Navigating the Waves of New Data Privacy Legislation in the U.S.
Recent years have seen a remarkable shift in data privacy legislation across the United States, influenced by landmark laws such as California’s Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR). As businesses grapple with this evolving landscape, understanding the differences and similarities between state laws is essential for compliance.
The Influencers: CCPA and GDPR
The CCPA, enacted in 2018 and later amended by the California Privacy Rights Act, has set a high standard for privacy regulations. It opened the floodgates for other states to follow suit, emphasizing consumer rights and privacy protections. The GDPR also serves as a global benchmark, prompting U.S. lawmakers to introduce their versions of data protection. As a result, we see a spectrum of state-level privacy laws emerging, categorized into what can be termed three primary styles: California-style, Virginia-style, and Utah-style.
California-Style Privacy Laws
California continues to lead the way with its extensive CCPA. This law now encompasses a broader array of “consumers,” expanding beyond the general public to include employees, job applicants, and business contacts. Compliance is monitored by both the California Attorney General and the newly established California Privacy Protection Agency (CPPA), which has the authority to impose statutory penalties for noncompliance.
The CCPA grants consumers several crucial rights, including the ability to request information on their data, correct inaccuracies, delete personal information, and opt out of data sharing, especially for targeted advertising. This broad framework has made it necessary for many businesses operating in California to restructure how they handle personal information. The CPPA continues to evolve the legislation with ongoing regulatory proposals, maintaining California’s status as a trendsetter in data privacy.
Virginia-Style Laws
Virginia’s Consumer Data Protection Act (VCDPA) launched on January 1, 2023, marking the state’s entry into the realm of comprehensive privacy legislation. Much like the CCPA, the VCDPA empowers consumers with rights to access, correct, and delete their personal information. Businesses must adapt to these new requirements while also offering consumers the option to opt out of certain data uses, particularly concerning targeted advertising.
However, an essential distinction arises when comparing Virginia-style laws to California’s. Under the VCDPA, certain entities regulated by federal legislation, like the Gramm-Leach-Bliley Act (GLBA), are exempt. This contrasts with California’s approach, where only specific information governed by such laws is excluded, leaving other personal data subject to regulation.
The Colorado Privacy Act
Colorado joined the ranks of states with comprehensive privacy laws when the Colorado Privacy Act (CPA) was signed into law on July 8, 2021. Taking effect on July 1, 2023, the CPA closely mirrors the Virginia framework, emphasizing consumer rights and data security. Colorado consumers can access, correct, and delete their personal data, and opt out of data processing for advertising and profiling.
Moreover, Colorado has taken a pioneering step with the Colorado Artificial Intelligence Act, the first comprehensive regulation of AI in the U.S., which will come into force in February 2026. This law requires developers to implement policies governing their AI systems concerning privacy and risk management, setting a precedent for future legislative efforts in emerging technologies.
Connecticut and Its Approach
The Connecticut Data Privacy Act (CTDPA), effective from July 1, 2023, closely aligns with the Virginia-style framework. Companies must fulfill rights requests from consumers and are required to provide opt-out options for targeted advertising and profiling. Effectively enforced by the Connecticut Attorney General, the CTDPA empowers consumers with the right to access, correct, and delete their personal data.
Utah-Style Laws and Their Business-Friendly Focus
Utah’s Consumer Privacy Act (UCPA), which took effect on December 31, 2023, simplifies the privacy landscape, particularly for businesses. Although it shares some similarities with California and Virginia standards, it is characterized as more limited and business-friendly. For instance, the UCPA grants fewer consumer rights, omitting the right to correct data or opt out of automated decision-making.
This less stringent approach may attract businesses to operate within Utah, despite the trade-off for consumer protections. An entity-level exemption for financial institutions under the GLBA further emphasizes the UCPA’s business-friendly angle.
Upcoming State Laws: Texas, Oregon, and Montana
July 1, 2024, marks a significant date, as it will see the enactment of new Virginia-style laws in Texas, Oregon, and Montana. Texas’s Data Privacy and Security Act (TDPSA) takes a notably broad approach, extending its reach beyond state lines to any entity processing personal data related to Texas residents. In contrast, the Oregon Consumer Privacy Act (OCPA) and the Montana Consumer Data Privacy Act (MCDPA) will similarly empower consumers with rights across targeted advertising, data sales, and privacy protections.
Future Developments in 2025 and Beyond
Looking ahead, January 1, 2025, will bring a flurry of new state laws into effect, including the Delaware Personal Data Privacy Act and the Iowa Act Relating to Consumer Data Protection, among others. These laws will mostly align with the Virginia-style framework, offering consumers similar rights regarding their data.
As the landscape evolves, more laws are anticipated beyond 2025, with states like Tennessee and Minnesota set to introduce their regulations. The proliferation of these laws illustrates a nationwide acknowledgment of the critical importance of consumer privacy.
Conclusion
In this rapidly changing regulatory environment, it’s essential for businesses to stay informed and prepared. Morgan Lewis advises companies of all sizes, helping them navigate the complexities of the new privacy landscape. As legislation continues to emerge and evolve, organizations must remain vigilant and adaptable to ensure compliance and protect consumer rights across all states.