal data processed for profiling in furtherance of decisions that produce legal or similarly significant effects concerning them (profiling meaning automated processing used to evaluate or predict aspects such as a person’s economic situation, health, preferences, interests, reliability, behavior or location)
- Right of portability (i.e. the right to obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format)
Virginia’s Consumer Data Protection Act (VCDPA) builds on the waves of data privacy legislation that have washed over the world in the past years, most notably California’s CCPA and the EU’s GDPR.
Building on the first comprehensive US data privacy law, California’s CCPA, Virginia’s VCDPA also empowers state residents with the right to opt out of having personal data sold to third parties. Interestingly, it goes a step further than the original CCPA by also letting users opt out of targeted advertising and of profiling that feeds decisions with legal or similarly significant effects (California’s CPRA later added a comparable opt-out of “sharing” for cross-context behavioral advertising).
US data privacy laws are shaping up in many states simultaneously, forming a patchwork of state-by-state data protection across America in the absence of a federal data privacy law.
Virginia’s VCDPA vs EU’s GDPR
Looking across the Atlantic, Virginia’s VCDPA borrows provisions from another major piece of data privacy legislation, namely the EU’s GDPR.
Like the EU’s GDPR, Virginia’s VCDPA requires you to obtain explicit and affirmative consent from your website’s users before processing sensitive data. This makes the VCDPA’s consent provision broader and stricter than California’s CCPA/CPRA, where opt-in consent is only required for selling or sharing the personal information of consumers under 16; for sensitive data, California instead gives users a right to limit its use.
The VCDPA’s definition of consent closely tracks the EU’s GDPR, requiring “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement” to constitute a valid end-user consent.
Also inspired by the EU’s GDPR, Virginia’s VCDPA requires you to perform data protection assessments for so-called “high risk processing” of personal data, which covers if you engage in targeted advertisement, the selling of personal data and profiling (though a bit different in practice from the GDPR’s provision).
Virginia’s VCDPA vs California’s CCPA
When comparing Virginia’s VCDPA to California’s CCPA/CPRA, as we did in the introduction of this article, it becomes clear that (although inspired by California’s model) Virginia has gone its own way with its US data privacy law.
The biggest differences between Virginia’s VCDPA and California’s CCPA/CPRA are –
- Scope: California’s CCPA/CPRA applies to many more websites and businesses than Virginia’s CDPA.
- Personal data: Virginia’s VCDPA excludes a much larger part of end-user’s data, since its definition of what is publicly available is much broader than California’s CCPA/CPRA.
- Fines and enforcement: Virginia’s VCDPA comes with stiffer administrative penalties than California’s CCPA/CPRA. Virginia allows up to $7,500 per violation regardless of intent and also opens up recovery of reasonable legal fees and investigative costs, whereas California’s penalties are $2,500 per violation and $7,500 only for intentional violations (and, under the CPRA, violations involving consumers under 16). On the other hand, California allows a private right of action for data breaches that can grant end-users $100 to $750 per consumer per incident, which Virginia does not.
- Sale: Virginia’s VCDPA has a narrower definition of sale, defining it as “the exchange of personal data for monetary consideration by the controller to a third party”, whereas California’s CCPA covers selling, renting, releasing, disclosing, disseminating, making available or otherwise communicating personal information to a third party for monetary or other valuable consideration.
- Rights: Virginia’s VCDPA empowers Virginia residents with broader opt-out rights than California’s original CCPA, creating a way for end-users in Virginia to not only opt out of the sale of their personal information, but also specifically opt out of targeted advertising and of profiling in furtherance of decisions that produce legal or similarly significant effects.
The two US data privacy laws offer different models with California’s applying to more businesses than Virginia’s.
With a faster legislative session and a bill that is, in many ways, tighter and more straightforward, Virginia now offers a different roadmap for US data privacy laws than California’s model.
Colorado’s Privacy Act (CPA)
Newest major US data privacy law passed in Colorado’s CPA
On July 7, 2021, the state of Colorado officially enacted the Colorado Privacy Act (CPA), making the Centennial State the third state to enact a broad and comprehensive US data privacy law, following California in 2018 and Virginia earlier in 2021.
The enactment of Colorado’s CPA is a continuation of the trend of state legislatures directing the progress of the general consumer data privacy framework in the U.S.
Colorado’s Privacy Act will take effect on July 1, 2023.
Colorado’s Privacy Act (CPA) – quick breakdown –
- Colorado’s CPA protects Colorado residents, referred to as consumers, and imposes data protection requirements on entities that 1) conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado, and 2) either control or process the personal data of at least 100,000 consumers a year, or control or process the personal data of at least 25,000 consumers and derive revenue or receive a discount on the price of goods or services from the sale of personal data. Unlike California’s CCPA/CPRA, there is no revenue threshold.
- Colorado’s CPA defines personal data as information that is linked or reasonably linkable to an identified or identifiable individual.
- Colorado’s CPA defines sensitive data as personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; genetic or biometric data processed to uniquely identify an individual; and personal data from a known child.
- Colorado’s CPA defines a controller as a person that determines the purposes for and means of processing personal data.
- Colorado’s CPA defines a processor as a person that processes personal data on behalf of the controller. The CPA requires them to adhere to the controller’s instructions and cooperate with the controller to comply with its obligations under the act.
- Colorado’s CPA broadly defines sale as the exchange of personal data for monetary or other valuable consideration by a controller to a third party, which is similarly broadly defined under the California Privacy Law (CCPA).
- Colorado’s CPA imposes a strict opt-in consent standard for secondary uses of personal data as well as the processing of sensitive data. Consent is defined as a clear and affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement. This aligns with the EU’s GDPR and Virginia’s CDPA. Additionally, parental consent is required to process data of a consumer under the age of 13.
- Colorado’s CPA does not exempt non-profit organizations from its scope, unlike other state data privacy legislations.
- Colorado’s CPA will be enforced by the Colorado Attorney General and district attorneys and takes effect on July 1, 2023.
Colorado became the third state to enact a broad and comprehensive US data privacy law.
Colorado’s CPA rights for Colorado consumers
After the quick breakdown, let’s now look at what rights the third comprehensive US data privacy law brings for Colorado consumers.
The Colorado Privacy Act (CPA) empowers Colorado consumers with the following five rights –
- Right of Access. The consumers in Colorado are entitled to confirm whether a controller is processing personal data about them, and if so, access their personal data.
- Right to correction. If the consumers have had personal data processed, they have the right to correct any inaccuracies in their data. This right also takes into account the nature of the personal data and the purpose of the processing.
- Right to data portability. Consumers have the right to obtain their personal data in a portable and, to the extent technically feasible, readily usable format that lets them transmit the data to another entity without hindrance.
- Right to delete. The consumers have the right to delete personal data concerning themselves.
- Right to opt out. Consumers have the right to opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning them.
Not unlike Virginia’s CDPA, the CPA also gives the consumers the right to appeal a business’ denial to take action within a reasonable time period. Under the CPA, a business has to respond to a consumer request within 45 days.
If a business fails to take action, the CPA dictates that the controller provide an appeal process that must be visibly available and easy to use.
Obligations of Colorado’s CPA
Colorado’s CPA places its obligations on the controller, i.e. the entity that determines the purposes for and means of processing personal data. These obligations are similar to the ones defined in California’s CCPA and Virginia’s VCDPA.
The obligations in more detail:
- Obligation of transparency. Colorado’s CPA dictates that the controller provide its consumers with a clear, reasonably understandable and meaningful privacy notice.
- The notice needs to include the purpose of processing the data, how to exercise rights and appeal, categories of personal information shared, categories of third parties the data has been shared with and categories collected or processed by the controller.
- Obligation of care. Colorado’s CPA requires that the controller take reasonable measures to secure personal data during both storage and use from unauthorized acquisition, appropriate to the volume, scope and nature of the data being processed.
- Obligation of purpose specification. Under Colorado’s CPA, a controller is obliged to specify the explicit purposes for which the personal data are collected and processed.
- Obligation of data minimization. The controllers are required to limit their collection of personal data to what is reasonably necessary. This needs to be in relation to the specified purposes for which data are processed and it must be adequate and relevant.
- Obligation regarding sensitive data. Controllers need to obtain a freely given, specific, informed and unambiguous consent from consumers if they wish to process sensitive data. Otherwise, such processing is prohibited.
- Obligation to avoid unlawful discrimination. Controllers are under Colorado’s CPA prohibited from processing personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers.
Besides these obligations, any processing carried out by a processor on the controller’s behalf must be governed by a contract between the controller and the processor.
The purpose of the contract is to establish the processing instructions to which the processor is bound, including the nature and purpose of the processing, its duration and the type of data processed. Similar requirements are stated in the EU’s GDPR and Virginia’s VCDPA as well.
Overall, Colorado’s CPA is not a trailblazer in the data privacy world, but its significance is reflected in the growing trend of enhanced consumer privacy protections in the US and by the fact that it is one of the first ones to be enacted.
If you were to compare it with the ones in California and Virginia, the Colorado CPA is probably a bit harsher than Virginia’s CDPA and a bit more moderate than California’s CCPA.
First major US data privacy law in effect in California
On January 1, 2020, California became the first state with a comprehensive US data privacy law in effect when the California Consumer Privacy Act (CCPA), enacted in 2018, took effect.
Unlike Virginia’s VCDPA, which flew through the state’s legislature, the California Consumer Privacy Act (CCPA) started as a grassroots initiative by Alastair Mactaggart of Californians for Consumer Privacy, who drafted an early version of the CCPA as a ballot initiative meant for the November 2018 election.
After heavy industry lobbying, a watered-down legislative version (AB 375) was co-written and sponsored, passed unanimously and signed into law on Thursday, June 28, 2018, in exchange for the ballot initiative being withdrawn.
Breaking new waves in the US data privacy law landscape, California’s CCPA is the first to empower residents with several rights over their personal information, chief among them the right to opt out of having it sold to third parties (the now-famous requirement for a Do Not Sell link on your website).
This opt-out right has become a model for both Virginia’s VCDPA and most other US data privacy laws in draft at this moment, and it sets the overall US data privacy law landscape apart from the EU’s General Data Protection Regulation, which in practice operates on a prior consent model for website tracking, requiring users’ explicit consent before cookies and similar trackers collect their personal data, as opposed to California’s (and Virginia’s) model of post-collection opt-outs.
As the first US data privacy law to come into effect, California’s CCPA sparked change across the nation.
Then, in the 2020 General Election, the California Privacy Rights Act (CPRA) was passed as a ballot initiative, bypassing the state legislature that had crafted the CCPA two years before. It takes effect on January 1, 2023, with enforcement beginning July 1, 2023.
California’s CPRA amends and expands the CCPA, e.g. changing the scope to exclude smaller businesses but include larger companies, regulating cross-context behavioral advertising (the “sharing” of personal information) in the state, empowering California residents with four new data rights, establishing the California Privacy Protection Agency (CPPA) as lead enforcer in the state (rather than the Attorney General) and creating the category of sensitive personal information with stronger protections.
Together, California’s CCPA/CPRA setup –
- Empowers California residents with nine data rights, including the right to correction, the right to opt out of data sales and sharing, the right to opt out of automated decision-making, the right to delete, the right to know and the right to data portability.
- Applies to for-profit businesses doing business in California that meet at least one of the following: annual gross revenue exceeding $25 million; 50% or more of annual revenue derived from selling or sharing consumers’ personal information; or buying, selling or sharing the personal information of 100,000 or more consumers or households per year.
- Requires your website to provide a notice to end-users at or before the point of collection informing the consumer of the categories of personal information that the company collects and for what purpose.
- Requires your website, if it sells or shares personal information or uses sensitive personal information beyond the purposes the law permits, to feature the links Do Not Sell or Share My Personal Information and Limit the Use of My Sensitive Personal Information, through which end-users can exercise their opt-out rights.
- Gives end-users the right to limit the use and disclosure of their sensitive personal information, including data on race, ethnicity, religious belief, political convictions, health, precise geolocation, sexual orientation and more, to what is necessary to provide the requested goods or services. Opt-in consent is only required before selling or sharing the personal information of consumers under 16.
Summing up on the state of US data privacy laws
Four laws signed, dozens emerging and a push for a federal US data privacy law
The state of US data privacy law is in flux – a flurry of movement is happening across a dozen state legislatures, emboldened by California, Virginia and Colorado’s data protection achievements, and left to draft their own in the absence of a federal law.
The data privacy wave spilling across the US, triggered by a big public awakening to the issues of data protection and surveillance capitalism in recent years, has created a legal landscape in rapid change, with some states following California’s model to varying degrees (like Virginia’s VCDPA and Washington’s proposed Privacy Act) and other states going their own way with an eye fixed on the EU and its strict prior consent model (like Oklahoma’s proposed OCDPA).
Different roads are forking in the US data privacy law landscape, and it remains to be seen which one – if any – a federal bill would follow.
At Usercentrics, the creators of Cookiebot CMP, we work hard every day to push true end-user consent and data protection to the world through a balanced and sustainable Internet economy. We follow all US data privacy law developments closely, so we can bring our unmatched data privacy expertise to you and your compliance needs in the future.
Cookiebot CMP is a plug-and-play solution offering compliance for your website with all major data protection laws in the world, including California’s CCPA/CPRA.
Try Cookiebot CMP free for 30 days – or forever if you have a small website.
Does the US have data privacy laws?
Yes, the US has several state-level data privacy laws that regulate and protect end-user personal information in their respective states. While the US does not have a federal data privacy law, Colorado’s Privacy Act (CPA), Virginia’s Consumer Data Protection Act (VCDPA) and California’s Consumer Privacy Act (CCPA) and Privacy Rights Act (CPRA) have been passed and signed, with California’s CCPA in effect today.
Which US states have data privacy laws?
California, Virginia and Colorado have data privacy laws. California has two: the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Virginia has the Consumer Data Protection Act (VCDPA) and Colorado has the Colorado Privacy Act (CPA). Only California’s CCPA is in effect; the CPRA and VCDPA take effect on January 1, 2023 and Colorado’s CPA on July 1, 2023.
What is the difference between Virginia’s data privacy law and California?
Virginia’s Consumer Data Protection Act (VCDPA) is very similar to California’s CCPA/CPRA model, empowering residents with close to the same rights, including the famous opt-out right, and requiring your website to provide users with detailed information on the data you collect and who you share it with. The biggest differences between Virginia’s VCDPA and California’s CCPA/CPRA are their scope and enforcement.
Is the US affected by the EU’s GDPR?
Yes, websites, companies and organizations in the US that offer goods or services to, or monitor the behavior of, people in the EU and process their personal data are required to comply with the EU’s General Data Protection Regulation (GDPR). Under the GDPR, every processing activity needs a lawful basis, and for cookies and similar trackers the ePrivacy Directive makes that basis the user’s explicit prior consent, obtained before the trackers are set and personal data is collected.