Comparison guide to US state level data privacy laws

Comparing US state-level data privacy laws

The US has no federal privacy law, though 6 states have passed laws. We compare what these laws mean for consumers and businesses.
by Usercentrics
Feb 15, 2023

2023 is the biggest year to date for US data privacy law. Though federal legislation has not made much progress, two new state-level privacy laws came into effect on January 1st: California’s Consumer Privacy Rights Act (CPRA) and Virginia’s Consumer Data Privacy Act (VCDPA). (California’s first privacy law, the California Consumer Privacy Act (CCPA), came into effect January 1st, 2020.) Two more will come into effect on July 1st: Connecticut’s Data Privacy Act (CTDPA) and Colorado’s Privacy Act (CPA). Utah’s Consumer Privacy Act (UCPA) will close out the year, coming into effect on December 31st.

The Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA) was enacted in 2017, preceding California’s, and the SB-260 amendment came into effect October 1, 2021. Technically, Nevada’s law predates California’s, though that law, and its amendment, are a fair bit different and much more limited in scope and consumers’ rights than the privacy laws in the other states.

Michigan, New Jersey, Ohio and Pennsylvania have active bills in committee as of early 2023. This is the second step after the introduction of a bill. States from Alaska to Wisconsin have introduced bills — more than once in some cases — but they are currently inactive as of early 2023. It is likely that many states will keep working toward passing legislation, however, especially as long as a federal law is stalled.

There are many similarities among the US privacy laws that are already in effect or coming into effect this year. There are fewer differences among them than between the US laws and the European Union’s General Data Protection Regulation (GDPR), for example. While the requirement to provide notification about data collected, collection purposes, and parties it’s shared with is pretty universally included in the US laws, only one state, California, provides consumers with a private right of action (the ability to sue offenders in the event of a data breach or other violation). Of the five states with laws, Utah’s is considered the most “business friendly”.

Let’s look at a comparison of the US state-level data privacy laws and what they mean for businesses and consumers.

What is the state data privacy law's effective date?

Data privacy laws in the US tend to draw on existing privacy laws. When the CCPA was drafted, there were certainly fewer available options than when the other US laws were in progress. However, the GDPR was already in effect in 2018 when the CCPA was passed. Typically, there is a span of a couple of years between when legislation is passed and the law comes into effect, giving businesses and other organizations time to familiarize themselves with the law’s contents and requirements.

Effective date:

CCPA: January 1, 2020
CPRA: January 1, 2023
VCDPA: January 1, 2023
CTDPA: July 1, 2023
CPA: July 1, 2023
UCPA: December 31, 2023
NPICICA & SB-260: July 1, 2017 (NPICICA); October 1, 2021 (SB-260 amendment)

Who does the state's data privacy law protect?

These state-level data privacy laws are designed primarily to protect consumers, the data subjects from whom businesses and other organizations collect personal data. The laws apply to residents of the state in question. This means that a company does not need to be headquartered in a state, or even have an office there, to be subject to the state’s privacy law, if their users or customers include residents of that state.

Protected parties:

CCPA: Residents of California.
CPRA: Residents of California.
VCDPA: Residents of Virginia, acting in an individual or household context.
CTDPA: Residents of Connecticut, acting in an individual or household context.
CPA: Residents of Colorado, acting in an individual or household context.
UCPA: Residents of Utah, acting in an individual or household context.
NPICICA & SB-260: Residents of Nevada.

Who has to comply with the data privacy law?

The data privacy laws in the US are primarily aimed at businesses. Those that obtain revenue from selling personal data are particularly responsible for compliance. While the number of people whose data is sold is a common criterion, a company revenue threshold is only in use for some laws, and does exempt many small businesses. There are also some exemptions for who needs to comply with the various US privacy laws, e.g. if they are subject to other regulations (like financial institutions or healthcare), if they are nonprofits or institutions of higher learning, etc. Exemptions vary among laws, so each law’s requirements should be checked.

Responsible parties:

CCPA: Businesses that:

– Have gross annual revenue greater than US $25 million; or

– Buy, receive, or sell the personal data of 50,000 or more California residents, households, or devices; or

– Derive 50% or more of annual revenue from selling California residents’ personal data.

CPRA: Businesses that:

– Have gross annual revenue greater than US $25 million in the preceding calendar year; or

– Alone or in combination, annually buy, sell or share the personal data of 100,000 or more consumers or households; or

– Derive 50% or more of annual revenue from selling or sharing consumers’ personal data.

VCDPA: Businesses that:

– Process personal data of at least 100,000 consumers; or

– Process personal data of at least 25,000 consumers and derive at least 50% of gross annual revenue from selling personal data.

CTDPA: Businesses that:

– Process personal data of at least 100,000 consumers; or

– Process personal data of at least 25,000 consumers and receive a discount on goods or services from selling personal data.

CPA: Businesses that:

– Process personal data of at least 100,000 consumers; or

– Process personal data of at least 25,000 consumers and derive at least 50% of gross revenue from selling personal data.

UCPA: Businesses that:

– Have gross annual revenue of at least US $25 million; and

– Process personal data of at least 100,000 consumers, or process personal data of at least 25,000 consumers and derive at least 50% of gross revenue from selling personal data.

NPICICA & SB-260: Businesses that:

– Own or operate a website or an online service for business purposes; and

– Collect and maintain the personal information of consumers who reside in Nevada and use or visit the website or the online service; and

– Engage in activities catered towards Nevada and conduct transactions with the State of Nevada, or its consumers or residents; and

– Have more than 20,000 visitors per year.

Who is the data privacy law’s enforcement authority?

Each state manages enforcement of the data privacy law, including investigations and penalties. The creation of the California Privacy Protection Agency was included in the CPRA, but to date it is the only state with a separate agency to enforce privacy law. All the other states have these functions under the Attorney General’s office.

Enforcement authority:

CCPA: Attorney General
CPRA: California Privacy Protection Agency
VCDPA: Attorney General
CTDPA: Attorney General
CPA: Attorney General
UCPA: Attorney General
NPICICA & SB-260: Attorney General

What are the penalties for violation or noncompliance with the data privacy law?

All of the US data privacy laws provide a cure period (“right to cure”), which gives businesses that violate the law a set period of time to fix the issue and prevent it from recurring before they are fined or otherwise penalized. Internationally, not all data privacy laws do this. Or, in some cases, there is no cure period for very severe, repeat, or willful violations. Penalties are primarily monetary, though cure periods, for example, can include requirements to limit or cease data processing, or delete data.

Penalties:

CCPA:

– US $2,500 for each violation (e.g. negligence) or $7,500 for willful violations.

– Provides consumers with private right of action — the ability to sue a business for violation — only when their unencrypted or unredacted personal information is breached.

– Companies have a 30-day period to cure the violations before being penalized.

CPRA:

– Up to US $2,500 for each violation (e.g. negligence) or $7,500 for willful violations.

– Provides consumers with private right of action — the ability to sue a business for violation — only when their unencrypted or unredacted personal information is breached.

– Companies have a 30-day period to cure the violations before being penalized.

VCDPA:

– Up to US $7,500 per violation.

– Companies have a 30-day period to cure the violations before being penalized.

CTDPA:

– Up to US $5,000 per violation.

– Companies have a 60-day period to cure violations before being penalized.

CPA:

– No specified fines; however, a CPA violation is considered a deceptive trade practice. Penalties for that are governed by the Colorado Consumer Protection Act and can be from US $2,000 to US $20,000 per violation, or between US $10,000 and US $50,000 per violation against an elderly person.

– Companies have a 60-day period to cure violations before being penalized.

UCPA:

– Up to US $7,500 per violation.

– Companies have a 30-day period to cure the violations before being penalized.

NPICICA & SB-260:

– Up to US $5,000 per violation. (“Per violation” can mean per website visitor.)

– Companies have a 30-day period to cure the violations before being penalized.

Opt in consent means that in many cases a business or other organization must obtain informed, valid consent from users and customers (data subjects) before collecting their personal data. Opt out consent means that in many cases a business can collect and use data subjects’ personal data without requiring consent, but they must have the option to opt out of that. Typically, it is required that data subjects be notified under all circumstances about what data is collected, for what purposes, who it’s shared with, etc.

Opt in / Opt out consent:

CCPA: Opt out.
CPRA: Opt out.
VCDPA: Opt out; opt in required for sensitive personal data.
CTDPA: Opt out; opt in required for sensitive personal data.
CPA: Opt out; opt in required for sensitive personal data.
UCPA: Opt out.
NPICICA & SB-260: Opt out.

If a user or customer goes to a website or uses an app and opts out of collection and use of their data, that person must be able to return to that online property in the future and change their consent preference, i.e. use the banner or other tool to opt in to tracking for data collection and use generally or at a granular level.

Consent requirement after opting out:

CCPA: No
CPRA: Yes
VCDPA: No
CTDPA: Yes
CPA: No
UCPA: No
NPICICA & SB-260: No

What are the law’s privacy notice requirements?

While in many cases the US data privacy laws do not require consent before data collection or use, all of them require users to be notified with information about what data is collected, for what purposes, what parties it gets shared with, what consumers’ rights are and how to exercise them, etc. This is most commonly presented in a Privacy Policy.

Privacy notice requirements:

CCPA: A privacy notice needs to include the following information:

– Categories of personal data the business collects about consumers and the purposes for which they use the categories of information.

– Practices for the collection, use, sharing and sale of consumers’ personal data (i.e. how data is collected and processed).

– Information on consumers’ privacy rights and how to exercise them.

CPRA: A comprehensive description of the business’ online practices regarding the collection, use, sale, sharing and retention of personal data needs to be provided, including:

– Explanation of the consumer’s rights.

– How consumers can exercise their rights.

– Categories of personal data collected.

– Purposes for which personal data is used.

– Retention period for personal data.

– Whether the personal data collected is sold or shared with third parties.

VCDPA: The data controller must include an accessible and simple-to-read privacy notice on their website. This privacy notice must contain at least the following information:

– The categories of personal data processed by the controller.

– The purposes for processing personal data.

– How consumers can exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request.

– The categories of personal data that the controller shares with third parties, if any.

– The categories of third parties, if any, with whom the controller shares personal data.

CTDPA: The data controller must include an accessible and simple-to-read privacy notice on their website. This privacy notice must contain at least the following information:

– The categories of personal data processed by the controller or processor.

– The purposes for processing personal data.

– How consumers can exercise their consumer rights, including contact information and how a consumer may appeal a controller’s decision with regard to the consumer’s request.

– The categories of personal data that the controller shares with third parties, if any.

– The categories of third parties, if any, with whom the controller shares personal data.

CPA: The data controller must include an accessible and simple-to-read privacy notice on their website. This privacy notice must contain at least the following information:

– The categories of personal data processed by the controller.

– The purposes for processing personal data.

– How consumers can exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request.

– The categories of personal data that the controller shares with third parties, if any.

– The categories of third parties, if any, with whom the controller shares personal data.

– An active electronic mail address or other online mechanism that the consumer may use to contact the controller.

UCPA: The data controller needs to provide an accessible and simple-to-read privacy notice on their website. This privacy notice must contain at least the following information:

– The categories of personal data processed by the controller or processor.

– The purpose for processing personal data.

– How consumers can exercise their consumer rights.

– The categories of personal data that the controller shares with third parties, if any.

– The categories of third parties, if any, with whom the controller shares personal data.

NPICICA & SB-260: The data processors need to provide an accessible and simple-to-read privacy notice on their website. This privacy notice must contain at least the following information:

– The categories of personal data processed by the controller or processor.

– The categories of third parties, if any, with whom the controller shares personal data.

– Whether the controller sells personal data.

– Third parties that collect information about consumers across different websites (cookies).

– How consumers may exercise their consumer rights, including contact information for how consumers may request that their personal data not be sold.

– Effective date of the Privacy Policy and a description of the process by which controllers will let consumers know of any changes to their Privacy Policy.

How does the state-level data privacy law define personal data?

Information that is considered personal data is generally required to be able to identify a person, by itself or in combination with other data points (e.g. name, address, credit card number, IP address). Many data privacy laws also give explicit consideration to “sensitive personal data”, which can include information belonging to children, or information about racial or ethnic origin, medical or genetic data, sexual orientation, etc.: generally, information that could be used to cause discrimination or harm if misused. It is more common for sensitive personal information to require consent before it can be collected or processed. Specific US data privacy laws should be checked for their definitions of and requirements for sensitive personal data. Data that is publicly available, like government records, is not typically considered personal data.

Definition of personal data:

CCPA: Any information that identifies, relates to, or could reasonably be linked with an individual person or their household.

CPRA: Any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

VCDPA: Any information that is linked or reasonably linkable to an identified or identifiable natural person. “Personal data” does not include de-identified data or publicly available information.

CTDPA: Any information that is linked or reasonably linkable to an identified or identifiable individual; and does not include de-identified data or publicly available information.

CPA: Any information that can be linked to an identifiable individual, excluding publicly available information.

UCPA: Any information that is linked or reasonably linkable to an identified individual or an identifiable individual.

NPICICA & SB-260: The law does define personal information, but the definition of “covered information” is more relevant, as sale of covered information is what the consumer can opt out of. Covered information means any one or more of the following items of personally identifiable information about a consumer collected by an operator through an Internet website or online service and maintained by the operator or a data broker in an accessible form:

– First and last name

– Home or other physical address, which includes the name of a street and the name of a city or town

– Email address

– Telephone number

– Social Security Number

– Identifier that allows a specific person to be contacted either physically or online

– Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator or data broker in combination with an identifier in a form that makes the information personally identifiable.

What are consumers’ rights under the states’ data privacy law?

Consumers covered by the US privacy laws share some rights across all of them, but some laws get more granular than others. California is currently the only state that enables consumers to sue for a data breach in specific circumstances (private right of action). Not all data privacy laws enable portability of one’s data, either. It is common for businesses to have 45 days from receiving a consumer’s request to exercise their rights to fulfill it, with an option to extend that under certain circumstances. Specific data privacy laws should be reviewed to confirm the exact time frame for responding to requests, extensions, and/or the ability to refuse requests, and to ensure familiarity with each law’s specific consumer rights so that consumers can exercise them.

Consumers’ rights:

CCPA:

– The right to know about the personal data a business collects about them and how it is used and shared.

– The right to have personal data collected from them deleted (with some exceptions).

– The right to opt out of the sale of their personal data.

– The right to non-discrimination for exercising their rights.

– Private right of action, only when their unencrypted or unredacted personal data is breached.

CPRA:

– Right to limit collection and processing of personal data.

– Right to opt out of the selling or sharing of personal data.

– Right to opt out of the use of, and to access information about, automated decision-making technologies.

– Right to opt in to the selling or sharing of personal data after having opted out.

– Right to restrict collection and processing of sensitive personal data.

– Right to correct personal data.

– Right to delete personal data.

– Right to know what personal data is processed by a business.

– Private right of action, only when their unencrypted or unredacted personal data is breached.

VCDPA:

– Right to confirm whether personal data is processed and access it.

– Right to correct inaccuracies in personal data.

– Right to delete personal data.

– Right to obtain a copy of the personal data.

– Right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

CTDPA:

– Right of access to the personal data collected.

– Right to correction of personal data.

– Right to deletion of personal data.

– Right to data portability.

– Right to opt out of the sale of personal data, targeted advertising, or profiling that may have a legal or other significant impact.

CPA:

– Right to access personal data that a controller has collected about them.

– Right to correct inaccuracies in their personal data.

– Right to delete their personal data, including personal data that a controller collected through third parties.

– Right to obtain a copy of their personal data in a portable and readily usable format that allows them to transfer the data to another controller with ease.

– Right to opt out of the processing of the personal data for the purposes of targeted advertising, the sale of personal data, or profiling.

UCPA:

– Right of access to personal data.

– Right to deletion of personal data.

– Right to data portability and obtaining a copy of the personal data that was previously collected.

– Right to opt out of the processing of their personal data for purposes of targeted advertising or the sale of personal data.

NPICICA & SB-260:

– Right to access personal data that a controller has collected about them.

– Right to correction.

– Right to opt out of the sale of personal data.

The US data privacy laws use an opt out model of consent that does not require businesses to obtain consent before collecting personal data. However, the laws do require consumers to be notified about data collection and use, and provided with an option to opt out (of collection, selling, or sharing of their personal data, depending on the law).

Consent management requirements:

CCPA:

– Must clearly and conspicuously display a link on the website reading “Do Not Sell My Personal Information” to enable consumers to submit an opt out request.

CPRA:

– Must clearly and conspicuously display a link reading “Do Not Sell Or Share My Personal Information” to enable consumers to submit an opt out request.

– Must honor the Global Privacy Signal.

VCDPA:

– No specific requirements regarding how an opt out option needs to be presented.

CTDPA:

– No specific requirements regarding how an opt out option needs to be presented.

CPA:

– Must clearly and conspicuously display a link on the website that enables the consumer to submit an opt out request.

– By January 1st, 2025, websites must be able to honor preference signals that communicate the consumer’s opt out choice.

UCPA:

– No specific requirements regarding how an opt out option needs to be presented.

NPICICA & SB-260:

– Must clearly and conspicuously provide an option on the website that enables the consumer to submit an opt out request.

– No specific requirements regarding how an opt out option needs to be presented.

– Privacy Policy is required.
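The opt-out model and the preference-signal requirements above translate into a concrete decision a website has to make on every request: may this visitor's personal data be sold or shared, and may sensitive data be processed at all? The following is an added example written for this guide, not code from Usercentrics or from any of the laws' official materials. It assumes that the preference signal to honor is the Global Privacy Control (GPC), which browsers transmit as the HTTP request header "Sec-GPC: 1" (and expose to page scripts as navigator.globalPrivacyControl), and that the visitor's explicit choice is stored in a cookie named "privacy_choice" with the values "opt_out", "opt_in" or "opt_in_sensitive"; the cookie name and values, and the rule that a signal overrides an older stored opt-in, are design assumptions made here.

```javascript
// Added example (not from the Usercentrics article): server-side decision logic
// for a website operating under the opt-out consent model described above.
// Assumptions: the opt-out preference signal is the Global Privacy Control,
// sent as the request header "Sec-GPC: 1"; the visitor's explicit choice is
// stored in a cookie named "privacy_choice" whose values are "opt_out",
// "opt_in" or "opt_in_sensitive" (cookie name and values are hypothetical).

// True when the request carries an opt-out preference signal. Header names are
// compared case-insensitively because frameworks differ in how they expose them.
function hasOptOutSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc" && String(value).trim() === "1") {
      return true;
    }
  }
  return false;
}

// Minimal Cookie header parser: "a=1; b=2" -> { a: "1", b: "2" }.
// Malformed percent-encoding is kept verbatim rather than failing the request.
function parseCookies(cookieHeader) {
  const jar = {};
  for (const part of (cookieHeader || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    let value;
    try { value = decodeURIComponent(raw); } catch { value = raw; }
    if (name) jar[name] = value;
  }
  return jar;
}

// Returns what the site may do with this visitor's personal data:
//   sellOrShare - selling/sharing for targeted advertising is permitted
//   sensitive   - processing of sensitive personal data is permitted
// Rules applied here (a defensive reading of the laws compared above):
//   1. An opt-out preference signal always means opt out of sale/sharing,
//      even when an older stored opt-in exists (the signal is the newer intent).
//   2. Otherwise the stored explicit choice governs: "opt_out" blocks
//      sale/sharing; "opt_in" (chosen after a previous opt out) re-enables it.
//   3. With no signal and no stored choice, the opt-out model allows
//      sale/sharing, but the notice requirement still applies.
//   4. Sensitive personal data is never processed by default: it requires an
//      explicit opt in and is blocked whenever an opt-out signal is present.
function decideProcessing(req) {
  const headers = {};
  for (const [k, v] of Object.entries((req && req.headers) || {})) {
    headers[k.toLowerCase()] = v;
  }
  const signal = hasOptOutSignal(headers);
  const choice = parseCookies(headers.cookie).privacy_choice || null;

  let sellOrShare;
  let reason;
  if (signal) {
    sellOrShare = false;
    reason = "opt-out preference signal (Sec-GPC: 1) present";
  } else if (choice === "opt_out") {
    sellOrShare = false;
    reason = "consumer opted out via stored choice";
  } else if (choice === "opt_in" || choice === "opt_in_sensitive") {
    sellOrShare = true;
    reason = "consumer opted back in via stored choice";
  } else {
    sellOrShare = true;
    reason = "no opt out recorded; default under opt-out model, notice still required";
  }

  const sensitive = !signal && choice === "opt_in_sensitive";
  return { sellOrShare, sensitive, signal, choice, reason };
}

// Stand-alone demonstration on constructed requests (sample data, not captured traffic).
if (typeof require !== "undefined" && require.main === module) {
  const samples = [
    { headers: {} },
    { headers: { "Sec-GPC": "1", cookie: "privacy_choice=opt_in" } },
    { headers: { cookie: "session=abc; privacy_choice=opt_out" } },
    { headers: { cookie: "privacy_choice=opt_in_sensitive" } },
  ];
  for (const s of samples) console.log(JSON.stringify(decideProcessing(s)));
}
```

The point worth noting for auditing is that the default branch is the only one where sale or sharing proceeds without an affirmative record, and it still depends on the privacy notice being in place; logging the returned reason alongside each processing decision gives a defensible trail when an enforcement authority or a consumer asks why data was handled a particular way.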
