Top US State Data Privacy Laws To Watch Out For in 2024

The digital era has brought new levels of attention to the privacy debate. From big data breaches at Fortune 500 companies to small-scale fraud, it’s clear public perception is rapidly changing.

Just how much has this perception changed? In 2021, a survey by Morning Consult revealed that 83% of Americans supported the idea that the U.S. House of Representatives should create a national standard for data privacy. Additionally, 75% of voters believe this is a state-level issue.

Regardless—one takeaway was clear: the general public understands how important privacy laws are, which has led governments at all levels to start exploring how they can implement them.

So, what are the new privacy laws? What should your business know to prepare for them? And how do they fit in with the information security landscape of today?

In this article, we’ll cover the basics of US state data privacy laws, who the top states with strong privacy laws are, the immense progress of 2023, and what to expect in 2024.


Data Privacy in the United States: A Quick Overview

The United States has its own set of data privacy standards that businesses must understand, follow, and comply with. It is quite different from the European Union’s EU-wide General Data Protection Regulation, as most of these regulations come from the individual states.

Data privacy standards are changing across the country. Now more than ever, individual states are rapidly exploring how to regulate data privacy to better protect consumers.

Because the market is shaped by these laws, it’s important for organizations to keep track of what’s happening.

Understanding Current Federal Privacy Regulations

Before we get into what the states are doing, we should cover some of the federal-level US data privacy laws first.

  • The US Privacy Act of 1974: Put restrictions on the data that government agencies collected. At the time, computer databases were becoming a new technology, and lawmakers wanted to cover any potential abuses of the new resource. Citizens had the ability to see their own data held by the government, and the agencies themselves had limits on how much information they could collect and could only access data on a “need to know” basis.
  • Health Insurance Portability and Accountability Act (HIPAA): Well known in the medical community as the data security standard for health insurance information. Passed in 1996, it is broken down into two main components: the Security Rule for data protection and the Privacy Rule for data confidentiality. The “data” in this case refers to protected health information (PHI). HIPAA is notoriously complex about delegating who has permission to access PHI; in practice it works much like role-based access control.
  • Gramm-Leach-Bliley Act (GLBA): Applies to the banking and financial sector to secure nonpublic personal information. However, it has received quite a bit of criticism for its poor coverage and presence of loopholes. Time will tell how GLBA will update itself to match modern-day standards.
  • Children’s Online Privacy Protection Act (COPPA): As its name suggests, prevents businesses from collecting the personal information of children under the age of 13 without parental consent. COPPA has had a few data privacy updates over the years to expand its protections to email addresses, screen names, photographs, and even GPS coordinates.

While these data privacy laws apply to all the states through the federal government, the individual states do most of the heavy lifting when it comes to privacy and information security in the digital age.

New data privacy regulations, together with updates for existing state privacy laws will be coming into effect in 2023 for the states of Connecticut, Utah, Virginia, Colorado and California. They are leading the pack and shaping the future of personal information security in the United States.

Top privacy laws 2024

#1 – California Privacy Rights Act (CPRA) 

Coming into effect on January 1, 2023

We have to start with one of the forerunners and most comprehensive examples of online privacy regulation, the California Consumer Privacy Act (CCPA) signed in 2018. The rules include:

  • A data subject access request (DSAR) where customers can see exactly what pieces of information a business holds about them.
  • A ban on a business’s ability to sell personal information without providing an online notice.
  • A requirement that customers have an opportunity to opt-out of the collection.
  • Data must be deleted upon request in most cases.
  • Lawsuits by customers against companies that leak data through breaches are now more feasible.

CCPA applies to any business that meets the following criteria:

  • Generating $25 million in annual gross revenue
  • Handling records for at least 50,000 California residents
  • Generating over 50% of annual revenue from consumer data sales

Keep in mind, the threshold and requirements are subject to change as data privacy laws evolve.

CCPA also has a rather broad definition of “personal information,” which includes browsing history, emails, GPS coordinates, biometric data, and basically anything that can be linked to you either directly or indirectly.

The concept of “probabilistic identifiers” states that any combination of data that has an over 50% chance of being connected with you is protected under the law, though enforcement of these identifiers is going to be subject to attorney discretion.

In 2023, CCPA will be enhanced by another set of regulations known as the California Privacy Rights Act (CPRA), which will:

  • Add extra limitations on especially sensitive information like social security numbers and driver’s license numbers.
  • Provide consumers with opt-out rights in relation to “sensitive personal information.”
  • Give consumers the right to make corrections to their own information.
  • Close legal loopholes that allowed businesses to use consumer data for targeted advertising without proper opt-out opportunities.

Because of its comprehensiveness and lack of a federal equivalent, California’s data privacy guidelines are often used as a guiding framework by other states also looking to implement their own privacy protection laws.

#2 – Virginia Consumer Data Protection Act (VCDPA)

Coming into effect on January 1, 2023

The Virginia Consumer Data Protection Act (VCDPA) was developed to provide fundamental protections for consumers and clearly define the obligations of businesses to ensure that protection. The law provides guidelines that pave a smooth path toward compliance, without imposing overly complicated requirements.

Under the VCDPA, customers have the right to view their data and to ask corporations to erase their personal information. Additionally, it mandates that businesses carry out data protection assessments when processing personal data for targeted marketing and sales efforts.

Entities operating businesses in Virginia fall under the law if they meet one of two thresholds:

Entities must control or process:

  • the personal data of at least 100,000 consumers in a calendar year, or 
  • the personal data of at least 25,000 consumers, while deriving over 50 percent of gross revenue from the sale of that data.

The CDPA provides consumers with 6 definitive rights. Notably, the CDPA fails to provide any exceptions to these rights. The bulleted list below constitutes the law’s discussion of consumer rights in its entirety. Thus, where a consumer chooses to practice these rights, a business must comply, regardless of the impracticability or hardship to fulfill the request.  

Right to access: Consumers have the right to confirm whether a controller is processing their data and have the right to access their data.

Right to correct: Consumers have the right to correct inaccurate information in the consumer’s collected personal data.

Right to delete: Consumers have the right to opt to delete personal data that they provided or that was obtained about them.

Right to data portability: Consumers have the right to obtain a copy of their data in a portable, user-friendly format.

Right to opt-out of data processing: Consumers have the right to disallow the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Right to appeal: The final right the CDPA provides to consumers is the right to appeal a business’s denial to accommodate their rights within a reasonable time. The law requires that businesses respond to a consumer request within 45 days of receipt. Where reasonably necessary, the timeframe may be extended by an additional 45 days, with the condition that they notify the consumer within the initial response window.

Companies must advise customers of their rights under the VCDPA and establish a process for them to exercise those rights. In addition, companies subject to the law are required to acquire consent before collecting and processing certain types of sensitive personal data, including information about a person’s exact location, information about their identities, and genetic or biometric information. Similar to the CCPA, the VCDPA mandates that businesses enter into a special contract with each service provider they hire to process data on their behalf. This contract must implement the Virginia privacy law requirements and spell out the service provider’s obligations concerning the personal data they handle.

The VCDPA also mandates that businesses use the data they collected only for the specific purpose it was collected for, and retain it only for as long as is necessary to fulfill that purpose; these principles are known as purpose limitation and data retention limitation. To safeguard the confidentiality, integrity, and availability of personal data, businesses must also develop and maintain strong cybersecurity measures. Although the exact standard is vaguely worded, a company’s data security program is most probably adequate if it adheres to a recognized industry standard.

The Virginia Attorney General will be responsible for enforcing the VCDPA, which has a 30-day cure period but also carries a maximum civil penalty of $7,500 per violation if noncompliance is not remedied. 

#3 – Colorado Privacy Act (CPA)

Coming into effect on July 1, 2023

The Colorado Privacy Act was signed into law on July 8, 2021, making Colorado the third state to pass a privacy law to protect the personal information of its residents. Colorado’s new law ushers in additional compliance obligations for businesses that engage with Colorado residents both online and offline starting in 2023. The Colorado Privacy Act’s effective date is July 1, 2023. The law covers any entity that conducts business in Colorado or intentionally provides services or delivers products to state residents and that either:

  • Controls or processes the personal data of 100,000 or more consumers a year, or
  • Controls or processes the personal data of 25,000 or more consumers and derives revenue or receives a discount on the price of goods or services from the sale of personal data

The CPA Outlines 5 Consumer Rights

Controllers have an obligation to communicate to consumers a process by which they may submit a request regarding their personal data, access it, correct errors, delete it, and subsequently appeal any previously mentioned decision. 

Right to Access: Consumers have “the right to confirm whether a controller is processing personal data concerning the consumer and to access the consumer’s personal data.”

Right to Correction: Consumers have “the right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.”

Right to Delete: Consumers have “the right to delete personal data concerning the consumer.”

Right to Data Portability: Consumers have “the right to obtain personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance.”

Right to Opt-Out: Consumers have “the right to opt-out of the processing of personal data concerning the consumer for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.”

Controllers must establish a user-selected universal opt-out mechanism by the deadline of July 1, 2024.

The CPA Outlines 7 Controller Obligations 

Duty of Transparency: The CPA requires a controller to provide consumers with a “reasonably accessible, clear, and meaningful privacy notice.” This notice must include:

  • The categories of personal data collected or processed by the controller
  • The intended purpose of processing the data
  • How consumers can exercise their previously mentioned rights and appeal
  • Which categories of personal data are shared
  • Which types of third parties the data is shared with

If the data will be sold to a third party or designated for advertising campaigns, the controller shall “clearly and conspicuously disclose the sale or processing” as well as the opt-out mechanism.

Duty of Purpose Specification: Upon collection of personal data, a controller must “specify the express purposes for which personal data are collected and processed.” 

The law seems to require something more than the standard “how we use your information” section in a privacy policy. According to a Colorado Privacy Act summary, businesses would be required to state the specific purposes for which data is collected and processed in “sufficiently unambiguous, specific, and clear” terms.

Duty of Data Minimization: The Colorado Privacy Act imposes data minimization, requiring that “a controller’s collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed.”

Duty to Avoid Subsequent Use: Without consent, it is illegal for a controller to process personal data for “purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data are processed.”

Duty of Due Care: Controllers must exercise due care in the security measures they apply when storing and using data. Those measures must be in accordance with the “volume, scope, and nature of the personal data processed.”

Duty to Avoid Personal Discrimination: It is illegal for controllers to process personal information that violates state or federal laws regarding unlawful discrimination against consumers.

Duty of Protecting Sensitive Data: Sensitive data includes inferential information that indicates racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual orientation, or citizenship. Consent must be obtained before processing sensitive data unless all four of the following conditions are met:

  • the purpose of the processing is obvious to a “reasonable Consumer”
  • both the underlying personal data and the Sensitive Data Inferences are deleted within 12 hours of collection or completion of the processing activity
  • the data is not sold or even shared with any processors
  • the data is not processed for any secondary purpose 

If the business does rely on consent (as it most likely will), the Draft Colorado Rules set forth extensive requirements for that consent.

#4 –  Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring, also known as the Connecticut Data Privacy Act (CTDPA) 

Coming into effect on July 1, 2023

The Connecticut Data Privacy Act (CTDPA) is the fifth and latest comprehensive state consumer privacy law. Companies have two years in which to become compliant.

The CTDPA is similar to the consumer privacy laws of other states (California, Virginia, Colorado and Utah), but most resembles Virginia’s VCDPA and the Colorado Privacy Act (CPA). These are both primarily consumer-oriented, compared to the more business-friendly UCPA (Utah).

The Connecticut privacy act establishes a framework for controlling and processing personal data; sets out responsibilities and privacy protection standards for data controllers and processors; and gives consumers the rights to access, delete, correct and obtain a copy of personal data, and to opt out of the processing of personal data.

#5 – Utah Consumer Privacy Act (UCPA) 

Coming into effect on December 31, 2023 

The Utah privacy bill is more business-friendly than other state data protection acts. Its threshold for compliance is higher than those of the other state privacy acts, making more SMBs exempt from it. Generally, the UCPA resembles the Virginia Consumer Data Protection Act (VCDPA) more than the California Consumer Privacy Act (CCPA) or the Colorado Privacy Act (CPA).

Businesses should first assess whether they are subject to the UCPA, based on the revenues and data processing activities of Utah residents. A business that is subject to the UCPA should evaluate, and, where appropriate, update, its data collection and privacy policies and practices as follows: 

  • Develop a comprehensive understanding of the personal data and the sensitive data that the business collects and processes.
  • Review its privacy notices to ensure they contain the content required by the UCPA.
  • Review its policies, procedures, and systems designed to respond to consumer rights under the UCPA.
  • Review and revise, as appropriate, its contracts with third-party service providers to include the provisions required by the UCPA.
  • Develop any necessary opt-out mechanisms applicable to the business’s processing of sensitive data, the use of personal data for targeted advertising, or the sale of personal data. 

The UCPA contains requirements for both controllers and processors. These requirements are similar to those found in the CPA and VCDPA, with some variations. 

As to the future of data privacy laws, people are demanding a greater level of control over their personal data, without giving up the sharing of data online. Companies that exhibit a true commitment to transparency and take data privacy seriously are more likely to be chosen by consumers and to succeed in the current market.


Data Privacy Laws in 2022

#1 – New York

Arguably matching California’s solution in terms of strictness, the New York Privacy Act covers most of the bases already, including a broad definition of personal information, the right to request deletion of personal data, the ability to make corrections to your own data, and the right to know what information a business holds on you.

This last point comes with the caveat that the business only has to divulge a broad category of what it shares with third parties, so getting more specific information might take more effort. At the same time, you are allowed a private right of action for any violation of this law.

Another unique aspect of New York’s approach is the data fiduciary: because the consumer still owns the data, the business is legally responsible for the data that it retains.

#2 – Massachusetts

The Baked Bean State has the descriptively named Data Privacy Law, which adopts many of the same elements as the CCPA, such as:

  • Consumer access to personal information
  • Deletion of data upon request
  • Opt-out options for third-party information access
  • A broad definition of what constitutes “personal data”
  • Probabilistic identifiers

Massachusetts also guarantees a right to bring class action lawsuits against companies that suffer data breaches, and customers can expect up to $750 each. In fact, the client does not have to suffer a monetary loss as a result of the breach to be part of the lawsuit.

#3 – Maryland

Maryland’s Personal Information Protection Act (PIPA) ensures that Maryland citizens’ PII (personally identifiable information) is fairly protected. If personal data gets compromised, consumers are notified so that they can take further action to mitigate threats and protect themselves.

The Online Consumer Protection Act expands upon part of California’s rendition of data privacy regulations. While the requirement to disclose the type of information used isn’t as extensive as it is in California, consumers do have the “probabilistic identifier” right as described before.

What sets Maryland apart from other states, however, is the requirement to disclose third-party usage of personal data. In many other states, such a notice is only necessary if the data is being sold for a price. Under Maryland law, any transfer of information, free or paid, must be disclosed. On top of that, information belonging to children must never be shared.

#4 – Nevada

While not attracting as much fanfare as the CCPA, Nevada created and passed its own Senate Bill 220 for the same purpose, and did so first. The Silver State actually became the first to allow customers to opt out of having their personal information sold.

The bill details what companies must include in their privacy policies:

  • Type of information collected
  • Types of third parties that will receive the data
  • How clients can request changes to their own information
  • A notice that third-party businesses may track the online activities of users

The attorney general’s office administers penalties for noncompliance but also allows a 30-day period to fix certain violations first. Because these fines can add up to $5,000 per violation, it’s more vital than ever for Nevada-based businesses to focus on privacy law compliance.

This law applies to any business that interacts with the PII of Nevada consumers, has Nevada customers, or “directs its activities towards Nevada.”

#5 – Maine

A unique aspect of Maine’s approach is that it targets broadband Internet providers specifically. In most cases these vendors cannot share or sell customer personal information unless given express permission. They also cannot deny service if a client refuses to consent.

The bill makes it clear that the business itself is largely responsible for protecting the data, which can include web browsing history, geolocation coordinates, and device identifiers.

#6 – Hawaii

You’re probably seeing a pattern here already. Hawaii’s SB 418 shares many parts with California’s ruling, but there’s one exception that will likely get patched out in the near future. While other states usually only apply these regulations to companies doing business within the state borders, Hawaii’s laws technically apply to any company in the world.

It’s highly likely that this bill will interact with any form of data that relates to Hawaii, its residents, or activities occurring in relation to the state. Keep yourself posted on new developments in Hawaii if you’re serious about data privacy laws and compliance.

#7 – Virginia

Virginia citizens have the right to access, correct, and remove their own data from a business, as well as to opt out of collection entirely. One major distinction is that Virginia law also adds an exception for information used to fulfill contracts between the customer and the company.

Marketing departments should pay special attention to Virginia, as the regulations there often give them more opportunities for the use of consumer data compared to other states. But, once again, always keep a lookout for new changes.

#8 – North Dakota

While one of the lightest bills we’ve discussed so far, North Dakota makes a valiant first effort with HB 1485, which restricts the sharing of personal information to third parties without client consent.

Other features common to other states like removing personal data upon request are not available yet, but we should expect more developments to come out of North Dakota in the future as data privacy becomes a more popular topic.

#9 – New Jersey

New Jersey Disclosure and Accountability Transparency Act (NJ DaTA) was brought to the attention of the Assembly Science, Innovation, and Technology Committee in early 2021. This framework deals with data processing, consumers’ rights, and even requirements around automated decision-making.

The use of personal information is essentially allowed when the “legitimate interests” of both parties are involved, and any data collected can be used only for its intended purpose. Consumers can also choose to object to personal data processing for direct marketing, profiling, and other uses.

Finally, the bill establishes a new Office of Data Protection and Responsible Uses in the Division of Consumer Affairs to oversee enforcement. Of course, the exact details are far more complicated, so consult the text for a more comprehensive understanding.

UPDATE NOVEMBER 2022: The speed with which new US state data privacy laws have developed is unprecedented. The urgency with which new privacy laws are coming into effect is a reflection of demands on the market in a new digital world and shifting priorities: information security above all. 

New data privacy regulations, together with updates for existing state privacy laws will be coming into effect in 2023 for the states of Connecticut, Utah, Virginia, Colorado and California. They are leading the pack and shaping the future of personal information security in the United States.

Is Your Business Prepared for Enhanced Privacy Laws?

What we can learn from all these state laws regarding online data privacy is that the United States has a diverse but also fragmented approach to personal information protection. While the federal government does have regulations in place for the healthcare and finance industries (as well as for children’s data), there is no equivalent to the EU’s GDPR yet.

However, California’s CCPA can be considered an alternative since it does have several protections in place that many other states are looking to copy in some form. It will be up to state legislatures to decide how they want to balance consumer privacy with business flexibility.

As for the business manager, keeping track of the ever-changing legal landscape for data privacy laws should be the top priority. New bills are being introduced, debated, passed, and shot down in multiple states, so finding out how you can stay compliant and work with new regulations is your best response. Are you looking to stay compliant with emerging state data privacy laws? Centraleyes’ team of analysts tracks the latest state data privacy laws with 24/7/365 coverage. Book a demo today and see why companies rely on the Centraleyes platform to stay up to speed on rapidly changing state privacy laws.
