Data Privacy Day is coming up on January 28th this year and to celebrate, we thought we'd take a fresh look at the status of data privacy regulation in the United States. In today's digital age, data is a valuable asset for businesses. With the increasing amount of personally identifiable information (PII) being collected and shared, keeping apprised of data privacy laws is critical.
Many U.S. states have followed the lead of the European Union's General Data Protection Regulation (GDPR) implemented in 2018 and taken steps to ensure data protection for their residents. This article discusses data privacy laws by state, including those currently in effect, in the legislative process, and those currently in discussion, as well as notes on how to avoid violations and penalties.
Several states' regulations go into effect this year and next year, so keep reading to see which ones apply to your business, as well as how you can quickly get your organization into compliance.
As of the publication of this article, there are no data privacy laws at the national level in the United States, but several states are enacting comprehensive data privacy legislation, and several already have privacy laws in effect.
Below is a breakdown of the current data privacy laws in the United States in chronological order (as of 12 January 2024).
The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, and was the first data privacy law at the state level in the United States. The CCPA was designed to enhance California residents' privacy rights and consumer protection. It gives consumers more control over their personal information and requires businesses to be transparent about their data collection and usage practices.
Under the CCPA, consumers can know what personal information companies collect, request deletion, and opt out of selling their personal data. Businesses are required to provide clear and accessible privacy policies that explain how they collect, use, and share personal information.
Businesses with an annual revenue of $25 million or more that process the personal data of 100,000 California residents or derive 50% or more of their revenue from the sale of personal data must comply with the CCPA. Businesses not complying can be sued by individual residents for up to $750 per violation after a 30-day cure period.
For serious violations the Attorney General or the California Privacy Protection Agency can take legal action.
The CCPA and the EU's General Data Protection Regulation (GDPR) likely served as models for the rest of the states' privacy laws, as many others have language similar to the GDPR and CCPA.
Maine was the second state to pass a law protecting user data, but it applies specifically to internet providers. Maine enacted a law called "An Act To Protect the Privacy of Online Customer Information." It took effect on July 1, 2020, and focuses on safeguarding the personal information of customers using broadband Internet access services.
This act prohibits companies that offer broadband internet in Maine (referred to as "providers") from using, disclosing, selling, or permitting access to customers' personal information unless they have express permission from the customer.
Providers must take reasonable measures to secure customers' personal information. Additionally, providers must provide clear and conspicuous notices to customers about their rights and the provider's obligations at the point of sale and on publicly accessible websites.
The Virginia Consumer Data Protection Act (VCDPA), effective as of January 1, 2023, applies to organizations conducting business in the Commonwealth of Virginia or targeting residents of Virginia. The VCDPA applies to businesses that have data of at least 100,000 consumers or derive over 50% of gross revenue from the sale of personal data.
Under the VCDPA, consumers can confirm, correct, delete, and obtain their personal data. Businesses must respond to consumer requests within specified time frames, provide information free of charge twice annually, and establish appeal processes.
Controllers (those determining data processing purposes) and processors (those processing data on behalf of controllers) must adhere to responsibilities, including limiting data collection, ensuring data security, and providing transparent privacy notices.
The Protect Personal Data Privacy Act (commonly referred to as the Colorado Privacy Act (CPA)) was signed into law on July 7, 2021, and is part of the State of Colorado Consumer Protection Act. It became effective on July 1, 2023. It applies to all entities that operate in Colorado or target its residents and that either target more than 100,000 consumers annually or sell the data of 25,000 or more Colorado residents.
Like the California Consumer Privacy Act (CCPA), the CPA grants consumers the right to know what personal information companies collect, request deletion of their personal information, and opt out of selling their personal information.
Failure to comply with the CPA can result in a $20,000 penalty per violation if it cannot be resolved within the 60-day cure period. The penalty cap of $500,000 is much higher than in most states.
Like the CPA, the Connecticut Data Privacy Act (CTDPA) became effective on July 1, 2023. It provides Connecticut residents with various rights concerning their data. These rights encompass the ability to access, correct, and delete their personal information and obtain a portable copy of their data.
Additionally, the CTDPA grants residents the right to opt out of the sale of their personal data, the processing of data for targeted advertising, and profiling that may have legal or significant consequences.
The CTDPA only applies to businesses that meet specific criteria, including processing personal data of at least 100,000 consumers or 25,000 consumers while deriving over 25% of gross revenue from the sale of personal data.
The Utah Consumer Privacy Act (UCPA), effective as of December 31, 2023, applies to controllers or processors conducting business in Utah or targeting residents of Utah. The law is unique because it only applies to controllers or processors with annual revenue of $25 million or more that process the personal data of 100,000 or more consumers or derive over 50% of gross revenue from selling personal data.
Like the other privacy laws discussed in this article, the UCPA gives consumers the right to confirm whether a company is processing their personal data, to access that data, to delete personal data they provided to the controller, to obtain a copy of their personal data in a portable format, and to opt out of processing for targeted advertising or the sale of personal data.
Several states have passed data privacy laws that are waiting to come into effect. Here is a breakdown of the upcoming laws in chronological order.
The Florida Digital Bill of Rights (FDBR) will become effective on July 1, 2024. It aligns with the "Virginia model" but introduces unique features. The law is unique because it only applies to businesses with over $1 billion in revenue that either derive 50% of their revenue from selling advertisements, operate an intelligent voice service, or own an app distribution platform that distributes at least 250,000 different applications.
Consumers have the right to access, correct, request deletion, and request a copy of personal data, with a 45-day response time frame for controllers. Notably, there's no private right of action; enforcement lies with the Department of Legal Affairs, which can impose penalties of up to $50,000 per violation.
Oregon's new consumer privacy law, the Oregon Consumer Privacy Act (OCPA), will also take effect on July 1, 2024. The OCPA applies to controllers conducting business in Oregon or targeting Oregon residents. It applies to businesses that handle personal data of at least 100,000 residents or 25,000 residents with over 25% gross revenue from data sales.
As under other states’ laws, consumers under the OCPA gain rights such as data access, correction, deletion, and opt-out from targeted advertising, data sales, or profiling. Controllers must respond to requests within 45 days, and there is an appeal process. Nonprofits must also comply starting on July 1, 2025. The Oregon Attorney General will enforce the OCPA, and violations can lead to civil penalties of $7,500 per violation.
The Tennessee Information Protection Act (TIPA) will take effect on July 1, 2025. TIPA applies to businesses with over $25 million in annual revenue. Entities must also process the personal information of at least 25,000 consumers and derive over 50% of revenue from data sales or process the personal information of at least 175,000 consumers.
TIPA introduces a business-friendly approach, aligning with the Virginia, Utah, and Iowa laws. Notably, it allows a safe harbor for controllers and processors adhering to a privacy program that conforms to the National Institute of Standards and Technology (NIST) Privacy Framework or equivalent policies.
The Tennessee Attorney General enforces TIPA, issues notices, provides a 60-day cure period, and seeks civil penalties of $7,500 per violation.
The Texas Data Privacy and Security Act (TDPSA), to take effect on July 1, 2024, signifies Texas' entry into comprehensive consumer data privacy legislation. TDPSA is unique in that it applies to entities conducting business in Texas or processing personal data but excludes "small businesses" as defined by the U.S. Small Business Administration.
This adds a complex twist as the definition of a "small business" varies by industry. Additionally, unlike other states like Virginia and Utah, the TDPSA does not have a specific threshold based on processed personal data or annual revenue. This lack of threshold may impact many businesses that conduct business in Texas.
Montana's Consumer Data Privacy Act (MTCDPA) becomes effective on October 1, 2024. Like the Connecticut Data Privacy Act, the MTCDPA grants consumers the ability to revoke data processing consent and request the deletion of personal data.
It prohibits businesses from selling or processing personal data for targeted advertising without consent, particularly for minors aged 13 to 16, similar to California’s and Connecticut's privacy protections for this age group.
The MTCDPA applies to companies engaged in Montana business or targeting Montana residents that process data for 50,000 residents or 25,000 residents with over 25% revenue from data sales. Exemptions include government entities, nonprofits, higher education institutions, and certain “covered entities” that abide by HIPAA.
The Iowa Act Relating to Consumer Data Protection (ICDPA) will be effective on January 1, 2025. Under the ICDPA, consumers gain the right to opt out of the processing of personal data for sale or targeted advertisements, mirroring provisions in the VCDPA and CPA. However, unlike the VCDPA and CPA, consumers lack the right to opt out of profiling.
The law requires controllers to establish contracts with processors, outlining data processing instructions and obligations, with the ability for controllers to request the deletion or return of personal data. Sensitive data processing mandates notice and opt-out options for consumers.
The ICDPA applies to controllers involved in Iowa business or targeting Iowa consumers that control or process the personal data of at least 100,000 Iowan consumers or derive over 50% of revenue from selling the personal data of at least 25,000 Iowan consumers.
Notably, the ICDPA does not impose a minimum annual revenue threshold, potentially subjecting smaller businesses to compliance. The ICDPA grants controllers a generous 90-day cure period to correct alleged violations, the longest among current U.S. privacy laws.
The Delaware Personal Data Privacy Act (DPDPA) will also become effective on January 1, 2025. It applies to businesses operating in Delaware or targeting its residents, and it has the lowest threshold of all U.S. state laws to date.
It applies to businesses that process the data of only 35,000 or more Delaware residents (compared to the 175,000 threshold in Tennessee) or 10,000 residents with over 20% of revenue from data sales.
The DPDPA has notable provisions, including broad applicability to nonprofits, the absence of a HIPAA entity-level exemption, the introduction of universal opt-out mechanisms, and specific consumer rights like data access, correction, deletion, and opt-out options.
The Indiana Consumer Data Protection Act (INCDPA) is the latest of current state laws, taking effect on January 1, 2026. The INCDPA applies to controllers and processors conducting business in Indiana or targeting its residents and that process data of 100,000 Indiana residents or 25,000 Indiana residents and derive over 50% of their revenue from selling personal data.
However, the INCDPA does not feature a minimum annual revenue threshold, so relatively small businesses could still be subject to its provisions. Obligations for controllers and processors involve data minimization, security practices, nondiscrimination, and transparency.
The law grants the Indiana Attorney General enforcement authority, allowing civil penalties of up to $7,500 per violation, with a 30-day cure period.
Numerous states are considering data privacy legislation and have bills currently in progress as of January 12, 2024. Below are the states and the names of their respective bills.
Navigating the intricate landscape of data privacy laws in the United States poses a significant challenge for businesses. By 2026, twenty-five states will have privacy laws in effect, and many have unique stipulations.
Failure to abide by each state's privacy laws can incur a minimum fine of $750 per violation and up to $50,000 per violation. Most states have a "cure" period to rectify the violation, but an inability to do so within the time frame can result in catastrophic financial hardship.
Keep in mind, too, that data privacy law compliance is not just an IT issue; it’s more complex than that. It requires an integral view of how data is captured, processed and stored, as well as how the company communicates with the people whose data are being captured (data subjects). A holistic approach is required for a solution that will best protect the interests of both the company and the data subjects.
Personally identifiable information (PII) permeates through the organization; it is not confined to the system or application that initially captured the data. Rather, the data finds its way to other systems (including external systems owned by partners and vendors) and reports through enterprise data integrations, so it is critical to understand the upstream and downstream paths of the PII. When a customer is expected to be able to make one request to delete or export personal data, it is the responsibility of the enterprise to retrace the path of data to delete or export, including inside reporting systems.
The complexity of this cannot be overstated: it may have taken years to build these integrations between platforms, and the expectation is now to deliver a capability to trace and delete that same information through the maze of systems.
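As an added illustration of the lineage tracing described above (this is not code from the article, nor iTalent Digital's iAgent), the Python below builds a constructed inventory of systems and integration flows, walks every system downstream of the one that first captured the data, and turns a single deletion request into a per-system action list. External vendor systems are flagged for a vendor instruction rather than a direct purge, the walk tolerates cycles between systems, and any system that holds the subject's data but sits on no known integration path is reported as a gap in the lineage map. All system names, flows and record locations are made-up sample data.

```python
"""Trace one data subject's PII through enterprise integrations.

Added example; the systems, flows and holdings below are constructed
sample data standing in for a real PII data inventory.
"""
from collections import deque

# Constructed inventory: "external" systems belong to partners or vendors
# and cannot be purged directly, so they get a deletion instruction instead.
SYSTEMS = {
    "crm":          {"owner": "internal"},
    "billing":      {"owner": "internal"},
    "warehouse":    {"owner": "internal"},  # analytics store fed by CRM and billing
    "bi_reports":   {"owner": "internal"},  # reports built on the warehouse
    "email_vendor": {"owner": "external"},  # third-party mailing service
    "support_desk": {"owner": "internal"},
}

# Constructed integrations as (source, destination) data flows.
# The CRM <-> support desk pair forms a cycle a naive walk would loop on.
FLOWS = [
    ("crm", "billing"),
    ("crm", "warehouse"),
    ("billing", "warehouse"),
    ("warehouse", "bi_reports"),
    ("crm", "email_vendor"),
    ("crm", "support_desk"),
    ("support_desk", "crm"),
]

# Constructed scan results: which subject ids each system actually stores.
# "legacy_export" is a forgotten file share that no integration feeds.
HOLDINGS = {
    "crm": {"u-1001", "u-1002"},
    "billing": {"u-1001"},
    "warehouse": {"u-1001", "u-1002"},
    "bi_reports": {"u-1001"},
    "email_vendor": {"u-1001"},
    "support_desk": {"u-1002"},
    "legacy_export": {"u-1001"},
}


def build_graph(flows):
    """Adjacency list: system -> list of systems it sends data to."""
    graph = {name: [] for name in SYSTEMS}
    for src, dst in flows:
        graph.setdefault(src, []).append(dst)
    return graph


def downstream_of(graph, origins):
    """All systems reachable from the systems that first captured the data.

    Breadth-first search with a visited set, so cycles terminate.
    """
    seen = set(origins)
    queue = deque(origins)
    while queue:
        current = queue.popleft()
        for nxt in graph.get(current, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def build_request_plan(subject_id, origins, holdings, graph):
    """Turn one deletion request into per-system actions.

    Returns (plan, gaps): `plan` is a sorted list of (system, action) for
    every reachable system holding the subject; `gaps` lists systems that
    hold the subject but are not on any known integration path, i.e. places
    the lineage map does not explain and that need investigation.
    """
    reachable = downstream_of(graph, origins)
    plan = []
    for system in sorted(reachable):
        if subject_id not in holdings.get(system, set()):
            continue
        owner = SYSTEMS.get(system, {}).get("owner", "external")
        action = "delete" if owner == "internal" else "instruct_vendor_delete"
        plan.append((system, action))
    gaps = sorted(
        s for s, ids in holdings.items() if subject_id in ids and s not in reachable
    )
    return plan, gaps


if __name__ == "__main__":
    plan, gaps = build_request_plan("u-1001", ["crm"], HOLDINGS, build_graph(FLOWS))
    for system, action in plan:
        print(f"{system:14s} {action}")
    if gaps:
        print("lineage gaps (data found outside known flows):", ", ".join(gaps))
```

The gap list is the part worth keeping an eye on: a deletion workflow that only follows the documented integrations silently misses copies that reached a system some other way, so a scan of actual holdings should always be reconciled against the lineage walk before a request is closed.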
iTalent Digital's iAgent for Privacy Protection uses AI, data forensics, and automation to seek out and delete PII across the enterprise ecosystem. Beginning with a comprehensive assessment of personal data within your applications or systems, iTalent Digital tailors iAgent to specific scenarios and unique requirements.
This customization includes providing a PII data inventory, data typing, tagging, classification, and configuring tailored data- and application-specific policies. Each customer request triggers necessary actions to ensure compliance across target systems and repositories.
Rather than tracing each state's requirements, let our AI-powered iAgent ensure you follow data privacy best practices.
To learn more about our iAgent, contact me at dataprotect@italentdigital.com.